The new DMARC is here

DMARCbis, the new DMARC, is finally here.

It’s not DMARCbis any more, it’s just DMARC.

Changes

There’ve been a lot of improvements to the spec itself, but also some changes from current DMARC usage.

The most significant change is probably how an organizational domain is identified. In current DMARC this is done using a big, manually maintained lookup table. The new approach looks for _dmarc TXT records in the DNS tree starting at the domain in the From: address - this is the “DNS Tree Walk”. This won’t affect most folk, but may allow more operational flexibility in some cases. To support this a new psd tag has been added to DMARC records, to indicate that a domain is a “Public Suffix Domain” (effectively a TLD or pseudo-TLD).

The np tag has been added. It’s been around as part of RFC 9091 for a while, and allows domain owners to publish a policy to be applied only to subdomains that don’t exist in DNS.

The pct tag is gone. It really only worked to flag special handling when pct=0, so it’s been replaced with the t tag. t=y does the same as pct=0 and t=n (the default) does the same as pct=100.
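To show how the Tree Walk, psd, np and t tags fit together, here is an added Python example (not code from this post or from the RFC). It walks a constructed in-memory zone instead of querying DNS, and its organizational-domain selection is a simplified illustration of the idea, not the full procedure in the spec; the five-label start depth and the EXISTING_NAMES set are assumptions.

```python
# Added example, not the post's or the RFC's code: a simplified DMARC Tree
# Walk over a constructed zone; the org-domain rules are simplified, not RFC.
EXISTING_NAMES = {"example.co.uk", "mail.example.co.uk", "co.uk", "uk"}
ZONE = {  # constructed _dmarc TXT records; only these names publish one
    "_dmarc.example.co.uk": "v=DMARC1; p=reject; sp=quarantine; np=reject; t=n",
    "_dmarc.co.uk": "v=DMARC1; psd=y",  # public suffix, flagged with psd=y
}

def parse_tags(record):
    """Turn 'tag=value; tag=value' into a dict (whitespace tolerant)."""
    return {k.strip(): v.strip() for k, v in
            (f.split("=", 1) for f in record.split(";") if "=" in f)}

def tree_walk(from_domain, zone=ZONE, max_labels=5):
    """_dmarc records from the From: domain up toward the root, longest
    name first. Assumption: the walk starts at most max_labels deep."""
    labels = from_domain.lower().rstrip(".").split(".")[-max_labels:]
    names = [".".join(labels[i:]) for i in range(len(labels))]
    return [(n, parse_tags(zone["_dmarc." + n])) for n in names
            if zone.get("_dmarc." + n, "").startswith("v=DMARC1")]

def organizational_domain(from_domain, zone=ZONE):
    """psd=n names itself; psd=y marks the public suffix, so the org domain
    is one label longer; otherwise it is the shortest name with a record."""
    records = tree_walk(from_domain, zone)
    labels = from_domain.lower().rstrip(".").split(".")
    for name, tags in records:
        if tags.get("psd") == "n":
            return name
    for name, tags in records:
        if tags.get("psd") == "y":
            n = name.count(".") + 2
            return ".".join(labels[-n:]) if len(labels) >= n else None
    return records[-1][0] if records else None

def effective_policy(from_domain, zone=ZONE, existing=EXISTING_NAMES):
    """Return (policy, testing): p from the domain's own record, np for a
    non-existent subdomain, else sp (falling back to p); t=y is the old pct=0."""
    records = dict(tree_walk(from_domain, zone))
    fd = from_domain.lower().rstrip(".")
    org = organizational_domain(from_domain, zone)
    if fd in records:
        tags, policy = records[fd], records[fd].get("p")
    elif org in records:
        tags = records[org]
        policy = (tags["np"] if fd not in existing and "np" in tags
                  else tags.get("sp", tags.get("p")))
    else:
        return None, False  # psd=y suffix records never supply a policy
    return policy, tags.get("t", "n") == "y"
```

Note that a psd=y record only marks the public-suffix boundary; a bare name under the suffix with no record of its own gets no policy at all.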

The rf (report format) tag is gone. You’re going to get your reports in XML, the same as you do now, but we’re not pretending there might ever be an alternative.

And finally, the ri (report interval) tag is gone.

The discussion around interoperability, and how responsible domain owners and mailbox providers should publish and interpret DMARC policy has been drastically improved. If you don’t read anything else about the new DMARC, section 7.4 of RFC 9989 is worth a quick read.

A note on “bis”

“bis” comes from Latin, meaning “twice” or “doubly”. Biscuits and biscotti are “twice-baked”.

In protocol terms “bis” is used to describe the second version of a protocol. Using it implies that the intent is not adding new features, rather it’s to improve the existing features and to add new functionality only as needed to do that.

Part of that means that the official version number of the protocol doesn’t change. DMARC is still DMARC version 1, it’s just better.

“ter” is Latin for “three times” or “thrice”.
