Source URL: https://dmarcwise.io/blog/upcoming-dmarc-bis
Source: Hacker News
Title: DMARCbis is around the corner: what’s changing
Feedly Summary: Comments
AI Summary and Description: Yes
Summary: The text discusses the upcoming changes to the DMARC protocol, detailing the new specification referred to as DMARCbis, which aims to address the limitations of the original RFC 7489. With significant updates in structure, terminology, and operational mechanics, this evolution illustrates the ongoing effort to enhance email authentication and security in response to real-world challenges such as email spoofing and forwarding issues.
Detailed Description:
The article provides an in-depth look at DMARC’s forthcoming updates through DMARCbis, which reflect the collective experiences and observations from a decade of its use. Key changes are being introduced to improve clarity, operational efficacy, and adapt to evolving email security requirements. Below are the highlights of the changes and implications:
– **Provisional Status and Background**:
– DMARCbis, set to be published in 2025, is positioned as an updated standard developed by the IETF following observed limitations in the original DMARC protocol.
– The restructured specification aims for improved readability and applicability, based on practical experiences over the past ten years.
– **Structural Changes**:
– The DMARC specification is being divided into three documents: the main specification, aggregate reporting, and failure reporting, which are projected to enhance usability and understanding.
– **New and Removed Tags**:
– Introduction of new tags such as `np` (policy for non-existent subdomains) and `psd` (Public Suffix Domain) aims to give domain owners clearer controls over their DMARC policies.
– The `pct`, `rf`, and `ri` tags are removed to streamline operations based on the recognition that they create confusion and misapplication.
– **Mechanism Updates**:
– The algorithm used to determine the Organizational Domain has shifted from the Public Suffix List to the more complex DNS Tree Walk, allowing for greater flexibility in handling domains under complex configurations.
– **Handling Forwarding and Indirect Email Flows**:
– DMARCbis emphasizes the challenges presented by email forwarding that complicate DMARC alignment. The protocol now discourages the strict “p=reject” policy for domains that engage in or support mailing lists to avoid unintentional disruption.
– **Aggregate Reporting Enhancements**:
– Changes to the aggregate reporting mechanism introduce improved consistency in reporting formats and privacy measures, emphasizing machine-readability due to the complexity of human interpretation of aggregate reports.
– **Recommendations and Best Practices**:
– Domain owners are encouraged to adopt a staged approach in implementing DMARC policies to gauge the impact on users, particularly in scenarios involving mailing lists. Recommended practices include transitioning from ‘p=none’ to ‘p=quarantine’ before committing to ‘p=reject.’
– **Third-Party Reporting Services**:
– The recognition of third-party DMARC monitoring services highlights the growing reliance on automated tools to analyze and interpret DMARC reports, underscoring the importance of support in managing email security effectively.
In summary, the proposed updates to DMARC signal a progressive step towards refining email authentication measures and adapting to emerging challenges in email security. For security and compliance professionals, understanding these changes will be crucial in planning for the deployment and management of DMARC policies that align with organizational email practices and security requirements.