DMARCbis Explained – What’s Changing and How to Prepare
by
Last Updated: 4 min read
The Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocol is undergoing a significant update since its initial publication. Known as DMARCbis, the redefined specification, which is still in draft, aims to address long-standing challenges in email authentication. Here’s everything you need to know about what’s changing and how to prepare.
Current Status: Internet Draft
Phase: Last Call
Expected Publishing Date: Not specified
Obsoletes: RFC 7489 & 9091 (if approved)
Source: DMARCbis Draft
Key Takeaways
- DMARCbis is the updated successor of the original DMARC protocol, aiming to improve clarity and alignment.
- It redefines the Public Suffix List (PSL) with a more reliable DNS Tree Walk to identify the organizational domain.
- Tags like pct, rf, and ri are being deprecated to simplify implementation and reduce confusion.
- A few new tags, like psd, np, and t are being introduced to clearly define public suffix domains and help manage policy inheritance.
- The DMARC record version stays the same (v=DMARC1) for backward compatibility.
- Existing DMARC setups with valid base domain records will continue to work without immediate changes.
- PowerDMARC can simplify your transition by automating record management, offering expert guidance, and providing visibility across all your domains.
What is DMARCbis?
DMARCbis is an updated version of the original DMARC specification, developed by the IETF (Internet Engineering Task Force). It builds on the foundations of RFC 7489 and RFC 9091 and, if approved, obsoletes them, introducing revisions that clarify ambiguities in the protocol. While its predecessor was an Informational RFC, DMARCbis is on track to be published as a Proposed Standard, signaling wider consensus and industry readiness.
DMARCbis will primarily focus on clarity, security, and better domain alignment. Despite being redefined, the v=DMARC1 tag remains unchanged to preserve backward compatibility.
Key Changes in DMARCbis
| Feature | Original DMARC | DMARCbis (New Changes) |
|---|---|---|
| Domain Lookup Method | Uses Public Suffix List (PSL) | Redefined with DNS Tree Walk (traverses up domain hierarchy, stops at psd=y or psd=n). Max 8 levels. |
| Tags | Supports pct, rf, ri | Removes pct , ri, and rf (simplifies protocol). |
| New Tag | None | Adds psd (explicitly marks public suffix domains), np, and t tags. |
| Policy Clarity | No guidance on policy inheritance | Clear rules for domain owners to control inheritance via psd. |
| Specification | Complex, less structured | Simplified docs, better examples, and terminology. |
| Compatibility | v=DMARC1 records | No change – old records still work. |
1. DNS Tree Walk Redefines Public Suffix List
The Public Suffix List (PSL) is redefined with a DNS-native Tree Walk method to determine the Organizational Domain.
The DNS Tree Walk algorithm traverses up the domain hierarchy to find a valid DMARC record. This allows domain boundaries to be defined natively in the DNS and eliminates the need for third-party suffix lists. The walk stops when it finds a valid DMARC policy record that includes the psd=y (public suffix domain) or psd=n (organizational domain) tag. This tells the system where the organizational domain is.
If no such policy is found, the search continues up to a maximum of 8 levels.
2. Deprecated Tags
The following tags are being removed to streamline the protocol:
- pct (percentage-based policy application)
- rf (report format)
- ri (report interval)
3. New and Updated Tags
- The new psd tag defines Public Suffix Domains more clearly, helping domain owners control policy inheritance in Tree Walks.
- The t tag is a signal to the receiver (validator) that the domain owner is in a testing phase and may not want full enforcement of the policy (p, sp, np). It does not change how DMARC reports are generated, and does not affect policies that are already set to none.The behavior is advisory as receivers can choose whether or not to act on it.
- The new np tag (non-existent policy) specifies the DMARC policy to apply to subdomains that do not exist (i.e., domains that don’t resolve or aren’t registered as active zones).
4. “Full Participation” Requirements
New guidelines define what it means for domain owners and receivers to fully support DMARC, setting clearer expectations and improving interoperability.
5. Improved Specification Format
The document has been restructured with better examples, clarified terminology, and a cleaner layout, making implementation easier for all stakeholders.
What Stays the Same?
- Existing DMARC records using v=DMARC1 remain valid.
- The core DMARC mechanisms for SPF, DKIM, and alignment still apply.
- The policy tags (p, sp, rua, ruf) remain central to DMARC functionality.
Impact on Existing DMARC Deployments
The DMARCbis update is backward compatible and doesn’t impact existing RFC 7489 compatible deployments. New tags are optional, so current setups remain unaffected. While auditing your records is recommended for streamlined authentication, no immediate action is needed if your DMARC is correctly configured.
How to Prepare for DMARCbis
Although the changes are not disruptive, organizations should start preparing to future-proof their email security posture. Here’s how:
- Review Your DMARC Records: Audit your current record to ensure soon-to-be deprecated tags like pct or rf are removed. Make sure the base (organizational) domain has a valid DMARC policy.
- Understand the Tree Walk Model: Ensure your subdomains will inherit policy as expected under the new hierarchy-based mechanism. For complex setups, simulate the DNS Tree Walk logic to verify behavior.
- Consider the psd Tag: Familiarize yourself with psd=n or psd=y to explicitly define domain boundaries if your domain structure requires it.
- Educate Your Security Team: Ensure your email and security teams are aware of these upcoming changes and understand their implications for authentication and deliverability.
How Can PowerDMARC Help
PowerDMARC can help organizations seamlessly transition to DMARCbis through a combination of automation, visibility, and expert guidance.
- Automated DMARC, SPF, and DKIM setup and management via a centralized email authentication dashboard
- Simplified reporting offering complete visibility into email channels
- Hosted solutions for seamless policy upgrade and record optimization
- A team of dedicated experts to help you navigate through issues and changes in real-time.
Ready to simplify DMARC? Contact PowerDMARC to get a free 1:1 consultation with one of our in-house experts today!
Final Thoughts
DMARCbis offers more flexibility, clarity, and control, especially if you want to manage DMARC policies for subdomains separately. While no urgent action is needed, you can choose to make necessary preparations for better domain authentication management.
Domain & Email Security Expert at PowerDMARC
Yunes is an Operations Team Lead at PowerDMARC with expert knowledge in email authentication and security. Yunes is a Microsoft-certified Azure Administrator Associate with certifications in CompTIA A+ and many more.
Latest posts by Yunes Tarada (see all)
