DMARCbis:
The next generation of email authentication
(DMARC 2.0)

DMARCbis (DMARC 2.0) brings stronger reporting, clearer policies, and smarter boundary detection with the DNS Tree Walk.

Sendmarc is already preparing for these changes, so you can adopt the updated standard seamlessly.

What is DMARCbis?

DMARCbis is the most significant update to Domain-based Message Authentication, Reporting, and Conformance (DMARC) since the protocol was first introduced. The “bis” suffix is part of the Internet Engineering Task Force’s (IETF) naming convention and signals a revision of an existing standard.

Unlike the original DMARC specification (RFC 7489), published as an Informational document in 2015, DMARCbis is set to be released as a Proposed Standard. That change in status formalizes DMARC’s place as a proven, widely adopted email authentication protocol and reflects how far its use has spread across industries.

Often referred to as “DMARC 2.0,” this update builds on more than a decade of global deployment and operational lessons.

It enhances the original RFC by:

  • Providing a clearer specification structure with more examples
  • Determining domain boundaries with a DNS-native mechanism instead of an externally maintained list
  • Removing legacy tags and adding clearer replacements
  • Tightening reporting requirements to improve visibility and security

Importantly, DMARCbis maintains backward compatibility. It continues to use v=DMARC1 as the version, meaning businesses with active records don’t need to make immediate changes. Instead, they can adopt the new features at their own pace to strengthen protection against domain spoofing and unauthorized email use.

While DMARCbis doesn’t require businesses to make immediate changes, leveraging a dedicated platform ensures your records, reporting, and policies stay compliant as standards evolve.

What is changing in DMARCbis: Key updates

DMARCbis introduces several important updates designed to make email authentication more reliable, easier to implement, and better suited for today’s threat environment. Below are the most significant changes security professionals and domain owners should be aware of.

Improved specification structure

The updated document is now split into three separate drafts:

  • Core protocol: defines DMARC itself (record syntax, policy discovery, alignment, and the DNS Tree Walk)
  • Aggregate reporting: defines how aggregate reports (typically daily) are generated and formatted
  • Failure reporting: defines how per-message failure reports describe individual authentication failures

This separation makes the protocol easier to understand, implement, and maintain over time.

Conformance requirements for full participation

DMARCbis introduces clearer rules for what businesses and receivers must do to fully support the standard. By setting clear expectations, the update improves interoperability and strengthens global adoption.

DNS Tree Walk algorithm

One of the most significant updates DMARC 2.0 includes is the replacement of the Public Suffix List (PSL) with a DNS Tree Walk algorithm. Starting from the domain in the From header, the algorithm queries the _dmarc TXT record at successive levels of the domain hierarchy, moving up one label at a time, and uses the records it finds, in particular any explicit psd=y (public suffix domain) or psd=n (organizational domain) tag, to fix the organizational boundary.

Important technical details:

  • The walk is limited to a maximum of eight levels to prevent excessive DNS queries
  • If a domain has eight or more labels, it removes the leftmost labels until only seven remain before starting the walk
  • The walk stops when it finds a valid DMARC record with an explicit psd value

This DNS-native approach:

  • Eliminates reliance on a third-party list that receivers must download and keep current
  • Lets a domain owner correct its own boundary by publishing a record, rather than waiting for a PSL update to propagate
  • Improves the accuracy and reliability of boundary detection

Transition consideration: During the transition period, some implementations may still use the PSL while others use Tree Walk, potentially leading to different domain determinations. Companies should consider using strict alignment and publishing explicit DMARC records for all domains to avoid interoperability issues.
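How the walk and the psd rules fit together, as an added example (this is not Sendmarc's code and not text from the DMARCbis drafts): a Python Tree Walk over a constructed, in-memory zone. lookup_txt() stands in for a DNS resolver, the records are made up, and the eight-label cut-off is implemented the way the text above describes it; the published RFC is authoritative for the exact trimming rule. The example also applies the psd rules to choose the organizational domain, which the text describes but does not spell out.

```python
"""DMARCbis-style DNS Tree Walk and Organizational Domain discovery.

Added example: not Sendmarc's code and not text from the DMARCbis drafts.
The zone below is constructed and lookup_txt() stands in for a resolver so
the walk runs offline. The eight-label cut-off follows the description in
the text above; check the published RFC for the exact trimming rule.
"""

# Constructed DMARC TXT records, keyed by their _dmarc.<domain> owner name.
ZONE = {
    "_dmarc.co.uk": "v=DMARC1; p=reject; psd=y",              # public suffix
    "_dmarc.example.co.uk": "v=DMARC1; p=quarantine; np=reject",
    "_dmarc.mail.example.co.uk": "v=DMARC1; p=none",
    "_dmarc.example.org": "v=DMARC1; p=reject; psd=n",         # explicit org domain
    "_dmarc.example.net": "v=DMARC1; p=reject",
    "_dmarc.sub.example.net": "v=DMARC1; p=none",
}


def lookup_txt(name):
    """Stand-in for a DNS TXT query: the record at name, or None."""
    return ZONE.get(name)


def parse_dmarc(txt):
    """'tag=value; tag=value' -> dict, or None if this is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def tree_walk(from_domain, lookup=lookup_txt):
    """Query _dmarc records from from_domain upward to the TLD.

    Returns [(domain, tags), ...] for every level holding a valid record,
    longest domain first. The walk stops at the first record carrying an
    explicit psd=y or psd=n, because that record fixes the boundary.
    """
    labels = from_domain.lower().rstrip(".").split(".")
    candidates = [".".join(labels)]            # the From domain is always queried
    if len(labels) >= 8:                       # cap the walk, as described above
        labels = labels[-7:]
    candidates += [".".join(labels[i:]) for i in range(len(labels))]

    found, seen = [], set()
    for domain in candidates:
        if domain in seen:
            continue
        seen.add(domain)
        txt = lookup("_dmarc." + domain)
        tags = parse_dmarc(txt) if txt else None
        if tags:
            found.append((domain, tags))
            if tags.get("psd", "u").lower() in ("y", "n"):
                break
    return found


def organizational_domain(from_domain, lookup=lookup_txt):
    """Apply the psd rules to the walk result.

    psd=n   -> that domain is the Organizational Domain.
    psd=y   -> the domain one label below the public suffix is the
               Organizational Domain (None if the From domain is the PSD).
    neither -> the domain with the fewest labels that has a record.
    """
    found = tree_walk(from_domain, lookup)
    if not found:
        return None
    last_domain, last_tags = found[-1]
    psd = last_tags.get("psd", "u").lower()
    if psd == "n":
        return last_domain
    if psd == "y":
        # One label longer than the PSD, whether or not that level
        # published a record of its own (choice made for this example).
        labels = from_domain.lower().rstrip(".").split(".")
        psd_len = len(last_domain.split("."))
        if len(labels) <= psd_len:
            return None                        # the From domain is itself a PSD
        return ".".join(labels[-(psd_len + 1):])
    return last_domain                         # last collected == fewest labels
```

Run organizational_domain("mail.example.co.uk") against the zone above and the psd=y record at co.uk yields example.co.uk; delete that record and the fewest-labels rule picks example.co.uk anyway, but only because co.uk then has no record at all. That is the failure mode the psd tag exists to prevent: a public suffix that publishes a DMARC record without psd=y would be taken as the organizational domain of every registrant beneath it.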

Managing this manually can be complex, but a purpose-built platform like Sendmarc can simplify the process.

New tags (psd, np, t)

DMARCbis introduces new policy tags to give businesses finer control. These are:

  • psd: Explicitly marks public suffix domains
    • y indicates the domain is a public suffix domain
    • n indicates the domain is the organizational domain
    • u is the default, letting the Tree Walk determine the organizational domain
  • np: Defines the policy for non-existent subdomains (subdomains with no A, AAAA, or MX records), closing off spoofing with invented names like ceo.example.com; if np is absent, sp and then p apply as before
  • t: Replaces the legacy pct tag with a clearer “testing mode” signal
    • y indicates testing mode (receivers should report as usual but not enforce the policy)
    • n is the default (apply the published policy)

Removed tags (pct, rf, ri)

A few legacy tags have been removed because receivers handled them inconsistently:

  • pct (percentage)
  • rf (report format)
  • ri (report interval)

The new t tag provides a simpler testing signal, while report format and interval are now fixed by the aggregate reporting draft rather than negotiated per record. Existing records that still carry these tags remain valid; receivers simply ignore the tags they no longer recognize.
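How a receiver turns these tags into a decision, as an added example serving both the new-tag and removed-tag sections above (this is not Sendmarc's code and not text from the drafts): the records, the table of existing subdomains and subdomain_exists() are all constructed, the latter standing in for the A/AAAA/MX lookups a real receiver would perform.

```python
"""Selecting the policy a DMARCbis receiver applies (p, sp, np, t) and
flagging the tags the revision removed (pct, rf, ri).

Added example: not Sendmarc's code and not text from the drafts. The records
and the table of existing subdomains are constructed; subdomain_exists()
stands in for the A/AAAA/MX lookups a receiver would make.
"""

REMOVED_TAGS = {"pct", "rf", "ri"}   # dropped by DMARCbis, still seen in old records

# Constructed records for example.com.
RECORD_CURRENT = "v=DMARC1; p=quarantine; sp=none; np=reject; rua=mailto:dmarc@example.com"
RECORD_TESTING = "v=DMARC1; p=reject; t=y; rua=mailto:dmarc@example.com"
RECORD_LEGACY = "v=DMARC1; p=reject; pct=50; rf=afrf; ri=86400"

# Constructed view of DNS: subdomains that resolve to an A, AAAA or MX record.
EXISTING_SUBDOMAINS = {"mail.example.com", "www.example.com"}


def subdomain_exists(name):
    return name.lower() in EXISTING_SUBDOMAINS


def parse_dmarc(txt):
    """'tag=value; tag=value' -> dict, or None if this is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def removed_tags_present(tags):
    """Deprecated tags found in the record, so operators can clean them up."""
    return sorted(REMOVED_TAGS & set(tags))


def effective_policy(tags, record_domain, from_domain):
    """Return (policy, enforce) for a message whose From domain is from_domain.

    tags is the record that policy discovery selected and record_domain is
    where it was published (the From domain itself if it has a record,
    otherwise the Organizational Domain). Rules applied:
      - From domain == record domain  -> p
      - non-existent subdomain        -> np, else sp, else p
      - any other subdomain           -> sp, else p
      - t=y                           -> report, but do not enforce
    """
    from_domain = from_domain.lower()
    p = tags.get("p", "none").lower()
    if from_domain == record_domain.lower():
        policy = p
    elif not subdomain_exists(from_domain):
        policy = (tags.get("np") or tags.get("sp") or p).lower()
    else:
        policy = (tags.get("sp") or p).lower()
    enforce = tags.get("t", "n").lower() != "y"
    return policy, enforce


def disposition(auth_passed, policy, enforce):
    """Map the selected policy to what the receiver does with the message."""
    if auth_passed or not enforce:
        return "accept"
    return {"none": "accept", "quarantine": "quarantine", "reject": "reject"}[policy]
```

With RECORD_CURRENT, mail from ceo.example.com (no DNS presence) is rejected under np, mail from the real mail.example.com gets sp=none, and the organizational domain itself gets p=quarantine. With RECORD_TESTING the selected policy is still reject, but enforce is False, so the message is accepted and the policy only shows up in reports.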

Enhanced reporting

Aggregate and failure reporting are now defined in dedicated drafts, with aggregate reporting adopting stricter requirements to improve consistency and security. Updates include:

  • Mandatory verification of report destinations that lie outside the policy domain, so a domain owner cannot direct report traffic at a third party that has not agreed to receive it
  • Standardized formatting and filenames for report attachments
  • Stricter requirements on the XML schema and on gzip compression of the attachment
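The external-destination check in the first bullet is the <policy-domain>._report._dmarc.<destination-domain> TXT lookup that RFC 7489 already defined and that the aggregate reporting draft carries forward. What it looks like in code, as an added example (this is not Sendmarc's code and not text from the drafts), with a constructed zone and a stand-in resolver:

```python
"""Verifying external aggregate-report destinations (rua URIs off-domain).

Added example: not Sendmarc's code and not text from the drafts. The TXT
records are constructed and lookup_txt() stands in for a resolver. A
receiver that skips this check can be turned into a report-flooding tool
against whoever is named in a rua tag.
"""

# Constructed zone: verification records published by two report processors.
ZONE = {
    # thirdparty.example accepts reports about example.com
    "example.com._report._dmarc.thirdparty.example": "v=DMARC1",
    # vendor.example accepts them too, but redirects to its own mailbox
    "example.com._report._dmarc.vendor.example": "v=DMARC1; rua=mailto:inbound@vendor.example",
}


def lookup_txt(name):
    """Stand-in for a DNS TXT query: the record at name, or None."""
    return ZONE.get(name)


def report_domain(uri):
    """Domain part of a mailto: report URI, or None for anything else."""
    if not uri.lower().startswith("mailto:"):
        return None
    addr = uri[len("mailto:"):].split("!")[0]      # drop any !size suffix
    return addr.rpartition("@")[2].lower() or None


def authorized_destinations(policy_domain, rua_uris, lookup=lookup_txt):
    """Keep only the URIs a receiver may send reports about policy_domain to.

    Destinations inside the policy domain need no verification. External
    ones must publish <policy_domain>._report._dmarc.<dest> starting with
    v=DMARC1; that record may override the destination with its own rua.
    Unverified URIs are dropped silently, as the specification requires.
    """
    policy_domain = policy_domain.lower()
    out = []
    for uri in rua_uris:
        dest = report_domain(uri)
        if dest is None:
            continue
        if dest == policy_domain or dest.endswith("." + policy_domain):
            out.append(uri)                          # same domain: no check needed
            continue
        txt = lookup(f"{policy_domain}._report._dmarc.{dest}")
        if not txt or not txt.replace(" ", "").lower().startswith("v=dmarc1"):
            continue                                 # not authorized: drop it
        override = None
        for part in txt.split(";"):
            key, _, value = part.strip().partition("=")
            if key.strip().lower() == "rua":
                override = [u.strip() for u in value.split(",")]
        out.extend(override or [uri])
    return out
```

Note that the comparison of destination and policy domain above is a plain suffix match; the specification compares organizational domains, so a full implementation would run the Tree Walk on both before deciding whether verification is needed.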

Important guidance on mailing lists

DMARCbis introduces important guidance regarding mailing lists and email forwarding. The specification now discourages a p=reject policy for domains whose users post to mailing lists. Lists commonly break SPF alignment (the message is re-sent from the list’s servers) and often DKIM as well (subject tags and footers modify the signed content), so legitimate posts are rejected by subscribers’ providers; list software then treats those rejections as bounces and automatically unsubscribes the affected recipients.

Businesses should carefully consider their email ecosystem before implementing strict rejection policies. That said, Sendmarc strongly encourages domain owners to work toward a p=reject policy wherever possible, because it’s the only way to guarantee full protection against unauthorized use of your domain.

DMARCbis timeline and IETF/RFC status

DMARCbis has a complex publication status that domain owners should understand. The main DMARCbis document (draft-ietf-dmarc-dmarcbis-41) and aggregate reporting document (draft-ietf-dmarc-aggregate-reporting-32) were approved by the Internet Engineering Steering Group (IESG) in 2025.

But the previous DMARC Working Group (WG) dissolved, leaving behind an incomplete failure reporting document (draft-ietf-dmarc-failure-reporting-13) that creates a reference issue.

Current status: A new DMARC Working Group has been chartered specifically to resolve the failure reporting document issue. This working group must either:

  • Complete the failure reporting specification and submit it to the IESG within six months of the WG’s formation

or

  • Remove failure reporting references from the base DMARCbis document (and optionally the aggregate reporting document) entirely

The base document was last updated on April 4, 2025 (draft version 41). While industry experts initially expected publication sometime in 2025, the current complications with the document cluster mean the timeline is uncertain until the failure reporting issue is resolved.

Secure your domain for the future

DMARCbis represents the next stage in email authentication, enhancing clarity, security, and operational flexibility. It builds on more than a decade of experience with DMARC to introduce practical improvements that make policies easier to manage and enhance effectiveness against modern phishing and spoofing threats.

Key benefits include:

  • More accurate organizational domain detection through the DNS Tree Walk algorithm
  • Simplified tag management with clearer testing signals
  • Improved aggregate reporting for better visibility
  • Stronger safeguards against spoofing on non-existent subdomains
  • Better support for complex domain structures and public suffix domains
  • Enhanced interoperability through stricter conformance requirements

At Sendmarc, we plan to align our platform with DMARCbis as soon as the standard is finalized, ensuring customers can seamlessly adopt the new features. This means you’ll be able to take advantage of the protocol’s enhancements without additional complexity.

Book a demo with Sendmarc to see how we can help you prepare for “DMARC 2.0” and secure your email environment for the future.

DMARCbis FAQs

What is DMARCbis?

DMARCbis is the updated version of Domain-based Message Authentication, Reporting, and Conformance (DMARC). Also called “DMARC 2.0,” it introduces technical improvements such as the DNS Tree Walk algorithm, new policy tags, and enhanced reporting while maintaining backward compatibility with existing DMARC records.

Do I need to change my DMARC record for DMARCbis?

No, you don’t need to change your current DMARC record for DMARCbis. The update continues to use the same version identifier, v=DMARC1. Your existing records remain valid, but you can adopt the new features over time to strengthen email authentication and security.

How does the DNS Tree Walk improve authentication in DMARCbis?

The DNS Tree Walk improves authentication in DMARCbis by replacing the reliance on the Public Suffix List (PSL). Instead, it queries the DNS directly, moving through domain levels until it identifies the correct organizational boundary.