DMARC Is Changing. What Does It Mean for You?

You may have seen it mentioned somewhere - a term like "DMARCbis" with a note that something is changing. Maybe your IT person mentioned it, maybe you spotted it in an email-related newsletter. Either way, your reaction was probably: "What on earth is this, and do I need to do anything?"

The answer to the second question is: not yet - the new standard doesn't have a confirmed release date. But it's worth understanding what's actually changing, and what it will mean for you when it does arrive.

A Quick Refresher: What Does DMARC Actually Do?

Cast your mind back to when you were setting up your domain and someone told you to add some DNS records - SPF, DKIM, DMARC. Maybe you did it yourself, maybe someone did it for you, and you haven't thought about it since.

DMARC is essentially protection against impersonation. Without it, anyone can send an email that looks like it came from your domain - say, info@yourcompany.com. With DMARC in place, you tell the world: "Emails from my domain have to meet certain rules. If they don't, treat them as suspicious - or block them outright."

Email servers like Gmail, Outlook, and others read this record and use it to decide what to do with messages that claim to be from you.

So What Is DMARCbis?

DMARCbis is an updated version of the rules that define how DMARC works. The "bis" comes from Latin, meaning "second" or "revised" - like a second edition of a book.

The new standard is expected sometime in 2026, but no exact date has been confirmed yet. When it arrives, it will replace the original spec from 2015.

What Exactly Is Changing?

1. Your existing DMARC record keeps working

The most important thing first: you don't need to change anything. The record you have in DNS today will remain valid after the new standard is published.

2. A feature that didn't work is being removed

This is the main change - and to explain it, a small analogy helps.

Think of DMARC as a light switch with a dimmer. It has three positions:

• 🔘 Off - suspicious emails pass through normally, you just receive reports. Technically: p=none
• 🟡 Caution - suspicious emails go to spam. Technically: p=quarantine
• 🔴 Full protection - suspicious emails are blocked entirely. Technically: p=reject

Going straight from "off" to "full protection" is risky. You might be sending emails through tools you've forgotten about - an old invoicing system, a plugin, a marketing tool you used briefly. If those aren't properly configured, your customers will stop receiving their emails without any warning.

The original DMARC spec had a solution for this: gradual rollout. You could say: "Apply the rules to only 10% of emails for now, then 50%, then 100%." In theory, you'd discover forgotten senders along the way. In practice, it didn't work. Different email servers interpreted the setting differently, and many ignored it entirely.

DMARCbis removes this feature. Instead of a dimmer, you get a simple switch: either testing mode or full enforcement. No percentages.

3. How email servers understand your domain structure is changing

This is a more technical change, but it's worth understanding - especially if you have a more complex domain setup.

Every domain has a "tree". For example, newsletter.yourcompany.com is a branch of yourcompany.com. A DMARC record on the main domain automatically covers subdomains - unless they have their own record.

Previously, email servers used an external list to understand where a domain "begins" - a publicly maintained document called the Public Suffix List. The problem was that this list isn't always up to date. DMARCbis fixes this more elegantly: servers will ask DNS directly. The result is more reliable and predictable.

What does this mean for you? If you have one domain and nothing complicated, probably nothing at all. But if you run multiple subdomains (for example shop.yourcompany.com, support.yourcompany.com), it's worth checking that your DMARC records cover what you expect them to cover.

How Do You Find Out What You Currently Have Set Up?

Before deciding what to do next, it's worth knowing where you stand. The easiest way is to use the free DNS checker from DMARCeye - enter your domain and instantly see what DMARC record you have, what it means, and whether it's set up correctly. Free, no registration required, results in seconds.

Why Is Everyone Saying Something Is Changing?

Because it genuinely is an interesting moment in the history of email security - but it's being reported as more dramatic than it actually is for most domain owners.

The more important story isn't "the standard is changing" - it's this: a large proportion of domains have DMARC set up but provide no real protection. They've been stuck in "monitoring only" mode for years. If you want real protection, having DMARC set up isn't enough. You need to know what your reports are telling you, and gradually - safely - move to stricter settings.

DMARC reports are technical, they arrive as XML files, and without a tool they're practically unreadable. DMARCeye reads those reports for you and tells you in plain language: who is sending emails from your domain, whether all your sending tools are properly configured, and what would happen if you tightened your policy today. You can start for free.

What Should You Do Right Now?

Nothing urgent - the new standard has no confirmed release date, so there's no deadline.

1. Find out what you have set up. Use the DNS checker, it takes a minute.
2. If you have subdomains, check that they're covered by the right records. DMARCbis changes how servers read the domain tree.
3. If you've been on p=none for years, it's time to consider moving forward. Carefully and with visibility. A tool like DMARCeye will show you the path without unnecessary risk.

If you want the spec-level detail on everything that's changing in DMARCbis, see our companion piece: What DMARCbis Changes, and What It Leaves Unsolved.

Try DMARCeye free today and see what your domain's email reports actually say.