DMARCbis Takes the Place of DMARC: What’s in It for Senders?


What is DMARCbis?

DMARCbis is the updated version of the current DMARC email authentication standard and is expected to be released in 2025. Note that the modifications proposed by the Internet Engineering Task Force (IETF) working group are not radical – they are aimed at improving the security and effectiveness of the protocol.

What are DMARCbis Updates?

The changes suggested by the IETF DMARC working group affect particular DMARC tags and the determination of the organizational domain. Some tags will be eliminated as obsolete, and new tags will be introduced to strengthen domain security.

DMARC tags to be discontinued:

pct – this tag is currently used to specify the percentage of the messages failing DMARC, to which the policy is to be applied. The main reason for eliminating this tag is the inaccuracy and inconsistency in calculating the defined percent of messages. 

rf (aggregate report format) and ri (interval between aggregate reports) – these tags are to be eliminated in order to simplify the DMARC reporting process. With DMARCbis, email senders will continue to receive aggregate reports to the email address(es) specified in the RUA tag but they will not be able to specify the format and interval for the reports.

DMARCbis tags to be added:

t – this tag replaces the pct tag; it means “testing mode” and has these values:

  • y – equals pct=0 and indicates that the published DMARC policy must not be applied to failing messages;
  • n – default value; equals pct=100 and indicates that the published DMARC policy must be applied to all the emails failing DMARC.

np – this tag means “non-existent subdomain policy” and enables domain owners to apply a policy to a non-existent subdomain. The np tag can have the same values as the p and sp tags. By utilizing this tag with an enforcement value of ‘quarantine’ or ‘reject’, domain owners can add an extra layer of protection against fraudulent emails sent from a phony subdomain.

psd – this tag means “public suffix domain”; it indicates that the domain is a public suffix domain (PSD) operated by a registry, and denotes the root domain of the Header From domain. The psd tag will have the following values:

  • y – the psd tag with the y value indicates that the domain is a PSD. The Organizational Domain and DMARC Policy Domain relevant to the message in question will be ascertained using this information;
  • n – this value indicates that the DMARC record is published for a domain, which is not a PSD but is an organizational domain for itself and its subdomains;
  • u – this value indicates that the DMARC record is published for a domain, which is not a PSD, and it may or may not be an organizational domain for itself and its subdomains. The organizational domain in this instance is established by the DNS Tree Walk procedure, which implies connecting a domain name to an IP address by exploring the Domain Name System.

Other Updates

To better support Public Suffix Domains, the DNS Tree Walk method takes the place of the Public Suffix List mechanism. 
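Added example, not part of the original article: a simplified sketch of how a receiver could pick the organizational domain from the psd values above, following the tree walk as laid out in the IETF DMARCbis draft (query the `_dmarc` record at the From domain, then at each parent name). The `SAMPLE_DNS` zone and all function names are constructed for illustration, and the draft's cap on the number of queries for very long names is omitted.

```python
# Constructed sample zone (TXT at _dmarc.<name>); not real DNS data.
SAMPLE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; np=reject",
    "_dmarc.gov.example": "v=DMARC1; p=reject; psd=y",
    "_dmarc.corp.bigco.example": "v=DMARC1; p=quarantine; psd=n",
    "_dmarc.bigco.example": "v=DMARC1; p=none",
}

def lookup(name, dns):
    """Stand-in for a TXT query: parsed tags of a valid record, else None."""
    txt = dns.get("_dmarc." + name, "")
    if not txt.replace(" ", "").startswith("v=DMARC1"):
        return None
    pairs = [part.split("=", 1) for part in txt.split(";") if "=" in part]
    return {tag.strip().lower(): value.strip().lower() for tag, value in pairs}

def tree_walk(domain, dns=SAMPLE_DNS):
    """Query the domain, then each parent, collecting (name, tags) records."""
    labels = domain.lower().rstrip(".").split(".")
    found = []
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        tags = lookup(name, dns)
        if tags is not None:
            found.append((name, tags))
            if tags.get("psd", "u") in ("y", "n"):
                break  # an explicit psd=y or psd=n ends the walk
    return found

def organizational_domain(domain, dns=SAMPLE_DNS):
    domain = domain.lower().rstrip(".")
    labels = domain.split(".")
    found = tree_walk(domain, dns)
    for name, tags in found:
        psd = tags.get("psd", "u")
        if psd == "n":
            return name  # record declares this name the organizational domain
        if psd == "y" and name != domain:
            keep = len(name.split(".")) + 1  # one label below the PSD
            return ".".join(labels[-keep:])
    if not found:
        return None
    # Only psd=u (or untagged) records: the name with the fewest labels wins.
    return min(found, key=lambda item: len(item[0].split(".")))[0]
```

With the sample zone, a sender under the `gov.example` registry resolves to its own registered name rather than to the registry, which is the case the psd=y value exists for.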

DMARCbis advises against using mailing lists with a p=reject policy since email forwarding and mailing lists can impede email authentication.

How to Be Compliant with DMARCbis

To benefit from the changes when DMARCbis is adopted, domain owners should check and update their DMARC records as follows: 

  • Remove discontinued tags such as pct (percentage), rf (report format), and ri (report interval);
  • Add new tags: np (non-existent subdomain policy), psd (public suffix domains), and t (testing mode).
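Added example, not part of the original article or any GlockApps tool: a small record checker that applies the two steps above, using only the mappings the article gives (pct=0 becomes t=y, pct=100 is the t=n default). Function names and the sample record are constructed for illustration.

```python
# Tags the article lists as discontinued, and allowed values for the new tags.
DISCONTINUED = {"pct", "rf", "ri"}
ALLOWED = {"t": {"y", "n"}, "psd": {"y", "n", "u"},
           "np": {"none", "quarantine", "reject"}}

def parse(record):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value)."""
    pairs = [part.split("=", 1) for part in record.split(";") if "=" in part]
    return [(tag.strip().lower(), value.strip()) for tag, value in pairs]

def migrate(record):
    """Return (updated_record, notes) for one DMARC TXT record."""
    tags = parse(record)
    present = {tag for tag, _ in tags}
    kept, notes = [], []
    for tag, value in tags:
        if tag == "pct" and value == "0":
            if "t" not in present:
                kept.append(("t", "y"))
            notes.append("pct=0 replaced by t=y")
        elif tag == "pct" and value == "100":
            notes.append("pct=100 removed (t=n is the default)")
        elif tag == "pct":
            notes.append(f"pct={value} removed; no t equivalent, pick t=y or t=n")
        elif tag in DISCONTINUED:
            notes.append(f"{tag} removed (discontinued)")
        else:
            if tag in ALLOWED and value.lower() not in ALLOWED[tag]:
                notes.append(f"{tag}={value} is not an allowed value")
            kept.append((tag, value))
    if "np" not in present:
        notes.append("np absent; consider np=quarantine or np=reject")
    return "; ".join(f"{tag}={value}" for tag, value in kept), notes

if __name__ == "__main__":
    # Constructed sample record, not taken from a real domain.
    old = "v=DMARC1; p=reject; pct=0; rf=afrf; ri=86400; rua=mailto:dmarc@example.com"
    new, notes = migrate(old)
    print(new)
    for note in notes:
        print(" -", note)
```

A partial rollout such as pct=25 has no counterpart among the t values, so the checker drops the tag and leaves the choice between t=y and t=n to the domain owner.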

Note that current v=DMARC1 records will remain valid after the release of the DMARCbis standard. However, it is advised to update DMARC records in order to be compliant with the latest version of this email authentication protocol.

How GlockApps Helps

To help domain owners take advantage of the DMARC authentication mechanism, GlockApps DMARC Analyzer allows users to generate a DMARC record following the latest standards. The processing of DMARC reports is fully automated. Any email authentication breaches can be instantly spotted thanks to the system alerts.

Sign up for GlockApps DMARC Analyzer today and get free 10,000 DMARC messages every month!

Frequently Asked Questions

1. Will the current DMARC record stop working after the DMARCbis release?

No, it won’t. The current DMARC records will continue working after the DMARCbis standard is adopted.

2. Why would I need to update the current DMARC record after the DMARCbis release?

It is highly recommended to update the DMARC record because DMARCbis will provide new tags that will help improve the domain security and simplify the policy application. Discontinued DMARC tags should be removed from the record to make it compliant with the new standard and provide the highest level of domain protection.

3. How to update a DMARC record in order to be compliant with DMARCbis?

You’ll need to remove the discontinued tags if they exist in your current record: pct (percentage), rf (report format), and ri (report interval). Instead, you may add new tags such as:
– t (testing mode) with the value 0 if you don’t want to apply the policy at all. Without this, the default t=100 tag will be applied;
– np (non-existing subdomain policy) with a ‘quarantine’ or ‘reject’ value to apply the policy to all non-existing subdomains on your main domain;
– psd (public suffix domain) with the y, n, or u value.

4. Will DMARC report processing tools be able to handle DMARCbis reports?

Yes, they will. Nothing will be changed in the report format. The reports will be received and processed as usual.

5. When is the DMARCbis publication expected?

The release of the new DMARCbis standard is expected by the end of 2025.


AUTHOR BIO

Julia Gulevich is an email marketing expert and customer support professional at Geminds LLC with more than 15 years of experience. Author of numerous blog posts, publications, and articles about email marketing and deliverability.