Sendmarc Releases DMARCbis Fireside Chat Featuring Co-Editor Todd Herr: Expert Insights on Email Authentication and Security
Domain-based Message Authentication, Reporting, and Conformance (DMARC) Updates
DMARC is undergoing significant updates, and security teams need to be prepared. A recent fireside chat, featuring Todd Herr, co-editor of DMARCbis, shed light on the upcoming changes and how organizations can plan for 2026.
Background on DMARC
DMARC, first published in 2015, has become a widely adopted control for reducing direct-domain spoofing and improving visibility into legitimate and illegitimate use of a domain. However, as the protocol continues to evolve, it’s essential to address the lessons learned from real-world deployment.
DMARCbis Updates
DMARCbis, currently in the Internet Engineering Task Force (IETF) standards process, aims to clarify and improve the protocol for long-term maintainability. Herr emphasized that DMARCbis is not a revolutionary change but rather an evolution of the existing protocol.
One of the key updates is the introduction of a standardized DNS tree walk approach for receiver-side policy discovery, which improves how receivers discover the organizational domain.
Importance of Clear Expectations
The discussion also highlighted the importance of clear expectations for reporting and participation. Herr explained that “full participation” requires operational work to maintain aligned authentication and useful reporting.
This includes record tag updates and deprecations, which aim to reduce ambiguity and inconsistent implementation.
Authentication and Sender Requirements
Levinson noted that major mailbox providers, such as Microsoft, Google, and Yahoo, have implemented strict sender requirements that rely heavily on DMARC, SPF, and DKIM. This emphasizes the need for authentication to safeguard the most vital communication channel.
Common Misconceptions
Herr also addressed common misconceptions, including the idea that publishing DMARC alone guarantees inbox placement. He reinforced that authentication helps mailbox providers evaluate identity and apply reputation, but it doesn’t replace strong sending practices.
Preparing for the Future of DMARC
The upcoming DMARC changes are expected to have a significant impact on security teams. As the protocol continues to evolve, it’s essential for organizations to stay informed and adapt to the changes.
The DMARCbis draft, currently at version 41, is intended for Proposed Standard status and, if approved, would obsolete RFC 7489. As the IETF standards process progresses, security teams should stay vigilant and prepared for the changes ahead.
