
DMARCbis is official: what the new DMARC means for your domain
DMARC just got its first major overhaul in more than a decade. After years of work at the IETF — the effort began around 2020 — the updated standard, nicknamed DMARCbis, was officially published this month (May 2026) as RFC 9989, alongside two companion specs for reporting (RFC 9990 and RFC 9991). If you own a domain and publish a DMARC record, here's what changed, what actually matters, and whether you need to lift a finger.
First, the reassuring part: your current record keeps working
DMARCbis is an evolution, not a reset. Your existing DMARC record — p=none, quarantine or reject, your reporting address (rua), sp, adkim, aspf — is all still valid and still honored. Nothing breaks overnight, and there's nothing to rush.
What actually changed (the parts worth knowing)
1. Stronger protection against fake subdomains — the new np tag (the headline change).
Attackers love inventing subdomains that don't exist — payroll.yourdomain.com, secure-login.yourdomain.com — to make phishing look official. The new np ("non-existent subdomain") policy lets you say: reject mail from any subdomain that isn't real. For organizations with many subdomains — schools, government, large companies — this closes a gap attackers have leaned on for years.
Better still, you can adopt it safely, because np takes the same values as p (none → quarantine → reject):
- Start with np=none to monitor — nothing is blocked, but your reports begin showing mail that claims to come from non-existent subdomains. Watch for a few weeks to be sure no legitimate system is using a subdomain you'd forgotten.
- Then tighten to np=quarantine, and finally np=reject once you're confident.
This is the most impactful new protection in DMARCbis.
2. A smarter way receivers find your domain — the "DNS Tree Walk".
Previously, mail providers relied on a big external list (the Public Suffix List) to work out your "main" domain and how subdomains inherit policy. DMARCbis replaces that with a DNS Tree Walk: receivers simply walk up the DNS tree to find your organizational domain and its policy. It's more reliable, drops a fragile dependency, and behaves more predictably for complex setups. You won't see it directly — it's how receivers read your record — but it's the biggest change under the hood, and it's what makes the np protection above possible.
3. The pct tag is gone — the one thing to double-check. ⚠️
Old DMARC had a pct= tag to apply your policy to only a percentage of mail (used for gradual rollouts). DMARCbis removes it. If your record still contains something like pct=10, modern receivers now ignore it and apply your full policy. So if you were leaning on pct to soften enforcement, that assumption no longer holds — worth a quick review. The new way to ease in is the t=y testing flag, plus the classic none → quarantine → reject progression.
4. Housekeeping.
There's also a psd tag and cleaner, split-out reporting formats (RFC 9990 / 9991). Most domain owners can leave both alone: the DNS Tree Walk already figures out your organizational boundary, so you don't need to set psd yourself. (It mainly matters for registry / "public suffix" operators, who publish psd=y to protect the domains registered beneath them.)
So — do you need to do anything?
For most domains, not urgently — your record keeps working. But two things are worth a look:
- Revisit any pct= tag — it no longer does what it used to.
- Consider np if you have subdomains and want to shut the door on fake-subdomain phishing — starting at np=none to monitor.
The honest answer is that the right changes depend on your DNS setup, your subdomains, and how strict your current policy is. Tightening DMARC carelessly can block legitimate mail — so it's worth an assessment before flipping switches.
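As a starting point for that assessment, here is an added example (not DMARC Guy's own tooling) that parses a record's text and reports the two items above: a leftover pct tag and where the record stands on the np progression. The finding wording and the sample records are constructed for illustration, and example.com is a placeholder.

```python
# Added example: lint a DMARC TXT record for the DMARCbis changes described above.
# Finding texts and sample records are constructed for illustration.
POLICIES = ("none", "quarantine", "reject")   # values shared by p and np


def parse_dmarc(record):
    """Split 'v=DMARC1; p=...; ...' into an ordered {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue                          # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag-value pair: {part.strip()!r}")
        tags[name.strip().lower()] = value.strip()
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        raise ValueError("record must begin with v=DMARC1")
    return tags


def review(record):
    """Return (tag, message) findings; an empty list means nothing to revisit."""
    tags = parse_dmarc(record)
    findings = []
    for tag in ("p", "np"):                   # np takes the same values as p
        if tag in tags and tags[tag].lower() not in POLICIES:
            findings.append((tag, f"{tag}={tags[tag]} is not one of {POLICIES}"))
    if "pct" in tags:
        findings.append(("pct", f"pct={tags['pct']} is ignored and the full "
                                "policy applies; ease in with t=y instead"))
    np = tags.get("np", "").lower()
    if "np" not in tags:
        findings.append(("np", "no np tag; add np=none to start monitoring"))
    elif np in POLICIES[:2]:                  # none or quarantine: not at reject yet
        step = POLICIES[POLICIES.index(np) + 1]
        findings.append(("np", f"np={np}; once reports look clean, move to np={step}"))
    return findings


if __name__ == "__main__":
    for rec in ("v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=reject; np=none; rua=mailto:dmarc@example.com;",
                "v=DMARC1; p=reject; np=reject"):
        print(rec)
        for tag, msg in review(rec):
            print(f"  [{tag}] {msg}")
```

The linter only reads the record text you give it; it does not query DNS or look at aggregate reports, which are still what tells you whether a tighter np value is safe.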
We'll guide you
This is exactly what DMARC Guy does. We're preparing tailored, step-by-step guidance to help domain owners adopt the DMARCbis improvements safely — the right tags, in the right order, without disrupting legitimate email. Want us to review your domain and map out the specific steps for your setup? Get in touch.