Which Domains Should Get BIMI First?
Start with your primary active sending domain — the domain that appears in the header From: address for your highest-volume consumer-facing email. That is where logo display will have the most immediate reach. Defensive domains, parked domains, and redirect-only domains do not send email and are not candidates for BIMI.
The RFC5322.From Domain Is What Matters
BIMI is evaluated against the RFC5322.From domain — the address visible to the recipient in the “From” header of the email. It does not matter how many domains your organization owns; only the domains actually appearing in the header From: field of outbound email are relevant to BIMI. A company that owns 50 domains but sends all email from one primary domain needs BIMI on that one domain to achieve logo display.
Before planning any BIMI deployment, map your sending topology: which domains actively generate outbound email, what volume comes from each, and which audiences receive that email. This inventory determines your actual candidate list — typically far smaller than your total domain ownership.
Domain Type Priority
| Domain Type | Priority | Reasoning |
|---|---|---|
| Primary sending domain — consumer email (header From:) | First | Highest volume, most recipient exposure. The highest-return deployment target. |
| High-volume transactional subdomains (if different logo required) | Second | Only if using a different logo. Same-logo subdomains are covered by the BIMI discovery fallback from the apex domain — no separate setup needed. |
| Secondary active sending domains with significant volume | Second | Additional domains sending to BIMI-participating inbox providers benefit from logo display if DMARC enforcement is already in place. |
| Internal-only or low-volume notification domains | Defer | Low external recipient exposure. Validate the sending volume and audience before committing to certificate cost. |
| Defensive, parked, or redirect-only domains | Skip | No outbound email = no BIMI lookup = no benefit. Secure these with DMARC p=reject and v=spf1 -all, but no BIMI record or certificate is needed. |
Readiness as the Deciding Factor
Within your list of active sending domains, prioritize the ones closest to BIMI eligibility. DMARC enforcement at p=quarantine or p=reject is the prerequisite that takes longest to establish. A domain with DMARC enforcement active, an existing registered trademark, and a compliant SVG logo can move through CA validation in days. A domain still at p=none needs careful DMARC ramp-up before BIMI is viable.
- DMARC at p=quarantine or p=reject
- Trademark registered and active
- Logo in SVG Tiny PS format or convertible
- Domain in active use for consumer-facing email

- DMARC still at p=none — needs ramp to enforcement
- Trademark application pending, not yet registered
- Logo does not meet SVG Tiny PS requirements
- Domain does not send to BIMI-participating providers
Subdomains sending the same logo as the apex domain do not require their own BIMI records or certificates. The BIMI discovery fallback covers them once the apex domain has a valid BIMI record and certificate. Deploy at the apex first; same-logo subdomains follow without additional certificate cost. See Do Subdomains Inherit BIMI Records or Need Separate Setups?
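The triage described in this section, as an added example rather than code from the original page: it classifies a domain inventory by the DMARC p= tag, checks non-sending domains for the p=reject plus v=spf1 -all lockdown, and orders enforced senders by volume. The inventory, its field names, and the .example domains are constructed assumptions; trademark and logo readiness are not checked.

```python
def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT string into a lowercase dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def dmarc_policy(dmarc_txt):
    """Return the p= tag; None if there is no DMARC record or more than one."""
    records = [t for t in map(parse_tags, dmarc_txt) if t.get("v") == "dmarc1"]
    return records[0].get("p") if len(records) == 1 else None

def spf_sends_nothing(apex_txt):
    """True if the domain publishes exactly 'v=spf1 -all'."""
    return any(r.lower().split() == ["v=spf1", "-all"] for r in apex_txt)

def triage(entry):
    """Classify one inventory entry with the rules from this section."""
    policy = dmarc_policy(entry["dmarc_txt"])
    if not entry["sends_mail"]:  # defensive, parked, or redirect-only
        if policy == "reject" and spf_sends_nothing(entry["apex_txt"]):
            return "skip: locked down"
        return "skip: needs p=reject and v=spf1 -all"
    if policy in ("quarantine", "reject"):
        return "candidate: DMARC enforced"
    return "defer: ramp DMARC to enforcement"

def rollout_order(inventory):
    """Enforced senders, highest monthly volume first."""
    ready = [e for e in inventory if triage(e) == "candidate: DMARC enforced"]
    return [e["domain"] for e in sorted(ready, key=lambda e: -e["monthly_volume"])]

# Constructed sample data. dmarc_txt is the TXT answer at _dmarc.<domain>,
# apex_txt the TXT answer at <domain>; the field names are hypothetical.
INVENTORY = [
    {"domain": "billing.example", "sends_mail": True, "monthly_volume": 40000,
     "dmarc_txt": ["v=DMARC1; p=quarantine"], "apex_txt": ["v=spf1 mx -all"]},
    {"domain": "shop.example", "sends_mail": True, "monthly_volume": 900000,
     "dmarc_txt": ["v=DMARC1; p=reject; rua=mailto:d@shop.example"], "apex_txt": []},
    {"domain": "news.example", "sends_mail": True, "monthly_volume": 300000,
     "dmarc_txt": ["v=DMARC1; p=none"], "apex_txt": ["v=spf1 mx ~all"]},
    {"domain": "parked.example", "sends_mail": False, "monthly_volume": 0,
     "dmarc_txt": ["v=DMARC1; p=reject"], "apex_txt": ["v=spf1 -all"]},
    {"domain": "redirect.example", "sends_mail": False, "monthly_volume": 0,
     "dmarc_txt": [], "apex_txt": ["v=spf1 ~all"]},
]

if __name__ == "__main__":
    for e in INVENTORY:
        print(f'{e["domain"]:18} {triage(e)}')
    print("rollout order:", rollout_order(INVENTORY))
```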
Maximizing Value with Multi-Domain SAN VMCs
When rolling out BIMI across a complex brand portfolio, a Multi-Domain Verified Mark Certificate (VMC) lets you group multiple sending domains under a single certificate once they reach compliance readiness. Multiple domains may be included through SAN fields, subject to CA product limits, validation rules, and the requirement that the same approved logo identity applies.