DMARCbis adoption: what IT leaders, CISOs, and domain owners need to know

by DuoCircle

 

The stronger and better DMARC 2.0 is almost here. This upgraded, tighter version aims to combat the growing menace of email-based phishing and spoofing attacks, especially those powered by artificial intelligence.

DMARC has been around since 2012, and its adoption recently spiked significantly, primarily because Gmail, Yahoo, GDPR, PCI DSS, and other regulatory bodies have mandated DMARC deployment for bulk email senders. Now DMARCbis is here to change how email authentication works at scale. For domain owners, IT leaders, and CISOs, this update is directly tied to the difference between a brand that looks safe and one that ends up exploited in email-based phishing scams.

This blog explores how this shift will affect overall email security and how IT leaders, CISOs, and domain owners should prepare for it.

 

What is DMARCbis, and how is it different from DMARC?

Put simply, DMARCbis is the newer, upgraded version of DMARC: it does what DMARC has been doing for years and adds more to it, essentially fixing the limitations of the older version. It is still in development and is expected to be released soon.

 


Here are the newer features of DMARCbis

 

Clearer rules and language

The old DMARC confused a lot of people because the rules were vague and the wording was tough to follow. DMARCbis fixes this by making the rules simple and straight to the point. Now you know exactly what’s expected without scratching your head.

 

Clear participation rules

DMARCbis brings better clarity on the responsibilities of senders and receivers. Domain owners need to ensure their emails pass SPF and DKIM, have a correctly configured DMARC record, and regularly evaluate aggregate and forensic reports. Receiving mail servers like Gmail and Yahoo, in turn, have to read the records, run the authentication checks, and send daily reports back.

 


New and removed tags

A few new tags have also been introduced in the newer version of DMARC. The new DMARCbis ‘psd’ tag ensures the policies are applied properly to public suffix domains like .gov or .edu. The ‘t’ tag shows you’re just testing, so your policy isn’t enforced right away. The ‘np’ tag blocks spoofing from fake subdomains that don’t exist. At the same time, some older tags like ‘pct’, ‘rf’, and ‘ri’ are dropped to keep things simple.

Despite the changes, all DMARC records will still begin with v=DMARC1.

 

Better ways to find the main domain

Instead of relying on the old Public Suffix List, DMARCbis now uses something called DNS Tree Walk to figure out the main domain. This makes life easier for complex setups like gov.uk or other big institutions where rules can get messy.

 

Stricter and smarter reports

Reports are also sharper now. Aggregate reports follow stricter XML formatting, with new tags that reflect how email really works today. This means you get more useful info about your emails, and spotting issues becomes much easier.

 


How Can CISOs, IT Leaders, and Domain Owners Prepare for DMARCbis?

While there is still time for DMARCbis to get fully developed, gain the required approvals and licenses, and be launched, CISOs, IT leaders, and domain owners can start prepping for it now. 

 

Start by auditing and cleaning up your current DMARC record

Start by checking your DMARC record properly, tag by tag. Throw out the tags that won’t work in DMARCbis, like pct, rf, and ri. If you keep them, your record can break. Also make sure your main domain (the base one) has a DMARC policy, at least p=none. Just having policies on subdomains is not enough.

Benefit: When DMARCbis is out, your DMARC record won’t fail, and thus your domain won’t look like it has zero protection.
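
The audit described above can be scripted. The following is an added example, not DuoCircle's code: it flags the tags this article lists as dropped, proposes a cleaned record, and checks that the base domain itself publishes a policy. The zone data and the brand.example and other.example names are constructed placeholders.

```python
# Added example (not DuoCircle's code): pre-DMARCbis audit of DMARC TXT records.
DROPPED_TAGS = ("pct", "rf", "ri")  # tags the article says DMARCbis drops

def parse_dmarc(txt):
    """Split a DMARC TXT value into ordered (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def audit_record(txt):
    """Return findings for one record; an empty list means it is clean."""
    pairs = parse_dmarc(txt)
    findings = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        findings.append("record does not begin with v=DMARC1")
    if not any(tag == "p" for tag, _ in pairs):
        findings.append("no p= policy tag")
    for tag, value in pairs:
        if tag in DROPPED_TAGS:
            findings.append(f"remove {tag}={value} (dropped in DMARCbis)")
    return findings

def cleaned_record(txt):
    """Rebuild the record without the dropped tags, keeping tag order."""
    return "; ".join(f"{t}={v}" for t, v in parse_dmarc(txt) if t not in DROPPED_TAGS)

def audit_zone(records, base_domain):
    """Audit every record and require a policy on the base domain itself."""
    report = {name: audit_record(txt) for name, txt in records.items()}
    base = f"_dmarc.{base_domain}"
    if base not in records:
        report[base] = ["no DMARC record on the base domain (publish at least p=none)"]
    return {name: f for name, f in report.items() if f}

# Constructed sample data; brand.example and other.example are placeholders.
ZONE_A = {
    "_dmarc.brand.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@brand.example; ri=86400",
    "_dmarc.mail.brand.example": "v=DMARC1; p=reject",
}
ZONE_B = {"_dmarc.alerts.other.example": "v=DMARC1; p=reject; rf=afrf"}

if __name__ == "__main__":
    for zone, base in ((ZONE_A, "brand.example"), (ZONE_B, "other.example")):
        for name, findings in audit_zone(zone, base).items():
            print(name, findings)
            if name in zone:
                print("  suggested:", cleaned_record(zone[name]))
```
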

 

Map subdomains against DNS Tree Walk

DMARCbis replaces the old ‘Public Suffix List’ with DNS Tree Walk. This means the system will climb up the DNS hierarchy until it finds a DMARC record. If you’re running multiple subdomains (mail.brand.com, alerts.brand.com, etc.), test how the Tree Walk resolves for each one.

Benefit: You won’t get caught with gaps where subdomains bypass policies. This is critical for large organizations and government-like domains (e.g., gov.uk).
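
To map subdomains before the change, the climb can be simulated offline. This is an added example, not DuoCircle's code: it implements only the upward walk as this article describes it (the specification's further rules, such as ‘psd’ handling, are left out), and the TXT data and hostnames are constructed placeholders.

```python
# Added example (not DuoCircle's code): offline simulation of the upward climb.
def is_dmarc(txt):
    """True only for TXT values whose first tag is v=DMARC1."""
    return txt.split(";")[0].replace(" ", "") == "v=DMARC1"

def tree_walk(domain, txt_records):
    """Climb from `domain` toward the root, one label at a time.
    Returns (names_queried, hit); hit is (name, record) or None."""
    labels = domain.lower().rstrip(".").split(".")
    queried = []
    while labels:
        name = "_dmarc." + ".".join(labels)
        queried.append(name)
        for txt in txt_records.get(name, []):
            if is_dmarc(txt):
                return queried, (name, txt)
        labels = labels[1:]  # drop the left-most label and try the parent
    return queried, None

def map_subdomains(hosts, txt_records):
    """Say where each host's policy comes from, or flag the gap."""
    result = {}
    for host in hosts:
        queried, hit = tree_walk(host, txt_records)
        if hit is None:
            result[host] = f"GAP after {len(queried)} queries"
        elif hit[0] == "_dmarc." + host:
            result[host] = "own record: " + hit[1]
        else:
            result[host] = f"inherits from {hit[0]}: {hit[1]}"
    return result

# Constructed TXT data standing in for DNS; all names are placeholders.
TXT = {
    "_dmarc.brand.example": ["v=DMARC1; p=reject"],
    "_dmarc.mail.brand.example": ["v=DMARC1; p=none"],
    "_dmarc.alerts.brand.example": ["v=spf1 -all"],  # stray non-DMARC TXT
}
HOSTS = ["mail.brand.example", "alerts.brand.example",
         "a.b.promo.brand.example", "news.partner.example"]

if __name__ == "__main__":
    for host, verdict in map_subdomains(HOSTS, TXT).items():
        print(f"{host:26} {verdict}")
```

Hosts reported as a gap have no DMARC record anywhere on their path, and hosts that inherit are governed by whatever the parent record says.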

 

Deploy and test the ‘psd’ tag

If your domain is on a public suffix (like .gov or .edu or .org) or if your organization uses deep custom hierarchies, you must configure the new ‘psd’ tag. This tells receivers where the policy starts and stops, ultimately preventing email-based phishing and spoofing attempts at the suffix level.

Benefit: This will help you block threat actors from slipping phishing campaigns under your suffix domain structure.

 


Use the ‘t’ tag for safer rollouts

If you’re not ready to push strict enforcement yet, just use the ‘t’ tag. It tells Gmail, Yahoo, and others that you’re still testing things out, so they won’t block emails right away. But you still need to keep an eye on your reports while doing this.

Benefit: You can spot mistakes before they mess up your email flow, and providers will see that you’re actually working on moving to DMARCbis.

 

Fine-tune your reporting infrastructure

With DMARCbis, the aggregate reports are going to be a lot stricter in XML. So first thing, check if your current tools can even read the new tags. If you’re using some homegrown setup or a third-party tool, make sure it won’t break. If it does, better to upgrade now. And if you get tons of reports every day, set up a place to store them and some simple way to actually look at them instead of letting them pile up.

Benefit: When providers move to the new format, you’ll still get all your reports and nothing will go missing. 

 


Final thoughts

Email is still the easiest way for attackers to break in, and the shift from DMARC to DMARCbis shows how serious things have become. This isn’t just a small upgrade; it’s a big reset on how email security is going to work from 2025 onwards. If you own a domain or run IT, waiting is not a smart move. The sooner you prepare, the easier the switch will be when DMARCbis goes live.

And if this feels messy or too technical to figure out on your own, DuoCircle has your back. We help IT teams, CISOs, and domain owners set up DMARC, fix reports, monitor things, and now get ready for DMARCbis. Let’s get your domain ready before the new rules kick in. Reach out to DuoCircle today and we’ll sort it out with you.
