Organizations assume their email domains are highly protected until a spoofed message proves otherwise. Over the last few years, there has been an increase in the number of organizations adopting DMARC, and new policies have been released regularly from 2020 to 2025. Meanwhile, published records don’t always remain active, and many domain owners don’t keep their DMARC policies up to date. That gap continues to create opportunities for email spoofing and phishing attacks.
DMARCbis updates the authentication standard to better support today’s email environment. The updated framework makes policy administration easier and supports more consistent email protection.
What Exactly Is DMARCbis
DMARCbis is the updated version of DMARC, and it’s now published as RFC 9989. It retains the same basic purpose as the original standard: to allow the recipient to determine whether an email message from a domain is valid. It updates the requirements to match today’s email environment, where cloud platforms, subdomains, and third-party senders are widely used.
DMARC worked well when it was introduced, but email systems have since changed. DMARCbis addresses these shifts by refining the standard, making it easier to interpret and implement.
Why the Standard Evolved
The original DMARC model was designed for simpler email environments. As email systems become more distributed, more attack vectors become available.
DMARCbis addresses this issue by enhancing the discovery, application, and management of policy and subdomains. This makes authentication more predictable for receivers and easier for domain owners to handle. In reality, this translates into fewer edge cases and a greater likelihood that the policy will be consistent across providers.
What Changed in RFC 9989
The DMARCbis RFC, published as RFC 9989, is the main DMARC protocol specification and supersedes the previous specification (RFC 7489) as the authoritative document on DMARC. It specifies the approach for publishing policy, the mechanism for evaluating messages against policy, and the action to take if the authentication fails. The DMARCbis update is actually a set of three standards, rather than a single document: aggregate reporting is covered by RFC 9990 and failure reporting by RFC 9991.
DNS Tree Walk
The most important protocol change in RFC 9989 is the DNS Tree Walk approach. Receivers now interpret policy through a structured domain hierarchy rather than relying on assumptions that may lead to ambiguity. This simplifies policy discovery, particularly for businesses with many subdomains.
Stronger subdomain handling
Another significant change is security for non-existent subdomains. Subdomain confusion is a technique used by attackers to create messages that appear convincing at first glance. DMARCbis adds explicit policy behavior to mitigate this risk and prevent a popular spoofing route.
Simplified model
A third change is simplification. Certain older policy components were helpful during the DMARC migration but cumbersome to implement in production. DMARCbis reduces that complexity so that organizations can implement policy more easily and keep it clear.
Reporting standards are now separate
Aggregate reporting is a daily XML report that receivers send to domain owners, as defined in RFC 9990. These reports provide information about IP addresses that sent mail for the domain, and whether the mail passed SPF, DKIM, and DMARC checks. RFC 9991 specifies the implementation of failure reporting, a near-real-time, per-message feature that assists the domain owner in quickly discovering and diagnosing failures in authentication when a particular message fails.
This structure makes DMARCbis complete and easier to understand. RFC 9989 handles the authentication logic, RFC 9990 handles daily visibility, and RFC 9991 handles detailed failure insight.
Why DMARCbis Matters for Security
Attackers still rely on spoofed emails to launch phishing campaigns, increasing the need for DMARCbis. If the sender looks familiar, employees may respond before verifying the message. This is when email authentication becomes increasingly important.
DMARCbis increases consistency in policy evaluation, thereby limiting the space attackers can exploit. It does not prevent all attacks, but it will make impersonation more difficult and provide the receiver with better information when making trust decisions. In other words, it can improve decision quality before the email is delivered to the inbox.
This is crucial when businesses use email to send and receive invoices, communicate with HR, and more. In these instances, a convincing fake message can be extremely costly. The use of stronger authentication isn’t a technical decision today; it’s a decision on better risk management.
A Real-World Risk Example
An example comes from phishing activity reported in the UK in 2025, which targeted users with HMRC and Home Office email addresses. In that case, trust in the sender is exploited, which makes the email believable. It also shows why authentication standards matter in practice, not just in theory.
What should senders do now?
DMARCbis does not require current adopters to change their operations. Old records remain valid; no “republishing event” is required by RFC 9989. This means that it is not a disruptive change, but an evolutionary one.
These DMARC changes also make it a good time to review how your current DMARC deployment is configured. If pct remains part of a transition plan, it is time to see it as a short-term, not a long-term, solution. If your team has been in p=none for years, DMARCbis may be a good time to review your security objectives and see whether monitoring mode is still meeting them.
A sender’s checklist includes:
- Scan your DMARC records for any that still use pct.
- Use the new t=y or t=n tag in place of the old testing assumption.
- Discuss aggregate and failure reports.
- Review if the subdomain policy will continue to support policy usage.
- Check if the domain is prepared for the transition from monitoring to enforcement.
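Parts of this checklist can be automated. The Python below is an added example, not Threatcop tooling or code from the RFCs: it parses a DMARC TXT record and flags pct, the t tag, p=none, missing report addresses, and an sp weaker than p. The finding codes, function names, and sample records are assumptions made for illustration.

```python
# Added example: audit DMARC TXT records against the sender checklist above.
# The records in SAMPLES are constructed; example.com is a placeholder domain.
MESSAGES = {
    "NOT_DMARC": "v=DMARC1 version tag missing",
    "BAD_P": "p tag missing or not none/quarantine/reject",
    "PCT_PRESENT": "pct in use: treat as short-term, plan for t=y / t=n",
    "BAD_T": "t tag must be y or n",
    "TEST_MODE": "t=y: record signals testing mode",
    "MONITOR_ONLY": "p=none: monitoring only, nothing is enforced",
    "NO_RUA": "no rua: aggregate reports not requested",
    "NO_RUF": "no ruf: failure reports not requested",
    "WEAK_SP": "sp is weaker than p: subdomains are less protected",
}
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict with lowercased tag names."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def audit_dmarc(txt):
    """Return the finding codes (keys of MESSAGES) for one record."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["NOT_DMARC"]
    p, sp, t = (tags.get(k, "").lower() for k in ("p", "sp", "t"))
    checks = [
        ("BAD_P", p not in STRENGTH),
        ("PCT_PRESENT", "pct" in tags),
        ("BAD_T", t not in ("", "y", "n")),
        ("TEST_MODE", t == "y"),
        ("MONITOR_ONLY", p == "none"),
        ("NO_RUA", "rua" not in tags),
        ("NO_RUF", "ruf" not in tags),
        ("WEAK_SP", sp in STRENGTH and p in STRENGTH and STRENGTH[sp] < STRENGTH[p]),
    ]
    return [code for code, hit in checks if hit]

SAMPLES = {
    "legacy": "v=DMARC1; p=none; pct=50; rua=mailto:dmarc@example.com",
    "weak-sub": "v=DMARC1; p=reject; sp=none; t=n; rua=mailto:a@example.com; ruf=mailto:f@example.com",
    "clean": "v=DMARC1; p=reject; t=n; rua=mailto:a@example.com; ruf=mailto:f@example.com",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        for code in audit_dmarc(record) or ["OK"]:
            print(f"{name}: {code} {MESSAGES.get(code, '')}")
```

A missing ruf tag is informational rather than a defect, so treat NO_RUF as a prompt for the reporting discussion in the checklist.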
How Threatcop fits
Threatcop’s TDMARC is relevant because the tool focuses on outbound email security and visibility into domain misuse. That makes it the best fit for the DMARCbis conversation, since an update to the protocol only pays off if teams can actually observe and react to the data.
Threatcop’s DMARC checker reinforces the idea that authentication is not a one-time setup. Security teams require constant monitoring of spoofing and unauthorized sending sources.
The Bottom Line
DMARCbis is the next generation of email authentication. It strengthens the value of a published policy and provides a modern means to evaluate the legitimacy of the sender.
Technical controls and user awareness go hand in hand. Employee training and monitoring can help identify what the standard can’t.
FAQs
What is the DMARCbis RFC?
DMARCbis is the updated version of DMARC. It is published as RFC 9989 to modernize how email authentication works today.
How does DMARCbis improve email security?
It enhances security by providing greater consistency in policy evaluation, stronger protection for subdomains, and reduced ambiguity in sender checks.
Do businesses need to replace their current DMARC setup?
Not necessarily right away, but they should check their existing records, subdomains, and third-party senders to ensure compliance with the new standard.
Why does DMARCbis matter for phishing?
It makes spoofing and impersonation more difficult, thereby curtailing one of the most common methods of phishing.

Purva is a Technical Content Strategist at Threatcop with an MBA in Business Analytics, specializing in SEO-driven content and technical editing across IT and digital domains, and is the author of the book From a Daughter’s Eye.
