<edit>
You can still use this method to upgrade packages from stretch, however I found that dnsmasq version 2.76-5 also has a DNSSEC problem. There is a solution for this, you can read it here. </edit>
I found a way to upgrade dnsmasq on raspbian jessie lite, already running pi-hole and dnscrypt-proxy.
WARNING: Don't do this if you're not willing to run anything else but the stable build!!!
before you start the upgrade, run sudo apt-get update && sudo apt-get -y upgrade
step 1: follow the instructions in this document, replace the apt-get instruction with the following:
sudo apt-get install --only-upgrade dnsmasq -t stretch
select N to keep the original configuration file when asked!
step 2: as soon as the upgrade is completed, remove the 4 files you created and run sudo apt-get update again.
step 3: reboot your pi
You can verify dnsmasq has been upgraded by searching the pihole log ("started, version 2.") The latest entry (today) reads dnsmasq[2149]: started, version 2.76 cachesize 10000
while the original entries are dnsmasq[462]: started, version 2.72 cachesize 10000
If you are installing fresh (new jessie image, pihole not yet installed), you're better of installing the upgraded dnsmasq before you install pihole. The apt-get instruction to use in this case:
sudo apt-get install dnsmasq -t stretch
remember to remove the 4 files and sudo apt-get update again!
You need to enable DNSSEC by editing /etc/dnsmasq.d/01-pihole.conf, the required entries can be found here (file advanced/Scripts/webpage.sh)
I'm still not convinced this is worth the effort, as hardly any domains seems to be DNSSEC enabled (check the pihole log)