---
title: "Is DMARCbis a game-changer or just an upgrade to DMARC? | DMARC Report"
description: "Is DMARCbis a game-changer or just an upgrade to DMARC? from DMARC Report explains practical steps for email authentication, domain protection."
image: "https://dmarcreport.com/og/blog/is-dmarcbis-a-game-changer-or-just-dmarc-upgrade.png"
canonical: "https://dmarcreport.com/blog/is-dmarcbis-a-game-changer-or-just-dmarc-upgrade/"
---
Quick Answer
DMARC (RFC 7489) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible \`From\` header. According to Google's February 2024 bulk sender requirements, a DMARC policy of at least \`p=none\` is now mandatory for any domain sending 5,000+ messages per day to Gmail users. DMARC Report
Related: [Free DMARC Checker](/tools/dmarc-checker/) ·[How to Create an SPF Record](/tools/spf-record-generator/) ·[SPF Record Format](/blog/spf-format-checker-dos-and-donts-for-email-authentication/)
Share
[ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fis-dmarcbis-a-game-changer-or-just-dmarc-upgrade%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=Is%20DMARCbis%20a%20game-changer%20or%20just%20an%20upgrade%20to%20DMARC%3F&url=undefined%2Fblog%2Fis-dmarcbis-a-game-changer-or-just-dmarc-upgrade%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fis-dmarcbis-a-game-changer-or-just-dmarc-upgrade%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fis-dmarcbis-a-game-changer-or-just-dmarc-upgrade%2F&title=Is%20DMARCbis%20a%20game-changer%20or%20just%20an%20upgrade%20to%20DMARC%3F "Share on Reddit") [ ](mailto:?subject=Is%20DMARCbis%20a%20game-changer%20or%20just%20an%20upgrade%20to%20DMARC%3F&body=Check out this article: undefined%2Fblog%2Fis-dmarcbis-a-game-changer-or-just-dmarc-upgrade%2F "Share via Email")
## Try Our Free DMARC Checker
Validate your DMARC policy, check alignment settings, and verify reporting configuration.
[ Check DMARC Record → ](/tools/dmarc-checker/)
> The organizations that invest in email authentication early save themselves from expensive incidents later, says Vasile Diaconu, Operations Lead at DuoCircle. We see the pattern constantly: a domain gets spoofed, customers lose trust, and the remediation effort costs 10x what proactive DMARC setup would have cost.
DMARC ([RFC 7489](https://datatracker.ietf.org/doc/html/rfc7489)) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible `From` header. According to Google’s February 2024 bulk sender requirements, a DMARC policy of at least `p=none` is now mandatory for any domain sending 5,000+ messages per day to Gmail users. DMARC Report
Is DMARCbis a game-changer or just an upgrade to DMARC?
```
```
/
```
```
RSS Feed
```
Share
Link
Embed
```
/\*! This file is auto-generated \*/ ’ title=“Embed Code” class=“input-embed input-embed-29725” readonly/>
```
```
Back in 2012, when DMARC was first published, it emerged as a revolutionary solution to [email-based attacks](https://www.reinsurancene.ws/ransomware-costs-ease-but-email-based-attacks-dominate-coalition-reports/), which the [email infrastructure](https://www.voilanorbert.com/blog/email-infrastructure/) natively couldn’t block. However, [cyberattacks](https://www.news18.com/world/what-we-know-about-scattered-spider-the-group-behind-airline-cyberattacks-ws-l-9419238.html) have evolved since then; they have become more sophisticated and complex to detect.
So far, DMARC has been doing a good job of \*\*protecting domains against direct [spoofing attacks](https://www.msspalert.com/brief/novel-usps-spoofing-phishing-attack-relies-on-malicious-pdfs) by ensuring that only authorized senders can use a domain in the “From” field. But as the [email ecosystems](https://www.axigen.com/articles/email-ecosystem%5F128.html) became more complex and intertwined , the authentication protocol began to fall short on certain fronts.
For instance, when your emails don’t go directly to the receiving server, they pass through mailing lists, forwarders, or **security filters**, which modify the email slightly. Even if they make minute changes, such as adding a footer, altering the subject line, or modifying headers, \*\*DMARC checks can fail, and your legitimate [emails might end up in spam](https://cybernews.com/news/microsofts-breach-notification-emails-end-up-in-spam-folder/).
To fix this problem, a new and improved version of the protocol is introduced, and it’s called ‘**DMARCbis**.’ It’s not a replacement, but an upgrade that builds on the original DMARC framework to make it more reliable in today’s complex email landscape.
Let’s see how the new upgrade is any different from its predecessor, or if it’s just a cursory patch on an already existing one.
## What are the proposed updates in DMARCbis?
Although we have come a long way in [email security](https://dmarcreport.com/blog/why-email-security-matters-and-how-to-get-it-right/), there are still some gaps that we need to patch. This is where DMARCbis comes in. _It does not come with radical changes like changing the entire authentication method or a complete overhaul of the previous version; it is the small changes that are introduced to improve clarity, security, and interoperability of the protocol_.
As of 2025, DMARC is mandatory under multiple compliance frameworks. [CISA BOD 18-01](https://www.cisa.gov/news-events/directives/bod-18-01) requires p=reject for US federal domains. [PCI DSS v4.0](https://www.pcisecuritystandards.org/) mandates DMARC for organizations processing payment card data as of March 2025\. Google and Yahoo require DMARC for bulk senders (5,000+ messages/day) since February 2024, and [Microsoft began rejecting](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure) non-compliant email in May 2025\. The UK [NCSC](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing), Australia’s [ASD](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-email), and Canada’s [CCCS](https://www.cyber.gc.ca/en/guidance/implementation-guidance-email-domain-protection) all mandate DMARC for government domains. Cyber insurers increasingly require DMARC enforcement as an underwriting condition.
Here are some of the upgrades that you should know about:
## Rearranging and rewriting the specifications
One of the first things that the [Internet Engineering Task Force (IETF)](https://www.techtarget.com/whatis/definition/IETF-Internet-Engineering-Task-Force) is introducing with DMARCbis is the rewriting and reorganization of the entire specification. The primary reason for this is to make the protocol easier to understand and implement .
## How Do You Create new sections?
To define best practices for all-around protection, the IETF has added a new section called “**Conformance Requirements for Full DMARC Participation**.”
This section clearly explains what both senders and receivers need to do to ensure full participation in the system.
For instance, as a domain owner, you should make sure your emails pass both [SPF](https://autospf.com/blog/spf-guide-understanding-sender-policy-framework/) and [DKIM](https://dmarcreport.com/what-is-dkim/) checks, publish a [DMARC record](https://dmarcreport.com/dmarc-record/), and actually review the reports you get to spot any problems.
For a mail server like **Gmail or Outlook**, its primary role is to verify the DMARC records published by others, perform the necessary checks on incoming emails, and send daily reports back to the domain owner.
## Upgrades in DMARC tags
DMARCbis also added new tags to give \*\*domain owners \*\*more control over their domain’s security. IETF came up with multiple new tags so that you can [fine-tune](https://www.ibm.com/think/topics/fine-tuning) how your DMARC policy works and how much data you receive in reports.
For instance, the new ‘np’ tag lets you set a [DMARC policy](https://dmarcreport.com/blog/what-is-a-dmarc-policy-and-how-does-it-affect-sending-my-emails/) for subdomains that don’t even exist. This is a much-needed addition. Attackers often try to send emails from [fake subdomains](https://support.google.com/webmasters/thread/352806254/hacker-site-owner-for-fake-subdomains?hl=en-gb) that were never actually created, like login.yourdomain.com. The new ‘np’ tag ensures that these attempts don’t get through.
_Another new tag added to this list is ‘psd’ (public suffix domain), particularly meant for domains like .co.uk or .gov.in that are used by many different users or organizations_. It will be used to specify the root domain of the ‘**From**’ domain using other values.
There is also a ‘t’ tag in the new upgrade that lets you tell the receiving servers that you’re still testing your DMARC setup . It’s like when you move from pct=0 value to pct=100 value, but in a simpler way by replacing them with binary values - y and n.
## Additional upgrades
There are additional upgrades in DMARCbis that enable you to address real-world email challenges better.
- Instead of relying on the old [Public Suffix List](https://devcenter.heroku.com/articles/cookies-and-herokuapp-com), DMARCbis now uses a DNS tree walk algorithm to more easily and accurately support public suffix domains.
- It also warns against using a \*\*strict ‘p=reject’ policy when your emails go through mailing lists, as those can modify the email slightly and break authentication, which means your [legitimate emails](https://www.usatoday.com/story/tech/2021/08/23/gmail-spam-filter-email-inbox-google/8242847002/) might get blocked.
## Are you prepared for DMARCbis?
Clearly, DMARCbis is not like a **simple upgrade to DMARC**. It is a more thoughtful shift that aligns your authentication setup with how emails work today. To ensure a seamless transition, it’s essential to understand what remains the same and what you need to revisit.
_Your existing v=DMARC1 records will work just as well with DMARCbis, so you don’t really have to change them._ But it is still recommended to \*\*review your email setup \*\*so that you can make the most of the new features and improvements DMARCbis brings.
For example, when DMARCbis is finally published, check your existing record for **outdated tags like pct, rf, and ri**, and remove them. You will no longer need them in the new setup.
Once you have removed the older tags, you can add the new ones - np (non-existent policy), psd (Public Suffix Domains), and t (testing mode).
## When will DMARCbis be launched?
Now that you know what DMARCbis brings to the table, the next big question is, when can you start using it?
As of now, DMARCbis is in the “**IETF Last Call**” phase, which is the final stage before it officially launches. So, it is expected to be published sometime in 2025\. While there is still some time before you can officially start using DMARCbis, you can begin reviewing your existing [DMARC](https://dmarcreport.com/) setup, **cleaning outdated tags**, and preparing to adopt the new ones.
It’s also a good idea to seek expert guidance to ensure your updated setup aligns with the new specification and does not disrupt your email delivery. To know more, [reach out to us today!](https://dmarcreport.com/contact/)
## Sources
- [CISA Binding Operational Directive 18-01](https://www.cisa.gov/news-events/directives/bod-18-01)
- [Microsoft Outlook DMARC Enforcement May 2025](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure) (2025)
- [PCI DSS v4.0 - DMARC Requirement](https://www.pcisecuritystandards.org/) (2025)
- [RFC 7489 - Domain-based Message Authentication, Reporting, and Conformance (DMARC)](https://datatracker.ietf.org/doc/html/rfc7489)
## Topics
[ dkim ](/tags/dkim/)[ DMARC ](/tags/dmarc/)[ dmarc record ](/tags/dmarc-record/)[ email security ](/tags/email-security/)[ SPF ](/tags/spf/)
[ Brad Slavin ](/authors/brad-slavin/)
General Manager
Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.
[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin)
## Take control of your DMARC reports
Turn raw XML into actionable dashboards. Start free - no credit card required.
[Start Free Trial](https://app.dmarcreport.com/) [Check Your DMARC Record](/tools/dmarc-checker/)
## Related Articles
[ Foundational 7m 4 sectors that need email authentication the most and why Oct 15, 2024 ](/blog/4-sectors-that-need-email-authentication-the-most-and-why/)[ Foundational 4m 8 Misconceptions About DMARC and its Deployment for Businesses Dec 4, 2023 ](/blog/8-misconceptions-about-dmarc-and-its-deployment-for-businesses/)[ Foundational 8m 9 technologies to protect your emails from cyber actors Dec 10, 2024 ](/blog/9-technologies-to-protect-your-emails-from-cyber-actors/)[ Foundational 14m Add TXT Record on Namecheap: A Complete DNS Guide Mar 5, 2025 ](/blog/add-txt-record-on-namecheap-a-complete-dns-guide/)
```json
{"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]}
```
```json
{"@context":"https://schema.org","@type":"WebSite","name":"DMARC Report","url":"https://dmarcreport.com","description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","publisher":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```
```json
[{"@context":"https://schema.org","@type":"BlogPosting","headline":"Is DMARCbis a game-changer or just an upgrade to DMARC?","description":"Is DMARCbis a game-changer or just an upgrade to DMARC? from DMARC Report explains practical steps for email authentication, domain protection.","url":"https://dmarcreport.com/blog/is-dmarcbis-a-game-changer-or-just-dmarc-upgrade/","datePublished":"2025-07-24T09:50:16.000Z","dateModified":"2026-04-16T15:53:43.000Z","dateCreated":"2025-07-24T09:50:16.000Z","author":{"@type":"Person","@id":"https://dmarcreport.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://dmarcreport.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. He founded DuoCircle in 2014 and has led the company's growth to 2,000+ customers across its email security product family. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://dmarcreport.com/blog/is-dmarcbis-a-game-changer-or-just-dmarc-upgrade/"},"articleSection":"foundational","keywords":"dkim, DMARC, dmarc record, email security, SPF","wordCount":1304,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg","caption":"Is DMARCbis a game-changer or just an upgrade to DMARC?","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}]
```
```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://dmarcreport.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://dmarcreport.com/blog/"},{"@type":"ListItem","position":3,"name":"Foundational","item":"https://dmarcreport.com/foundational/"},{"@type":"ListItem","position":4,"name":"Is DMARCbis a game-changer or just an upgrade to DMARC?","item":"https://dmarcreport.com/blog/is-dmarcbis-a-game-changer-or-just-dmarc-upgrade/"}]}
```