DMARCbis vs. DMARC: What’s Changing?


The DMARC specification was first published in 2012, and the Internet Engineering Task Force (IETF) is proposing changes to the DNS-based control in DMARCbis, the working title of the updated version. The IETF DMARC working group has been discussing updates to the DMARC specification so it’s more flexible and easier to understand and deploy.

Proposed DMARCbis Updates

While the updates aren’t radical and won’t require domain owners to update their DMARC records to maintain functionality, the changes are an attempt to improve the clarity, security and interoperability of the control.

The IETF DMARC working group has categorized DMARCbis as a proposed standard; the following is a rundown of the suggested changes:

  • The specification is being rearranged and rewritten with improved examples to make it easier to understand and follow.
  • To help define best practices, the “Conformance Requirements for Full DMARC Participation” section has been added to describe the DMARC mechanism and summarize “the requirements for full participation in DMARC, either by Domain Owners or by Mail Receivers.”

What's changing in DMARCbis?

DMARC tags being discontinued:

  • The pct tag is used to indicate that the DMARC policy applies to only a particular percentage of inbound email. The IETF writes that “operational experience showed that the pct tag was usually not accurately applied, unless the value specified was either 0 or 100 (the default), and the inaccuracies with other values varied widely from one implementation to another.”

    Though not all stakeholders agree with this move, the pct tag is being replaced with the t (testing mode) tag to create an all (100%) or nothing (0%) scenario. Some people appreciate the pct tag for its utility in the measured advancement of p=quarantine and p=reject enforcement policies; others recognized that the pct tag wasn’t consistently calculated and that a more accurate tag would provide operational clarity.

  • The rf (aggregate report format) and ri (interval between aggregate reports) tags are being removed to simplify and streamline the DMARC deployment process. It’s worth noting here that email receivers will continue to generate and deliver aggregate reports to the email address(es) specified in the rua tag.

DMARC tags being added:

np (non-existent subdomain policy) – with the same policy values as the p and sp tags, the proposed np tag allows domain owners to apply a policy to a subdomain that doesn’t exist. Why would a domain owner set a policy for a non-existent subdomain, you might ask. To subvert DMARC controls, cybercriminals try to use a non-existent subdomain of an existing domain to send shady emails. The np tag with an enforcement value of quarantine or reject can provide the protection needed to stop fraudulent emails sent from a fake subdomain.

psd (public suffix domain) – used to indicate that the domain is a public suffix domain (PSD) operated by a registry. The tag will be used to define the root domain of the From domain and have the following values:

  • y – public suffix operators (PSOs) include this tag with a value of y to indicate that the domain is a PSD. If a record containing this tag with a value of y is found during policy discovery, this information will be used to determine the Organizational Domain and DMARC Policy Domain applicable to the message in question.
  • n – indicates that the DMARC policy record is published for a domain that is not a PSD, but it is the organizational domain for itself and its subdomains.
  • u – the default value indicating that the DMARC policy record is published for a domain that is not a PSD, and may or may not be an organizational domain for itself and its subdomains. In this case, the DNS Tree Walk process determines the organizational domain. DNS tree walk is the process of associating a domain name with an IP address by navigating the Domain Name System.

t (testing mode) – Replaces the pct tag and has these binary values:

  • y – indicates that the published DMARC policy in the p, sp, and/or np tags should not be applied and acts like the pct=0 value.
  • n – the default value; the published DMARC policy is applied, which is equivalent to the pct=100 value.

Additional Technical Updates

  • The Public Suffix List mechanism is replaced with the DNS tree walk algorithm to better support Public Suffix Domains (PSDs).
  • Because email forwarding and mailing lists can interfere with email authentication, DMARCbis recommends against a p=reject policy with mailing lists.
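To make the tag semantics above concrete, here is an added example in Python; it is not dmarcian’s code and not the working group’s reference code. It models DMARCbis policy discovery as described in this post: the Organizational Domain is derived from the psd tags met during a DNS tree walk (psd=n names the organizational domain itself, psd=y marks a public suffix so the organizational domain is the name one label below it, and with only psd=u records the shortest name that has a record is used), the applicable policy is p, sp or np depending on whether the From domain is the policy domain, an existing subdomain or a non-existent subdomain, and t=y is honoured as the replacement for pct=0. DNS is replaced by a constructed in-memory table (co.example standing in for a registry-run public suffix, plus bank.co.example, shop.example and example.net), the cap of eight lookups is an assumption, and the draft’s full precedence rules are longer than this model.

```python
"""Model of DMARCbis policy discovery with the np, psd and t tags.

Added example; not dmarcian's code and not a reference implementation of the
draft. DNS is replaced by a constructed in-memory table so it runs offline;
real code would query the _dmarc.<name> TXT records instead.
"""

# Constructed _dmarc TXT records, keyed by the name they are published at.
# co.example plays a registry-operated public suffix (hypothetical name).
DNS = {
    "_dmarc.co.example": "v=DMARC1; p=reject; psd=y",
    "_dmarc.bank.co.example": ("v=DMARC1; p=reject; sp=quarantine; np=reject; "
                               "rua=mailto:agg@bank.co.example"),
    "_dmarc.shop.example": "v=DMARC1; p=quarantine; t=y; psd=n",
    "_dmarc.example.net": "v=DMARC1; p=none",
}

# Constructed set of names that resolve (A/AAAA/MX present). Anything else is
# treated as non-existent (NXDOMAIN), which is what makes np rather than sp apply.
EXISTING = {"co.example", "bank.co.example", "mail.bank.co.example",
            "shop.example", "example.net"}

MAX_QUERIES = 8  # assumption: a cap on tree-walk lookups, not taken from the post


def parse_record(txt):
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def lookup(name):
    """Fetch and parse the DMARC record published at _dmarc.<name>, or None."""
    txt = DNS.get("_dmarc." + name.lower())
    return parse_record(txt) if txt else None


def tree_walk(domain):
    """Query the domain, then each parent up to the TLD; None where no record."""
    labels = domain.lower().split(".")
    names = [".".join(labels[i:]) for i in range(len(labels))][:MAX_QUERIES]
    return [(name, lookup(name)) for name in names]


def organizational_domain(domain):
    """Derive the Organizational Domain from the walk using the psd tag.

    psd=n: the record's own name is the Organizational Domain.
    psd=y: the name is a public suffix, so the Organizational Domain is the
           name one label below it (the previous name checked in the walk).
    psd=u: undecided; if nothing else settles it, the shortest name in the
           walk that has a record is used.
    """
    walk = tree_walk(domain)
    shortest_with_record = None
    for i, (name, rec) in enumerate(walk):
        if rec is None:
            continue
        psd = rec.get("psd", "u").lower()
        if psd == "n":
            return name
        if psd == "y":
            return walk[i - 1][0] if i > 0 else name
        shortest_with_record = name
    return shortest_with_record or domain


def policy_for(from_domain):
    """Return (policy, policy_domain, tag) for mail with this RFC5322.From domain."""
    from_domain = from_domain.lower()
    own = lookup(from_domain)
    if own is not None:
        rec, policy_domain, tag = own, from_domain, "p"
    else:
        policy_domain = organizational_domain(from_domain)
        rec = lookup(policy_domain)
        if rec is None:
            return ("none", policy_domain, "no record")
        # Subdomain of the policy domain: sp for names that resolve, np for
        # names that do not exist; np falls back to sp, and sp to p.
        tag = "sp" if from_domain in EXISTING else "np"
    # t=y is the DMARCbis replacement for pct=0: the policy is published but
    # receivers are asked not to apply it.
    if rec.get("t", "n").lower() == "y":
        return ("none", policy_domain, "t=y")
    p = rec.get("p", "none")
    sp = rec.get("sp", p)
    np = rec.get("np", sp)
    return ({"p": p, "sp": sp, "np": np}[tag], policy_domain, tag)


if __name__ == "__main__":
    for d in ["bank.co.example", "mail.bank.co.example", "fake.bank.co.example",
              "shop.example", "other.co.example", "a.b.example.net"]:
        print(d, "->", policy_for(d))
```

Running it shows the three outcomes the post describes for one organization: mail from bank.co.example gets p=reject, mail from the existing subdomain mail.bank.co.example gets sp=quarantine, and mail from the non-existent fake.bank.co.example gets np=reject, while shop.example publishes a policy that is not applied because of t=y.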

As with the pct tag, not all subject matter experts agree with the IETF’s assessment, including Ash Morin, our Director of Professional Services: “Through careful review of DMARC data to identify mailing lists users engage with, it’s absolutely possible to move forward to p=reject safely. Modern list software like Mailman and LSoft LISTSERV already include DMARC mitigations, and I caution treating ‘not publishing p=reject’ as a best practice—it isn’t.”

How to prepare for DMARCbis

Existing v=DMARC1 records remain valid and will continue to be the standard when the changes are published. That said, when DMARCbis is published, domain owners should review and update their DMARC records to take advantage of the changes.

When the DMARCbis updates are published, you can examine your DMARC records to ensure they are in line with the amended DMARC specification:

  • Remove the obsolete pct (percentage), rf (report format) and ri (report interval) tags.
  • Add the new np (non-existent subdomain policy), psd (Public Suffix Domain), and t (testing mode) tags described above.
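The review above can be scripted. The following is an added example, not dmarcian’s tooling: it rewrites a v=DMARC1 record by dropping rf and ri, mapping pct onto the t tag, and listing what still needs a human decision. np and psd are suggested rather than added, because only the domain owner knows which values are right for the domain; the sample record and its mailto address are constructed.

```python
"""Rewrite a v=DMARC1 record in line with the DMARCbis tag changes.

Added example, not dmarcian's tooling. It drops rf and ri, translates pct
into the t tag, and reports what a domain owner still has to decide by hand.
The version string stays v=DMARC1; DMARCbis does not introduce a new one.
"""


def migrate_record(txt):
    """Return (new_record, notes) for one DMARC TXT record string."""
    # Ordered (tag, value) pairs; tag names are case-insensitive, values verbatim.
    pairs = [(k.strip().lower(), v.strip())
             for k, _, v in (part.partition("=")
                             for part in txt.split(";") if "=" in part)]
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("not a DMARC record: v=DMARC1 must be the first tag")

    out, notes = [], []
    for tag, value in pairs:
        if tag in ("rf", "ri"):
            # Discontinued; receivers keep sending aggregate reports to rua.
            notes.append(f"dropped {tag}={value}: tag discontinued in DMARCbis")
        elif tag == "pct":
            if value == "100":
                notes.append("dropped pct=100: identical to the t=n default")
            elif value == "0":
                out.append(("t", "y"))
                notes.append("pct=0 became t=y (policy published but not applied)")
            else:
                # t is all-or-nothing, so a partial percentage cannot be kept.
                # This example chooses t=y (no enforcement) until the owner
                # decides; t=n instead would enforce the policy on all mail.
                out.append(("t", "y"))
                notes.append(f"pct={value} has no DMARCbis equivalent; "
                             "set t=y for now, decide whether to move to t=n")
        else:
            out.append((tag, value))

    present = {tag for tag, _ in out}
    if "np" not in present:
        notes.append("np absent: non-existent subdomains fall back to sp, then p; "
                     "consider np=quarantine or np=reject")
    if "psd" not in present:
        notes.append("psd absent: defaults to psd=u, so the Organizational Domain "
                     "is found by the DNS tree walk")
    return "; ".join(f"{tag}={value}" for tag, value in out), notes


if __name__ == "__main__":
    # Constructed sample record with every discontinued tag present.
    record, notes = migrate_record(
        "v=DMARC1; p=quarantine; pct=0; rf=afrf; ri=86400; rua=mailto:agg@example.com")
    print(record)
    for note in notes:
        print(" -", note)
```

The sample record becomes `v=DMARC1; p=quarantine; t=y; rua=mailto:agg@example.com`, and the notes make the reviewer look at exactly the two places where DMARCbis asks for a decision rather than a mechanical edit: a partial pct value, and whether to publish np for fake subdomains.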

Are current DMARC records still valid?

Yes! Your existing DMARC records will not be obsolete and will continue to function when DMARCbis is published. But incorporating the DMARCbis updates can align your DMARC records with the latest version of the industry standard.

When will DMARCbis be published?

As of this writing, DMARCbis is in the “IETF Last Call” phase and is expected to be published in 2025.

dmarcian is here to help

With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog in light of the upcoming DMARC updates. We can help you implement and manage DMARC for the long haul.
