The Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocol is undergoing a significant evolution. The next revision, known as DMARCbis, builds upon the foundation of the original protocol to enhance clarity, security, and flexibility.

The most transformative change in DMARCbis is the replacement of the rigid Public Suffix List (PSL) with a dynamic, DNS-native discovery mechanism: the DNS Tree Walk Algorithm. This change fundamentally alters how the “Organizational Domain” is determined, which is critical for both DMARC policy discovery and identifier alignment.


What is the DNS Tree Walk Algorithm?

In the current DMARC standard (RFC 7489), identifying the Organizational Domain (the registered domain at the top of the part of the DNS tree you control, like example.com for mail.example.com) relies on the Public Suffix List (PSL), a community-maintained list of suffixes under which the public can register names (like .com, .co.uk and .org, but also private suffixes such as a hosting provider’s customer subdomains). The PSL lives outside the DNS and is updated out of band, so receivers run copies of different ages and can disagree about where a domain boundary sits. This reliance on an external, occasionally inconsistent list has been a source of complexity for some years now.

DMARCbis solves this with the new DNS Tree Walk Algorithm. This algorithm introduces a flexible, real-time method to determine the organizational boundary directly through DNS records.


How the algorithm works 

When a receiving mail server evaluates a message whose RFC5322.From domain (the Author Domain) is, say, alerts.mail.example.com, the Tree Walk performs a series of hierarchical DNS TXT lookups to find the DMARC records that apply:

  1. Initial Query: It starts by querying the exact Author Domain: _dmarc.alerts.mail.example.com
  2. Progressive Traversal: It then “walks up” the domain hierarchy, removing the leftmost label at each step and querying the parent:
    • _dmarc.mail.example.com
    • _dmarc.example.com
    • _dmarc.com (the public suffix itself is queried too, which is how a Public Suffix Operator can publish its own record)
  3. Label Limit: The walk is bounded so that a message from a very deep subdomain cannot trigger an unbounded chain of lookups. If the Author Domain has more labels than the limit, the walk queries the exact domain and then jumps to the rightmost labels before continuing upward. Current DMARCbis drafts cap the walk at five labels (earlier drafts allowed eight).
  4. Boundary Determination: The records collected on the way up decide the Organizational Domain. A record with psd=n (explained below) declares its own domain as the boundary; a record with psd=y marks a public suffix, so the boundary is one label below it; if neither appears, the shortest domain that returned a valid record is the Organizational Domain. The policy applied to the message is the record at the Author Domain if it has one, otherwise the Organizational Domain’s record, whose sp and np tags cover subdomains.

Because the boundary is read from DNS at evaluation time, every receiver that implements the walk reaches the same answer, and a domain owner can move the boundary by publishing a record instead of requesting a change to the Public Suffix List.
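
The walk and the boundary rules above, as an added example that is not code from 101domain or from the DMARCbis draft. It runs against a constructed in-memory zone so it works offline; the names (example.com, example.bank, sub.example.com), the records, and the label limit MAX_LABELS are assumptions made for illustration. A real receiver would issue TXT queries for _dmarc.<name> against live DNS, and everything else stays the same:

```python
# Added example, not code from 101domain or from the DMARCbis draft: the DNS Tree Walk
# and Organizational Domain discovery, run against a constructed in-memory zone.

# Constructed sample zone (every name and record here is made up for illustration).
ZONE = {
    "_dmarc.bank": "v=DMARC1; p=reject; psd=y",            # a hypothetical TLD operator's record
    "_dmarc.example.bank": "v=DMARC1; p=quarantine; sp=reject",
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; np=reject",
    "_dmarc.sub.example.com": "v=DMARC1; p=none; psd=n",   # a subsidiary that is its own org
    "_dmarc.old.example.com": "v=spf1 -all",               # wrong record type: must be ignored
}

# Assumption: the label limit used by current DMARCbis drafts (earlier drafts allowed 8).
MAX_LABELS = 5


def parse_tags(txt):
    """Parse 'tag=value; tag=value' DMARC syntax into a dict keyed by lower-cased tag."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def lookup_dmarc(name, zone):
    """Return the parsed record at _dmarc.<name>, or None if absent or not a v=DMARC1 record."""
    txt = zone.get("_dmarc." + name)
    if txt is None:
        return None
    tags = parse_tags(txt)
    return tags if tags.get("v") == "DMARC1" else None


def tree_walk(domain, zone, max_labels=MAX_LABELS):
    """Run the walk. Returns (names_queried, records), where records is the ordered
    list of (name, tags) found, from the Author Domain upward toward the TLD."""
    labels = domain.lower().rstrip(".").split(".")
    names = [".".join(labels)]                  # 1. the exact Author Domain
    if len(labels) > max_labels:
        labels = labels[-max_labels:]           # 2. too deep: jump to the rightmost labels
        names.append(".".join(labels))
    for i in range(1, len(labels)):             # 3. walk up one label at a time, TLD included
        names.append(".".join(labels[i:]))
    records = []
    for name in names:
        tags = lookup_dmarc(name, zone)
        if tags is not None:
            records.append((name, tags))
    return names, records


def organizational_domain(domain, zone):
    """Derive the Organizational Domain from the records the walk collected."""
    _, records = tree_walk(domain, zone)
    if not records:
        return None                             # no DMARC policy anywhere on the path
    for name, tags in records:                  # psd=n is an explicit boundary; nearest wins
        if tags.get("psd") == "n":
            return name
    top_name, top_tags = records[-1]            # otherwise: shortest domain with a record
    if top_tags.get("psd") != "y":
        return top_name
    # psd=y marks a public suffix: the boundary is one label below it on the walk path.
    full = domain.lower().rstrip(".").split(".")
    suffix_len = top_name.count(".") + 1
    return ".".join(full[-(suffix_len + 1):]) if len(full) > suffix_len else top_name


if __name__ == "__main__":
    for d in ("alerts.mail.example.com", "news.sub.example.com", "alerts.mail.example.bank"):
        names, _ = tree_walk(d, ZONE)
        print(d, "->", organizational_domain(d, ZONE), "| queried:", names)
```

Note what the sample zone exercises: the subsidiary at sub.example.com takes precedence over example.com because of psd=n, the TLD record with psd=y pushes the boundary down to example.bank, and the mistyped record at old.example.com is skipped because it does not start with v=DMARC1.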


Impact on your DMARC record

While DMARCbis is backward-compatible, meaning your existing v=DMARC1 record will still work, the new specification introduces a few key tags that directly interact with the DNS Tree Walk algorithm.

Note: not all tags are relevant to all domain owners. In most cases, transitioning to DMARCbis is seamless and requires few, if any, new tags.

1. The organizational boundary tag: psd

The psd (Public Suffix Domain) tag is the crucial mechanism that replaces the PSL and explicitly defines organizational boundaries within your DMARC record. This tag helps the Tree Walk algorithm know where to stop.

Tag value | Meaning | Implication for the Tree Walk
psd=y | Public Suffix Domain. The record is on a public suffix (a country code or generic TLD, or a shared service suffix). Only Public Suffix Operators publish this value. | The Organizational Domain is one label below the domain where this record is found.
psd=n | Organizational Domain. The record is on the Organizational Domain itself (the one you own). | This domain is the organizational boundary for itself and its subdomains, regardless of what records exist above it.
psd=u | Unspecified. This is the default when the tag is absent; the record makes no claim about its position in the hierarchy. | The Tree Walk decides the boundary from the other records it collected: the shortest domain that returned a valid record.

What this means for most domain owners: If you are not a Public Suffix Operator (i.e., you don’t run a TLD like .com or a shared suffix under which other parties register names), you should focus on publishing a valid DMARC record at your registered domain (e.g., example.com). Add psd=n only when you need to declare a boundary the default logic would not find, for example a subsidiary at brand.example.com that must be its own Organizational Domain even though example.com also publishes a record. For most simple setups, omitting psd entirely works, because your registered domain is then the shortest domain in the walk that returns a valid record, and the walk treats it as the boundary.

2. Policy for non-existent subdomains: np

A key security improvement is the np (non-existent subdomain policy) tag, first defined for public suffix domains in RFC 9091 and adopted for every domain in DMARCbis. It allows a domain owner to specify a DMARC policy for messages purporting to be from a subdomain that does not exist (e.g., a spammer spoofing nonexistent.example.com). For this purpose “does not exist” means the name has no A, AAAA or MX records, so a name that returns NXDOMAIN and a name that exists only with, say, a TXT record are both treated as non-existent.

Tag example | Description
np=reject | Apply a reject policy to messages from subdomains that do not exist in DNS.
np=quarantine | Apply a quarantine policy to messages from non-existent subdomains.

If np is omitted, the policy for non-existent subdomains falls back to the subdomain policy (sp), or to the organizational domain policy (p) if sp is absent. That fallback is why np matters: a domain that runs p=none or sp=none while it is still onboarding legitimate senders leaves every unused subdomain spoofable, whereas np=reject closes that gap without touching the subdomains that really do send mail.

3. Simplified testing: t (replacing pct)

The original pct (percentage) tag, which allowed partial enforcement of a policy, has been removed because it was hard to reason about and inconsistently implemented. DMARCbis replaces it with a simple binary t (testing mode) tag:

  • t=y: The domain owner is in testing mode. The receiver treats a failing message as if the policy were p=none while still generating reports. This is equivalent to the old pct=0.
  • t=n: Full enforcement is desired. This is the default, equivalent to the old pct=100 or omitting the tag.

There is no equivalent for intermediate values such as pct=25: under DMARCbis a policy is either applied or it is not, so a record that relied on gradual rollout has to choose between t=y and full enforcement.
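
How a receiver turns these tags into the policy it applies, as an added example that is not code from 101domain or from the DMARCbis draft. It takes the record found at the exact Author Domain (if any) and the Organizational Domain’s record, checks whether the subdomain exists, and honours np, sp, p and t in that order. The zone view RRSETS and the names under example.com are constructed assumptions; a real receiver would query A, AAAA and MX records in live DNS:

```python
# Added example, not code from 101domain or from the DMARCbis draft: choosing the
# effective policy for a message from the np, sp, p and t tags described above.

# Constructed zone view: which record types exist at each name. Names absent from the
# dict are NXDOMAIN. "Non-existent" for DMARC purposes (a definition DMARCbis inherits
# from RFC 9091) means no A, AAAA or MX record, so a NODATA answer counts too.
RRSETS = {
    "example.com": {"A", "MX", "TXT"},
    "mail.example.com": {"A", "MX"},
    "legacy.example.com": {"TXT"},   # exists in DNS, but cannot send or receive mail
}


def parse_tags(txt):
    """Parse 'tag=value; tag=value' DMARC syntax into a dict keyed by lower-cased tag."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def domain_exists(name, rrsets):
    """DMARC existence test: at least one A, AAAA or MX record at the name."""
    return bool(rrsets.get(name.lower(), set()) & {"A", "AAAA", "MX"})


def effective_policy(author_domain, author_tags, org_tags, rrsets):
    """Return (policy, source). author_tags is the record found at the exact Author
    Domain, or None when only the Organizational Domain (org_tags) publishes one."""
    if author_tags is not None:                     # the Author Domain's own p applies
        tags, policy, source = author_tags, author_tags.get("p", "none"), "p"
    elif not domain_exists(author_domain, rrsets) and "np" in org_tags:
        tags, policy, source = org_tags, org_tags["np"], "np"   # non-existent subdomain
    elif "sp" in org_tags:
        tags, policy, source = org_tags, org_tags["sp"], "sp"   # existing subdomain
    else:
        tags, policy, source = org_tags, org_tags.get("p", "none"), "p"  # inherited
    if tags.get("t", "n") == "y" and policy != "none":
        return "none", source + "+t=y"              # testing mode: report, do not enforce
    return policy, source


if __name__ == "__main__":
    org = parse_tags("v=DMARC1; p=reject; sp=quarantine; np=reject")
    for d, own in (("example.com", org), ("mail.example.com", None),
                   ("ghost.example.com", None), ("legacy.example.com", None)):
        print(d, "->", effective_policy(d, own, org, RRSETS))
```

The legacy.example.com case is the one to notice: the name exists, but because it has no A, AAAA or MX record it is non-existent for DMARC and np applies, not sp.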

Key action items for domain owners

The transition to DMARCbis is designed to be seamless for most organizations, especially those with an existing, simple DMARC record at their base domain. However, we advise conducting a proactive review to maximize the new security and flexibility features:

  1. Audit Your Current Record: Review your existing DMARC record and remove the tags DMARCbis drops (pct, rf for report format, and ri for report interval); DMARCbis-compliant receivers ignore them. Be deliberate about pct, though: receivers that still implement RFC 7489 keep honouring it, so deleting pct=0 or a low pct from a p=reject record turns on full enforcement at those receivers immediately.
  2. Understand Subdomain Inheritance: If you have complex subdomain structures, familiarize yourself with the DNS Tree Walk logic to ensure policy inheritance works as intended.
  3. Consider New Security Tags: Implement the np tag with an enforcement policy (reject or quarantine) to protect against spoofing on non-existent subdomains.
  4. Define Boundaries (If Complex): If your domain structure is complex (a public suffix operator, or a large organization where a subdomain such as a subsidiary must be its own Organizational Domain), use psd=y on the public suffix or psd=n on the subsidiary to declare the boundary explicitly.
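
A small audit of an existing record against these action items, as an added example that is not code from 101domain or from the DMARCbis draft. It flags the tags DMARCbis drops, translates pct=0 into t=y, warns when a lower pct has no equivalent, reminds you when np is missing, and emits a cleaned-up record. The record strings it processes are constructed for illustration, and the preferred tag order in ORDER is a stylistic assumption:

```python
# Added example, not code from 101domain or from the DMARCbis draft: auditing a DMARC
# record for the DMARCbis transition described in the action items above.

DROPPED = {
    "pct": "removed in DMARCbis (partial enforcement is replaced by t=y/n)",
    "rf": "report format tag removed in DMARCbis",
    "ri": "report interval tag removed in DMARCbis",
}
# Preferred tag order for the rewritten record; anything else keeps its original order.
ORDER = ["v", "p", "sp", "np", "t", "psd", "adkim", "aspf", "rua", "ruf", "fo"]


def parse_tags(txt):
    """Parse 'tag=value; tag=value' DMARC syntax into a dict keyed by lower-cased tag."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def audit_record(txt):
    """Return (findings, suggested_record) for one DMARC TXT string."""
    tags = parse_tags(txt)
    findings, kept = [], {}
    if tags.get("v") != "DMARC1":
        findings.append("v must be DMARC1 (DMARCbis keeps the version string)")
    for tag, value in tags.items():
        if tag in DROPPED:
            findings.append(f"{tag}={value}: {DROPPED[tag]}")
        else:
            kept[tag] = value
    pct = tags.get("pct")
    if pct is not None:
        share = int(pct) if pct.isdigit() else 100
        if share == 0:
            kept["t"] = "y"                      # the one pct value with a direct equivalent
            findings.append("pct=0 maps to t=y: policy not applied, reports still sent")
        elif share < 100:
            findings.append(f"pct={share}: partial enforcement has no DMARCbis equivalent; "
                            "legacy receivers enforce fully once pct is gone, so choose "
                            "t=y or full enforcement deliberately")
    if "np" not in kept:
        findings.append("np absent: non-existent subdomains fall back to sp, then p; "
                        "consider np=reject")
    if kept.get("psd") == "y":
        findings.append("psd=y is only valid for Public Suffix Operators; use psd=n or omit it")
    ordered = [t for t in ORDER if t in kept] + [t for t in kept if t not in ORDER]
    suggested = "; ".join(f"{t}={kept[t]}" for t in ordered)
    return findings, suggested


if __name__ == "__main__":
    legacy = "v=DMARC1; p=reject; pct=0; rf=afrf; ri=86400; rua=mailto:dmarc@example.com"
    findings, suggested = audit_record(legacy)
    print("\n".join(findings))
    print("suggested:", suggested)
```

The audit only suggests np; it does not add it, because choosing reject or quarantine for non-existent subdomains is a decision the domain owner should make after checking reports, not something a script should decide.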

DMARCbis represents a refined, more robust future for email authentication. By understanding the DNS Tree Walk algorithm and updating your DMARC records to incorporate the new tags, you can ensure your domain is optimally protected against phishing and spoofing threats in the years to come.

Need help with your DMARC setup?

Learn more about 101domain’s Managed DMARC Services and let us do the heavy lifting for you. We handle policy setup, monitoring, and reporting so you can rest easy knowing your emails are secure.