Make your logo visible in the inbox: a DNS config to satisfy DMARC and BIMI

I just heard of BIMI for the first time a few weeks ago. Most of the resources I can find are trying to sell DMARC management services. While these services are useful and valuable I was trying to figure out some rules of thumb to self manage my own DNS with regard to DMARC/DKIM/SPF/BIMI compliance.

First, set up email subdomains to stay under the SPF 10-lookup limit.

Each domain’s SPF record is limited to 10 DNS lookups: every include:, a, mx, ptr, exists and redirect= term counts as one, and any record pulled in by an include: adds its own lookups on top. If you go over 10, the receiving mail server may treat the record as a permanent error and ignore it entirely, or only evaluate the first 10.

You will reach the 10-lookup limit very quickly if every business unit uses your company’s root domain (bob@acme.com or sales@acme.com) as the “from” address for its outbound mail.

As you will see, the number of services that will vie for space on the root domain adds up very quickly.

| Software service | Department | What do they send? |
|---|---|---|
| Gmail | Everyone | All emails |
| Mailchimp | Marketing | Email blasts |
| Blog platform (WordPress, Squarespace, etc.) | Marketing | Blog announcements |
| CRM (Salesforce, Hubspot, etc.) | Sales | Correspondence with customers |
| E-commerce (Squarespace, Magento, etc.) | Sales | Purchase receipts |
| Customer support (Zendesk, etc.) | Support | Help tickets |
| Surveys (SurveyMonkey, etc.) | Miscellaneous | Product survey, customer satisfaction survey, etc. |
| Transactional emails (Mailgun, Sendgrid, Sparkpost, AWS SES) | Engineering | Things related to your apps |
| Engineering internal services (Jenkins, Datadog, GitHub) | Engineering | Stuff engineers look at |
| Legal things (DocuSign, etc.) | Legal | |
| Finance (ADP, Carta, etc.) | Finance | |
| Recruiting emails | HR | |
| More stuff! JIRA, Asana, Slack, Box, Dropbox | Everyone | |

Various outbound emails & vendors that might use your domain name

See that? 13 rows’ worth of business functions, each with vendors that could be sending email on your behalf.

If your business units each use several different sending services (or you have a lot of individual IP addresses to list), you will likely hit the 10-lookup limit pretty quickly.

One company, Valimail, has a solution for this problem, but it costs money. You can solve this problem for free by sending through different subdomains. My proposed solution is to, loosely, divide the subdomains by business function so that (1) recipients have some clue of who is sending the email and (2) you can narrow down deliverability issues if you know which vendor each department is using. Since each function gets its own subdomain, you might want to put a vendor in more than one subdomain (if the vendor supports multiple sending domains). SurveyMonkey, for example, might be used for more than one business function.

  • Selling stuff: biz.acme.com
    • Sales
      • hubspot
      • salesforce
      • squarespace
  • Helping people: help.acme.com
    • Support
      • zendesk
    • Transactional (password reset, billing?)
      • sendgrid
      • mailgun
      • AWS SES
  • Marketing: email.acme.com
    • Bulk email
      • Iterable
      • Mailchimp
      • Pardot
      • Marketo
      • etc.
    • Surveys
      • SurveyMonkey
  • Product: app.acme.com
    • Transactional (you did something in the app!)
      • Sendgrid/Mailgun
    • Notifications (X sent you a message)
      • Sendgrid/Mailgun

Next, set up your DKIM & SPF

In order to pass DMARC, your SPF and DKIM both need to validate, and the domain each one authenticates must align with the domain in the From: header.

Passing SPF means you have listed the third-party services (normally as include: terms) in the SPF TXT record of the sending subdomain, as described above.

Passing DKIM means you have published the service’s public key as a TXT record at its selector under _domainkey on the sending subdomain and enabled signing in the service. The sending service then adds a DKIM-Signature header to every email you send through it.

Now, monitor the results of your DMARC (SPF+DKIM) configuration

Using a service such as Valimail, you can get DMARC aggregate reports of which domains and IP addresses are attempting to send mail using your domain names. If you recognize IP addresses or domains that are “failing”, you need to check the configuration of those services.

[Screenshot of a DMARC report showing an unrecognized failing sender. Caption: Definitely a phish/spam/spoofer]

When DMARC is “passing” for all of your domains and IPs, you are ready for BIMI!

Actually, you can set up these records before passing DMARC, but you won’t get the snazzy BIMI logo until your DMARC gets a clean bill of health.

Add a TXT record to your DNS:

Name: default._bimi.acme.com

Value: v=BIMI1; l=https://cdn.acme.com/_email/logos/acme-icon.svg
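As an added example (not from the original post), the following Python script checks the three things the post asks you to get right: the SPF lookup count of the root domain versus a split-off subdomain, the DMARC policy, and the BIMI record. It runs against a constructed in-memory zone rather than live DNS; the zone contents, the .example vendor hostnames and the helper names `spf_lookups` and `bimi_ready` are assumptions.

```python
import re

# Constructed sample zone (assumption, not real DNS): name -> list of TXT strings.
# The root domain collects every vendor; help.acme.com holds only the support vendors.
ZONE = {
    "acme.com": ["v=spf1 include:_spf.vendor.example include:_spf.gmail.example "
                 "include:servers.mailchimp.example include:mail.zendesk.example "
                 "include:_spf.salesforce.example include:sendgrid.example include:mailgun.example "
                 "include:ses.example include:hubspot.example include:docusign.example ~all"],
    "_spf.vendor.example": ["v=spf1 include:a.vendor.example include:b.vendor.example -all"],
    "help.acme.com": ["v=spf1 include:mail.zendesk.example include:sendgrid.example ~all"],
    "_dmarc.acme.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@acme.com"],
    "default._bimi.acme.com": ["v=BIMI1; l=https://cdn.acme.com/_email/logos/acme-icon.svg"],
}

# SPF terms that cost a DNS query under RFC 7208 section 4.6.4 (ip4/ip6/all do not).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?:[:=/]|$)", re.I)

def spf_lookups(domain, zone=ZONE, depth=0):
    """Count query-causing SPF terms for `domain`, following include:/redirect= into the zone."""
    if depth > 10:  # guard against include loops
        return 0
    rec = next((t for t in zone.get(domain, []) if t.lower().startswith("v=spf1")), None)
    if rec is None:
        return 0
    count = 0
    for term in rec.split()[1:]:
        m = LOOKUP_TERM.match(term)
        if not m:
            continue
        count += 1  # the term itself is one lookup
        mech = m.group(1).lower()
        if mech in ("include", "redirect"):  # nested records add their own lookups
            target = term.split(":" if mech == "include" else "=", 1)[1]
            count += spf_lookups(target, zone, depth + 1)
    return count

def parse_tags(txt):
    """Parse the 'k=v; k=v' tag list shared by DMARC and BIMI records."""
    return dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)

def bimi_ready(domain, zone=ZONE):
    """BIMI display needs an enforcing DMARC policy and a default._bimi record with an https logo URL."""
    dmarc = parse_tags(zone.get(f"_dmarc.{domain}", [""])[0])
    bimi = parse_tags(zone.get(f"default._bimi.{domain}", [""])[0])
    policy_ok = dmarc.get("p", "none").lower() in ("quarantine", "reject")
    logo_ok = bimi.get("v") == "BIMI1" and bimi.get("l", "").startswith("https://")
    return policy_ok and logo_ok
```

Note that acme.com has only 10 include: terms yet counts 12 lookups, because the nested vendor record adds two of its own; the split-off help.acme.com sits comfortably at 2.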
