What DMARCbis Means for Your Email Deliverability

what-dmarcbis-means-for-deliverability

What DMARCbis Means for Your Email Deliverability

For eleven years, DMARC ran on a single informational document from 2015. That era is over. In May 2026, the Internet Engineering Task Force (IETF) officially published DMARCbis — the modernized version of the DMARC standard — as three formal RFCs: 9989, 9990, and 9991. With that, DMARC moved from an informal, independently submitted specification to a recognized Proposed Standard.

If you send marketing or transactional email, this is the most significant authentication change since Gmail and Yahoo made DMARC mandatory for bulk senders in 2024. The good news: DMARCbis is an evolution, not a revolution. Your existing records still work. But there are new tools worth adopting — and a few habits worth retiring.

First, the reassuring part: nothing breaks overnight

DMARCbis is deliberately backward-compatible. DMARC records still begin with v=DMARC1; there is no “DMARC2.” If you already publish a valid policy, it keeps functioning. Receivers are expected to support both the old and new mechanics during a transition period that will likely run two to three years.

So this is not a fire drill. It is a chance to tighten your setup while the industry is paying attention.

What actually changed

Three new tags were added, three were removed, and the way receivers figure out your “organizational domain” was rebuilt.

Change Old behavior DMARCbis behavior
np tag (new) No dedicated policy for non-existent subdomains Lets you set a policy for subdomains that don’t exist in DNS
psd tag (new) Public Suffix Domains couldn’t fully participate Flags a record as belonging to a public suffix domain
t tag (new) pct used for phased rollout t=y puts a policy in explicit test mode
pct, rf, ri (removed) Sampling percentage and forensic report format/interval Deprecated; ignored by new implementations
Domain discovery External Public Suffix List (PSL) DNS Tree Walk algorithm
p= tag Effectively required Recommended, defaulting to p=none

The np tag is the standout

The new np tag defines what receivers should do with mail that fails alignment and comes from a subdomain that doesn’t exist in your DNS. Attackers love spoofing phantom subdomains like billing.yourbrand.com precisely because no legitimate mail flows from them, so nobody notices. With np=reject, those forged messages are rejected outright — without you having to touch your main sending policy. If np is absent, receivers fall back to your sp (subdomain) policy, then p.

Test mode replaces the percentage tag

Previously, senders used pct= to roll a policy out to a fraction of mail. DMARCbis retires that in favor of t=y, a clean test flag that says “evaluate my policy but don’t enforce it yet, and tell me what would have happened.” Aggregate reports now surface a testing field so you can confirm the mode is active.

The DNS Tree Walk

To decide how alignment and policy inheritance work, DMARC has to identify your organizational domain. The old method leaned on the external Public Suffix List, which caused inconsistent behavior across providers. DMARCbis replaces it with a DNS Tree Walk — a more flexible lookup that queries up the domain tree. For most single-domain senders this is invisible. For large organizations with many subdomains and third-party senders, it produces more predictable, consistent enforcement.

One thing DMARCbis did not solve

Forwarding and mailing lists still break DMARC alignment — that “indirect mail flow” problem remains unsolved. Because of it, DMARCbis actually discourages a strict reject policy when there’s a realistic chance your recipients use mailing lists. The practical takeaway: don’t rush to p=reject on a domain that sends to list-heavy audiences without checking your aggregate reports first.

What to do now: a short checklist

  1. Pull your current DMARC record and read it critically. If it still contains pct=, rf=, or ri=, plan to remove them — new receivers ignore them anyway.
  2. Add an np tag. For most brands, np=reject is safe and immediately shuts down phantom-subdomain spoofing.
  3. Use t=y for phased changes instead of the old percentage approach.
  4. Confirm your aggregate reporting still parses. RFC 9990 updated the XML schema (adding fields like discovery method, np, and testing). Validate that your reporting tool handles the new format.
  5. Review your alignment across every service that sends on your behalf — CRM, marketing platform, ticketing, transactional relays. Misaligned third-party senders are the most common reason DMARC quietly fails.
  6. Only then consider moving toward p=quarantine or p=reject, factoring in whether your audience uses forwarders and lists.

Where list verification fits in

Authentication answers one question: is this email really from you? It does nothing about whether the address you’re sending to is real, active, and safe. Those are the signals mailbox providers weigh most heavily now — bounce rates and spam complaints.

A perfectly configured DMARC record won’t save a domain that blasts a stale list full of invalid addresses, spam traps, and long-dead mailboxes. Hard bounces and complaints erode the exact sender reputation DMARC is meant to protect. That’s why authentication and list hygiene are two halves of the same job: DMARC proves your identity, and verification proves your list deserves the inbox.

Verifying your list before every major send keeps bounces low, keeps complaints under provider thresholds, and lets your freshly upgraded DMARC record do its job.

Verify before you send

Your authentication is only as strong as the list underneath it. Clearalist checks every address on your list — flagging invalids, spam traps, and risky contacts — so your bounce and complaint rates stay low and your sender reputation stays intact.

Start free — verify 1000 emails, no credit card required →

Frequently asked questions

Is DMARCbis the same as “DMARC2”? No. Despite the major upgrade, records still begin with v=DMARC1. DMARCbis modernizes the existing standard rather than replacing it with a new version.

Do I need to rewrite my DMARC record immediately? No. Existing valid records keep working through a multi-year transition. But you should remove deprecated tags (pct, rf, ri) and add the np tag when convenient.

What does the np tag actually protect against? Spoofing from subdomains that don’t exist in your DNS. Setting np=reject blocks forged mail from phantom subdomains without changing how your legitimate subdomains are treated.

Should I move to p=reject now? Only after reviewing aggregate reports and confirming your audience isn’t heavily reliant on forwarders and mailing lists, which can break alignment. Move up the policy ladder deliberately.

Does DMARC affect deliverability or just security? Both. Beyond stopping spoofing, a properly aligned DMARC record is now a trust signal that major mailbox providers use when deciding inbox placement.