DMARCbis: what's changing in the DMARC standard
DMARC is getting its first major revision since 2015. The changes are mostly under the hood – but a couple are worth understanding now.
The original DMARC specification (RFC 7489) has been in use since 2015. Its replacement – informally called DMARCbis – has been working its way through the IETF and tidies up years of real-world lessons. If you already run valid DMARC, nothing breaks. But a few changes are worth knowing about.
Goodbye Public Suffix List, hello the “tree walk”
To apply a policy, DMARC has to work out your organizational domain – for mail.shop.example.co.uk, is the org domain example.co.uk? The old spec answered this using the Public Suffix List, a single crowd-maintained file. DMARCbis replaces it with a DNS tree walk: a series of DNS lookups up the name hierarchy to find the closest published DMARC record. It’s more accurate and no longer depends on one external list.
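To make the walk concrete, here is an added sketch (not code from DMARCER or from the specification) that runs it over a constructed in-memory zone instead of live DNS. The ZONE contents and function names are hypothetical, and the stop-on-psd and seven-label rules follow the IETF draft text, so check them against the final specification.

```python
# Added example: DMARCbis-style tree walk over a constructed, in-memory zone.
# ZONE stands in for DNS TXT lookups at _dmarc.<name>; every name is made up.
ZONE = {
    "_dmarc.example.co.uk": ["v=DMARC1; p=reject; np=reject"],
    "_dmarc.co.uk": ["v=DMARC1; psd=y; p=none"],   # hypothetical registry record
    "_dmarc.corp.example": ["v=DMARC1; p=quarantine"],
    "_dmarc.eu.corp.example": ["v=DMARC1; p=none; psd=n"],
}

def lookup(name, zone):
    """Return the tags of the single valid record at _dmarc.<name>, else None."""
    valid = [r for r in zone.get("_dmarc." + name, [])
             if r.replace(" ", "").split(";")[0] == "v=DMARC1"]
    if len(valid) != 1:           # no record, or several: treated as absent
        return None
    pairs = (p.split("=", 1) for p in valid[0].split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def tree_walk(domain, zone=ZONE):
    """Yield (name, tags) for each name queried, from the domain upward."""
    labels = domain.lower().rstrip(".").split(".")
    first = True
    while labels:
        name = ".".join(labels)
        tags = lookup(name, zone)
        yield name, tags
        if tags and tags.get("psd") in ("y", "n"):
            return                # an explicit psd marker ends the walk
        # Long names jump to 7 labels after the first query, capping lookups.
        labels = labels[-7:] if first and len(labels) >= 8 else labels[1:]
        first = False

def organizational_domain(domain, zone=ZONE):
    """Pick the org domain from the records the walk found (None if none)."""
    start = domain.lower().rstrip(".")
    found = [(n, t) for n, t in tree_walk(start, zone) if t]
    for name, tags in found:
        if tags.get("psd") == "n":
            return name           # this name declares itself an org domain
        if tags.get("psd") == "y" and name != start:
            # The org domain sits one label below the public suffix domain.
            depth = len(name.split(".")) + 1
            return ".".join(start.split(".")[-depth:])
    # Otherwise: the record found at the name with the fewest labels.
    return min(found, key=lambda nt: len(nt[0].split(".")))[0] if found else None
```

With this zone, mail.shop.example.co.uk resolves to example.co.uk, while a.b.eu.corp.example resolves to eu.corp.example rather than corp.example because of the psd=n record: the kind of shift a deep subdomain structure can produce.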
The pct tag is going away
The pct tag – “apply this policy to X% of mail” – was used to ramp enforcement gradually, but it behaved unpredictably across receivers. DMARCbis removes pct and introduces a simple t (testing) tag instead: t=y says “I’m testing this policy, don’t fully act on it yet.” Cleaner, and easier to reason about.
A new psd tag, and clearer subdomain handling
DMARCbis folds in the work on public suffix domains (the psd tag), which lets registry-style operators protect a whole suffix, and clarifies the np policy for non-existent subdomains – closing a gap attackers have used to spoof subdomains that were never meant to send mail at all.
What you should actually do
For most organisations: nothing urgent. A correctly configured DMARC record keeps working. The practical takeaways are to make sure your DKIM is aligned (it’s the most robust signal under the new rules), to stop relying on pct for ramping – use a proper enforcement journey instead – and to be aware that the tree walk can change how your org domain is determined if you have a deep subdomain structure.
DMARCER tracks the standard as it’s finalised, so the checks behind your score stay current without you having to follow the IETF drafts yourself.