Domain-based Message Authentication, Reporting, and Conformance (DMARC) has been around since 2012, and since then it has become a standard for protecting outgoing emails against impersonation and unauthorized use of a domain.
DMARC, when it was first launched, wasn’t a mandatory protocol but simply a best practice that email service providers (ESPs) encouraged you to implement. However, as cyberattackers became increasingly sophisticated and attacks became more complex, it became the norm.
Today, things have come so far that DMARC alone isn’t enough to defend against the wide spectrum of modern email threats. We say this not because DMARC is a weak security protocol, but because attackers have now learnt to target its blind spots. They know where DMARC fails: when emails are forwarded, when mailing lists are involved, or when internationalized domain names (IDNs) create problems.
So, what do we have next that is more formidable than DMARC?
DMARCbis is the next-generation authentication protocol that serves as a much-needed upgrade to DMARC. In this article, we will understand what DMARCbis really is and what the key features of this upgrade are.
What is DMARCbis?
DMARCbis is an upgraded version of DMARC that builds on what already works, but fixes the things that don’t. Also known as DMARC 2.0, it is currently being developed by the Internet Engineering Task Force (IETF). Once it is ready and approved, it will replace the existing versions: RFC 7489 and RFC 9091.
Apart from patching the gaps left by DMARC, one big change is that while the original DMARC was published as an “Informational” document, DMARCbis will be a Proposed Standard. That means it’s more official and reflects how widely DMARC is now used and trusted across the email world.
The goal of DMARCbis remains the same: to help domain owners protect their domains from misuse, ensure their legitimate emails are delivered, and receive reports on how their domain is being used.
What’s New?
Now that we know DMARCbis is essentially a more advanced version of DMARC, let us take a look at what really changed and how DMARCbis can help you strengthen your defenses:
Better Clarity on Terms and Guidelines
One of the biggest problems that most organizations face with DMARC is its confusing language and loosely defined rules. DMARCbis addresses this issue with more clearly articulated rules and guidelines, ensuring that you know exactly what to do and leaving no room for confusion.
Full Participation Rules
DMARCbis now clearly spells out what both senders and receivers need to do to fully take part in the system. If you’re a domain owner, it means your emails should pass both SPF and DKIM checks, you need to publish a DMARC record, and you should actually look at the reports you get. If you’re an email receiver (like Gmail or Outlook), you’re expected to evaluate those records, run the necessary checks, and send daily reports back to the domain owner.
New Updates in DMARC Tags
DMARCbis introduces several new tags to provide domain owners with more control. The ‘psd’ tag helps apply policies correctly to public suffix domains like ‘.gov’, ‘.in’, ‘.edu’, or ‘.au’. The ‘t’ tag lets you signal that you’re testing your setup, so receivers know not to fully enforce your policy just yet. The ‘np’ tag sets rules for subdomains that don’t exist, helping block spoofing from fake subdomains. At the same time, older tags like ‘pct’, ‘rf’, and ‘ri’ are being removed to simplify things. And just like before, your DMARC record will still start with v=DMARC1.
Easier Domain Delivery
Instead of relying on the Public Suffix List, DMARCbis uses a new method called DNS Tree Walk to figure out the main (organizational) domain. This change makes it easier for complex domains, like gov.uk or similar government and institutional setups, to apply DMARC rules correctly and consistently.
Seamless Reporting
With DMARCbis, aggregate reports follow a stricter, better-defined XML format. The updated version features new tags that more accurately reflect how email functions in the real world. This will give you a better understanding of how your emails are really performing and what problems you’re facing.
What to do to Implement DMARCbis?
Although DMARCbis isn’t out yet, it’s the right time to build a solid foundation and prepare yourself for the transition.
Here’s what you will need to do to authenticate your emails with DMARCbis:
Analyze Your DMARC Record
Take a look at your current DMARC setup. Make sure you’re not using outdated tags like ‘pct’ or ‘rf,’ since those will no longer be supported. Also, double-check that your primary domain (the base domain) has a valid DMARC policy in place.
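As a starting point for that review, here is a small record linter. It is an added example, not part of any DMARC tool; it flags the tags this article lists as removed and checks the values of the new ones. The value sets for ‘t’ and ‘psd’ are assumptions taken from the IETF draft, and the sample records are constructed.

```python
REMOVED = {"pct", "rf", "ri"}          # tags the article lists as dropped in DMARCbis
ALLOWED = {                            # t/psd value sets are assumed from the IETF draft
    "p": {"none", "quarantine", "reject"},
    "sp": {"none", "quarantine", "reject"},
    "np": {"none", "quarantine", "reject"},
    "t": {"y", "n"},
    "psd": {"y", "n", "u"},
}

def parse_record(txt):
    """Split 'v=DMARC1; p=none' into ordered (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint(txt):
    """Return a list of (severity, message) findings for one TXT record."""
    pairs = parse_record(txt)
    findings = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        findings.append(("error", "record must start with v=DMARC1"))
    seen = set()
    for tag, value in pairs:
        if tag in seen:
            findings.append(("error", f"duplicate tag {tag}"))
        seen.add(tag)
        if tag in REMOVED:
            findings.append(("warn", f"{tag} is removed in DMARCbis; drop it"))
        elif tag in ALLOWED and value.lower() not in ALLOWED[tag]:
            findings.append(("error", f"{tag}={value} is not a valid value"))
    if "p" not in seen:
        findings.append(("warn", "no p= policy published"))
    if "np" not in seen:
        findings.append(("info", "no np=; non-existent subdomains fall back to sp/p"))
    return findings

# Constructed sample records (example.com is a placeholder domain).
LEGACY = "v=DMARC1; p=quarantine; pct=50; rf=afrf; ri=86400; rua=mailto:dmarc@example.com"
READY = "v=DMARC1; p=reject; np=reject; t=y; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for record in (LEGACY, READY):
        print(record)
        for severity, message in lint(record):
            print(f"  [{severity}] {message}")
```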
Learn More About Tree Walk
DMARCbis uses a new method called DNS Tree Walk to figure out which domain the DMARC policy applies to. If your domain has a lot of subdomains, it’s a good idea to test how each one behaves with this new system, just to be on the safe side.
Understand the psd Tag
If your domain setup is complex due to public suffixes or custom domain levels, ensure you explore the ‘psd’ tag. It informs DMARC where to start and stop your domain’s policies, so that everything works as expected.
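To see how the Tree Walk and the ‘psd’ tag interact for your own subdomains, the sketch below simulates the lookup sequence offline. It is an added example, not code from the IETF or any mail receiver; the eight-label cap and the psd=y/psd=n handling are assumptions taken from the DMARCbis draft, and the zone data is constructed.

```python
# Constructed zone data standing in for DNS TXT lookups (all names are placeholders).
ZONE = {
    "_dmarc.example.gov.uk": "v=DMARC1; p=reject",
    "_dmarc.gov.uk": "v=DMARC1; p=reject; psd=y",
    "_dmarc.example.com": "v=DMARC1; p=quarantine",
    "_dmarc.dept.example.com": "v=DMARC1; p=reject; psd=n",
}

def psd_flag(record):
    """Return the record's psd value, or 'u' (unknown) when the tag is absent."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    tags = {k.strip().lower(): v.strip().lower() for k, v in pairs}
    return tags.get("psd", "u")

def walk_names(domain, max_labels=8):
    """Domains the Tree Walk queries (as _dmarc.<name>), starting domain first."""
    labels = domain.lower().rstrip(".").split(".")
    names = [".".join(labels)]
    if len(labels) > max_labels:          # assumed draft rule: jump down to 7 labels
        labels = labels[-(max_labels - 1):]
        names.append(".".join(labels))
    while len(labels) > 1:                # then strip one label at a time
        labels = labels[1:]
        names.append(".".join(labels))
    return names

def organizational_domain(domain, lookup=ZONE.get):
    """Pick the organizational domain from the records found on the walk."""
    names = walk_names(domain)
    start_labels = names[0].split(".")
    found = []
    for i, name in enumerate(names):
        record = lookup("_dmarc." + name)
        if not record or not record.startswith("v=DMARC1"):
            continue
        psd = psd_flag(record)
        if psd == "n":                    # owner says: this is the organizational domain
            return name
        if psd == "y":                    # public suffix: org domain sits one label below
            if i == 0:
                return name
            return ".".join(start_labels[-(name.count(".") + 2):])
        found.append(name)
    return found[-1] if found else None   # otherwise the record with the fewest labels

if __name__ == "__main__":
    for d in ("mail.example.gov.uk", "a.dept.example.com", "www.example.com"):
        print(d, "->", walk_names(d), "->", organizational_domain(d))
```

Swap the `lookup` argument for a real TXT resolver to run the same walk against live DNS.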
Rounding Up
Needless to say, DMARCbis is a much-needed upgrade for today’s cyberattack landscape. It builds on the groundwork laid by DMARC and fills in the gaps that have been discovered by attackers. With the right approach, you can also transition from a basic setup to a more advanced one.
Want to help your clients make the strategic move? I can make things easier for you and your clients with my words!
Hi, I am Daksh Kaur, and I can help you turn complex security updates like DMARCbis into clear, actionable steps. Feel free to reach out to me at daksh@turtlewords.com, and let’s work together to make your blog section more insightful, engaging, and trustworthy.