What is DMARCbis?
DMARCbis is a revised version of the original DMARC standard and is currently listed as a draft at the IETF (Internet Engineering Task Force). The new version aims to improve and modernize the original DMARC standard from 2015 (RFC 7489).
Why DMARCbis?
DMARCbis is not intended as a radical reinvention, but as an evolutionary development. The aim is to make the specification clearer, more robust and easier to implement. While existing DMARC entries remain valid, organizations benefit from adapting to the new standards through
What’s new in DMARCbis?
1. DNS Treewalk instead of Public Suffix List (PSL)
The most significant change concerns the definition of the so-called Organizational Domain (OrgDomain). This is an essential component of DMARC. On the one hand, it serves as a fallback if no DMARC record can be found under the domain specified in the header From. On the other hand, the role of the OrgDomain as a reference domain is more clearly defined, especially for comparison when ‘relaxed’ or ‘strict’ mode is enabled.
Previously, the Public Suffix List (PSL) – an externally maintained list of domain extensions such as .com, .de, .co.uk or .gov – was used to determine the OrgDomain. When using subdomains such as news.mail.example.com, this procedure requires that either a DMARC entry is stored for each individual subdomain that is used for sending emails, or that the DMARC entry of the OrgDomain is valid for all subdomains, regardless of the level. This procedure leaves little room for flexibility.
DMARCbis replaces this with a DNS-based treewalk procedure:
The treewalk starts with the full domain name specified in the Header From (e.g. _dmarc.news.mail.example.com) and works its way up the hierarchy step by step until a valid DMARC entry is found. However, there is a maximum hierarchy depth of 8 levels. So if the domain specified in the Header From has more than 8 levels – such as a.b.c.d.e.f.g.h.i.j.mail.example.com – the treewalk continues at _dmarc.g.h.i.j.mail.example.com if no DMARC entry was found under _dmarc.a.b.c.d.e.f.g.h.i.j.mail.example.com.
New tags such as psd=y or psd=n help to explicitly define domain boundaries. This procedure is DNS-native, more robust and reduces the external dependency on the PSL.
A valid DMARC record with psd=n indicates that this is the organization domain and the selection process is complete. A valid DMARC record with psd=y, which is not for the domain where the treewalk begins, indicates that the organization domain is the domain one level below it in the DNS hierarchy and the selection process is complete.
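As an added illustration (not code from the original article or from NoSpamProxy), the following Python sketch runs the treewalk and the psd-based OrgDomain selection described above over a constructed in-memory table standing in for DNS TXT lookups. Two points are assumptions, marked in the comments: the depth limit is read as "at most 8 labels", and when no psd tag decides the walk, the shortest name that holds a record is used.

```python
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for DNS: TXT records at _dmarc.<name>. A real
# implementation would issue DNS queries here instead.
FAKE_DNS: Dict[str, str] = {
    "_dmarc.com": "v=DMARC1; p=none; psd=y",                 # public suffix
    "_dmarc.example.com": "v=DMARC1; p=reject",               # org policy, no psd tag
    "_dmarc.corp.example.net": "v=DMARC1; p=quarantine; psd=n",
    "_dmarc.example.net": "v=DMARC1; p=none",
}
MAX_LABELS = 8  # assumption: the page's "8 levels" counted as DNS labels


def parse_tags(record: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=reject; psd=n' into {'v': 'DMARC1', 'p': 'reject', 'psd': 'n'}."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lookup(name: str, dns: Dict[str, str] = FAKE_DNS) -> Optional[Dict[str, str]]:
    """Parsed DMARC record at _dmarc.<name>, or None if absent or not v=DMARC1."""
    txt = dns.get("_dmarc." + name)
    tags = parse_tags(txt) if txt else {}
    return tags if tags.get("v") == "DMARC1" else None


def tree_walk_names(domain: str, max_labels: int = MAX_LABELS) -> List[str]:
    """Query order: the full Header From domain first, then each shorter suffix.
    Names longer than max_labels continue at the max_labels-label suffix (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    names = [".".join(labels)]
    labels = labels[-max_labels:] if len(labels) > max_labels else labels[1:]
    while labels:
        names.append(".".join(labels))
        labels = labels[1:]
    return names


def organizational_domain(domain: str, dns: Dict[str, str] = FAKE_DNS) -> Optional[str]:
    """OrgDomain discovery using the psd rules: psd=n ends the walk at that name,
    psd=y (not at the starting name) ends it one level below the PSD."""
    names = tree_walk_names(domain)
    found: List[Tuple[str, Dict[str, str]]] = []
    for i, name in enumerate(names):
        rec = lookup(name, dns)
        if rec is None:
            continue
        if rec.get("psd", "").lower() == "n":
            return name                    # explicitly the organizational domain
        if rec.get("psd", "").lower() == "y" and i > 0:
            return names[i - 1]            # one level below the public suffix
        found.append((name, rec))
    # Assumption for the undecided case: shortest (closest-to-root) name with a record.
    return found[-1][0] if found else None
```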
2. Simplification of the tags
DMARCbis does away with some legacy issues.
Here are some examples:
| Obsolete tags | New/alternative tags | Purpose |
|---|---|---|
| pct | t (test mode) | Percentage application omitted in favor of clear test signals |
| rf, ri | n/a | Simplification of reporting mechanisms |
| – | np | Policy for non-existent subdomains |
| – | psd | Marking of public suffix domains |
3. A clearer specification
The entire specification has been restructured, with better examples and a new section on “Full DMARC Participation”, which describes what full participation in DMARC means – for both domain owners and receiving mail servers.
What does this mean for companies?
Conclusion: evolution instead of revolution
DMARCbis does not bring any disruptive changes, but important improvements in terms of clarity, security and future viability. The new treewalk procedure is a milestone in DNS-based authentication and makes DMARC more robust against abuse through subdomain spoofing.
Further articles on sender reputation and email security
Part 1: Authenticated Received Chain (ARC)
Part 2: Sender Policy Framework (SPF)
Part 3: DomainKeys Identified Mail (DKIM)
Part 4: Domain-based Message Authentication, Reporting and Conformance (DMARC)
Part 5: DNS-based Authentication of Named Entities (DANE)
Part 6: DMARCbis
Not yet using NoSpamProxy?
With NoSpamProxy you can reliably protect your company from spoofing attacks and benefit from many other security functions. Request your free trial version now!