
Is DMARCbis a game-changer or just an upgrade to DMARC?

Brad Slavin CEO
Updated April 17, 2026 | Updated for 2026

Quick Answer

DMARC (RFC 7489) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible `From` header. According to Google's February 2024 bulk sender requirements, a DMARC policy of at least `p=none` is now mandatory for any domain sending 5,000+ messages per day to Gmail users.


The organizations that invest in email authentication early save themselves from expensive incidents later, says Vasile Diaconu, Operations Lead at DuoCircle. We see the pattern constantly: a domain gets spoofed, customers lose trust, and the remediation effort costs 10x what proactive DMARC setup would have cost.


Back in 2012, when DMARC was first published, it emerged as a revolutionary solution to email-based attacks, which the email infrastructure natively couldn’t block. However, cyberattacks have evolved since then; they have become more sophisticated and complex to detect.

So far, DMARC has been doing a good job of protecting domains against direct spoofing attacks by ensuring that only authorized senders can use a domain in the “From” field. But as the email ecosystem became more complex and intertwined, the authentication protocol began to fall short on certain fronts.

For instance, when your emails don’t go directly to the receiving server, they pass through mailing lists, forwarders, or security filters, which modify the email slightly. Even if they make minute changes, such as adding a footer, altering the subject line, or modifying headers, DMARC checks can fail, and your legitimate emails might end up in spam.

To fix this problem, a new and improved version of the protocol is being introduced, and it’s called ‘DMARCbis.’ It’s not a replacement, but an upgrade that builds on the original DMARC framework to make it more reliable in today’s complex email landscape.

Let’s see how the new upgrade is any different from its predecessor, or if it’s just a cursory patch on an already existing one.

What are the proposed updates in DMARCbis?

Although we have come a long way in email security, there are still some gaps that we need to patch. This is where DMARCbis comes in. It does not come with radical changes like changing the entire authentication method or a complete overhaul of the previous version; it is the small changes that are introduced to improve clarity, security, and interoperability of the protocol.

As of 2025, DMARC is mandatory under multiple compliance frameworks. CISA BOD 18-01 requires p=reject for US federal domains. PCI DSS v4.0 mandates DMARC for organizations processing payment card data as of March 2025. Google and Yahoo require DMARC for bulk senders (5,000+ messages/day) since February 2024, and Microsoft began rejecting non-compliant email in May 2025. The UK NCSC, Australia’s ASD, and Canada’s CCCS all mandate DMARC for government domains. Cyber insurers increasingly require DMARC enforcement as an underwriting condition.

Here are some of the upgrades that you should know about:

Rearranging and rewriting the specifications

One of the first things that the Internet Engineering Task Force (IETF) is introducing with DMARCbis is the rewriting and reorganization of the entire specification. The primary reason for this is to make the protocol easier to understand and implement.

New sections

To define best practices for all-around protection, the IETF has added a new section called “Conformance Requirements for Full DMARC Participation.”

This section clearly explains what both senders and receivers need to do to ensure full participation in the system.

For instance, as a domain owner, you should make sure your emails pass both SPF and DKIM checks, publish a DMARC record, and actually review the reports you get to spot any problems.

For a mail server like Gmail or Outlook, its primary role is to verify the DMARC records published by others, perform the necessary checks on incoming emails, and send daily reports back to the domain owner.

Upgrades in DMARC tags

DMARCbis also added new tags to give domain owners more control over their domain’s security. The IETF came up with multiple new tags so that you can fine-tune how your DMARC policy works and how much data you receive in reports.

For instance, the new ‘np’ tag lets you set a DMARC policy for subdomains that don’t even exist. This is a much-needed addition. Attackers often try to send emails from fake subdomains that were never actually created, like login.yourdomain.com. The new ‘np’ tag ensures that these attempts don’t get through.

Another new tag added to this list is ‘psd’ (public suffix domain), particularly meant for domains like .co.uk or .gov.in that are used by many different users or organizations. Receivers use its value when working out the root domain of the ‘From’ domain.

There is also a ‘t’ tag in the new upgrade that lets you tell the receiving servers that you’re still testing your DMARC setup. It’s like moving from pct=0 to pct=100, but simpler, because those percentages are replaced with two binary values: y and n.

Additional upgrades

There are additional upgrades in DMARCbis that enable you to address real-world email challenges better.

  • Instead of relying on the old Public Suffix List, DMARCbis now uses a DNS tree walk algorithm to more easily and accurately support public suffix domains.

  • It also warns against using a strict ‘p=reject’ policy when your emails go through mailing lists, as those can modify the email slightly and break authentication, which means your legitimate emails might get blocked.

Are you prepared for DMARCbis?

Clearly, DMARCbis is not like a simple upgrade to DMARC. It is a more thoughtful shift that aligns your authentication setup with how emails work today. To ensure a seamless transition, it’s essential to understand what remains the same and what you need to revisit.

Your existing v=DMARC1 records will work just as well with DMARCbis, so you don’t really have to change them. But it is still recommended to review your email setup so that you can make the most of the new features and improvements DMARCbis brings.

For example, when DMARCbis is finally published, check your existing record for outdated tags like pct, rf, and ri, and remove them. You will no longer need them in the new setup.

Once you have removed the older tags, you can add the new ones: np (non-existent policy), psd (Public Suffix Domains), and t (testing mode).
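The record review described above, as an added example that is not DMARC Report's code: it parses a v=DMARC1 record, lists the pct, rf and ri tags to remove, validates np, psd and t, and returns a proposed record. The accepted value sets follow the DMARCbis draft, the function names are hypothetical, and carrying pct=0 over as t=y is an assumption based on the article's comparison of the two.

```python
# Added example: review a DMARC record against the DMARCbis tag changes.
REMOVED = {"pct", "rf", "ri"}  # tags the article says to drop
NEW_TAGS = {                   # new tags and the values accepted for each
    "np": {"none", "quarantine", "reject"},
    "psd": {"y", "n", "u"},
    "t": {"y", "n"},
}

def parse_dmarc(record):
    """Split 'tag=value; ...' into a dict that keeps the published tag order."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags[name.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    return tags

def review(record):
    """Return (findings, proposed_record) for one DMARC TXT record."""
    tags = parse_dmarc(record)
    findings = []
    for name in [n for n in tags if n in REMOVED]:
        value = tags.pop(name)
        findings.append(f"remove {name}={value}")
        if name == "pct" and value == "0":
            # Assumption: pct=0 was a testing rollout, so carry it over as t=y.
            tags.setdefault("t", "y")
            findings.append("pct=0 carried over as t=y")
        elif name == "pct" and value != "100":
            findings.append("partial pct has no equivalent: pick t=y or full enforcement")
    for name, allowed in NEW_TAGS.items():
        if name in tags and tags[name].lower() not in allowed:
            findings.append(f"invalid {name}={tags[name]}")
    if "np" not in tags:
        findings.append("no np tag: policy for non-existent subdomains is not set explicitly")
    return findings, "; ".join(f"{k}={v}" for k, v in tags.items())

if __name__ == "__main__":
    # Constructed sample record, not taken from a real domain.
    sample = "v=DMARC1; p=reject; pct=0; rf=afrf; ri=86400; rua=mailto:dmarc@example.com"
    for line in review(sample)[0]:
        print(line)
    print(review(sample)[1])
```

A partial rollout such as pct=50 is reported rather than converted, because switching it to t=y or to full enforcement changes how receivers treat failing mail and is a decision for the domain owner.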

When will DMARCbis be launched?

Now that you know what DMARCbis brings to the table, the next big question is, when can you start using it?

As of now, DMARCbis is in the “IETF Last Call” phase, which is the final stage before it officially launches. So, it is expected to be published sometime in 2025. While there is still some time before you can officially start using DMARCbis, you can begin reviewing your existing DMARC setup, cleaning outdated tags, and preparing to adopt the new ones.

It’s also a good idea to seek expert guidance to ensure your updated setup aligns with the new specification and does not disrupt your email delivery. To know more, reach out to us today!

Brad Slavin

CEO

Founder and CEO of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.
