
The Technical Relationship Between SPF, DKIM, DMARC, and BIMI Explained Simply
SPF, DKIM, and DMARC: The Email Security Trio
- SPF (Sender Policy Framework): This protocol checks if the sending mail server is authorized to send emails for your domain. It uses DNS records to define which servers are allowed to send on your behalf, helping block fake senders.
- DKIM (DomainKeys Identified Mail): DKIM adds a digital signature to each outgoing email. This allows the recipient’s server to verify that the email hasn’t been tampered with and that it really comes from your domain.
- DMARC (Domain-based Message Authentication, Reporting & Conformance): DMARC ties SPF and DKIM together, ensuring the domains they validate match the visible “From” address. It also lets you set policies for what to do with emails that fail authentication—quarantine or reject them—and provides reporting on authentication results.
How BIMI Builds on These Protocols
- BIMI (Brand Indicators for Message Identification): BIMI is the “bonus” that comes after you’ve set up SPF, DKIM, and DMARC correctly. Once your domain passes these checks, BIMI lets you display your brand’s verified logo next to your emails in supported inboxes.
- Technical Requirement: BIMI only works if your DMARC policy is set to “quarantine” or “reject,” not “none.” This ensures only authenticated, trusted emails can display your logo, protecting your brand from spoofing.
- How It Works: You publish a BIMI record in your DNS, pointing to your logo file (and sometimes a Verified Mark Certificate). When an email passes SPF, DKIM, and DMARC, the recipient’s mail server checks for a BIMI record and, if present, displays your logo in the inbox.
Why This Layered Approach Matters
- Security: SPF, DKIM, and DMARC work together to block phishing, spoofing, and unauthorized use of your domain.
- Trust: BIMI rewards strong authentication by making your brand instantly recognizable in the inbox, boosting recipient trust and engagement.
- Visibility: Only domains with robust authentication and DMARC enforcement can use BIMI, ensuring that only legitimate brands benefit from enhanced inbox branding.
In Simple Terms
Think of SPF, DKIM, and DMARC as the security checks at the front door. Only after you’ve passed all three can you hang your brand’s logo (BIMI) proudly in the window for everyone to see.
Steps to Enable BIMI for Your Domain
1. Set up and test SPF and DKIM records in your DNS.
2. Enforce DMARC with a policy of “quarantine” or “reject.”
3. Create a BIMI DNS record pointing to your verified logo (and VMC if required).
4. Monitor authentication results and logo display in recipients' inboxes.
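The steps above can be checked offline before publishing records. The following is an added example, not code from this page or from any vendor: it takes TXT records supplied as a dictionary and lists what still blocks BIMI. The DKIM selector `s1`, the sample zone, and the function names are hypothetical; the `default._bimi` record name and the HTTPS SVG requirement for `l=` come from the BIMI specification rather than from this page.

```python
def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record (DKIM, DMARC, BIMI) into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")  # split at the first '=' only
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def find(txt, name, prefix):
    """Return the TXT strings at `name` that start with the given version prefix."""
    return [r for r in txt.get(name, []) if r.lower().startswith(prefix.lower())]

def bimi_problems(domain, selector, txt):
    """List what still blocks BIMI for `domain`; an empty list means ready."""
    problems = []
    spf = find(txt, domain, "v=spf1")
    if len(spf) != 1:  # zero or several SPF records both fail evaluation
        problems.append(f"SPF: expected exactly one v=spf1 record, found {len(spf)}")
    elif any(tok.lower() in ("+all", "all") for tok in spf[0].split()):
        problems.append("SPF: '+all' authorizes every server")
    dkim = [parse_tags(r) for r in txt.get(f"{selector}._domainkey.{domain}", [])]
    if not any(t.get("p") for t in dkim):  # an empty p= means a revoked key
        problems.append("DKIM: no public key (p=) published for selector")
    dmarc = find(txt, f"_dmarc.{domain}", "v=DMARC1")
    policy = parse_tags(dmarc[0]).get("p", "").lower() if dmarc else None
    if policy is None:
        problems.append("DMARC: no v=DMARC1 record")
    elif policy not in ("quarantine", "reject"):
        problems.append(f"DMARC: p={policy or '(missing)'} is not enforcement")
    bimi = find(txt, f"default._bimi.{domain}", "v=BIMI1")
    logo = parse_tags(bimi[0]).get("l", "") if bimi else None
    if logo is None:
        problems.append("BIMI: no v=BIMI1 record")
    elif not (logo.lower().startswith("https://") and logo.lower().endswith(".svg")):
        problems.append("BIMI: l= must be an https URL to an SVG logo")
    return problems

# Constructed sample zone (selector "s1" is hypothetical); DMARC is still p=none.
SAMPLE = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=CONSTRUCTEDPUBLICKEY"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "default._bimi.example.com": ["v=BIMI1; l=https://example.com/logo.svg"],
}

if __name__ == "__main__":
    for line in bimi_problems("example.com", "s1", SAMPLE) or ["ready for BIMI"]:
        print(line)
```

For the sample zone the only finding is the DMARC policy, which matches the requirement that BIMI needs “quarantine” or “reject.”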
- SPF: Authorizes sending servers for your domain.
- DKIM: Signs emails to prove integrity and authenticity.
- DMARC: Aligns and enforces SPF/DKIM, blocking fakes.
- BIMI: Displays your logo only after all checks pass, boosting brand trust and visibility.