The new 'np' tag introduced in DMARC's RFC 9989 conflicts with DNSSEC standards, leading to potential policy failure. This incompatibility affects domains utilizing DNSSEC from major providers like Cloudflare and AWS, which could undermine email security efforts.
RFC 9989, published by the IETF in May 2026, adds the np tag to DMARC records. This tag lets administrators define a policy for non-existent subdomains, giving them tighter control over malicious mail sent from such names while keeping separate policies for the organizational domain and for existing subdomains.
According to RFC 9989, a non-existent domain is identified by an NXDOMAIN response from DNS queries. This helps determine which subdomains are applicable under the policy defined by the np tag.
The np tag's functionality is compromised because its definition conflicts with RFC 9824, which specifies Compact Denial of Existence in DNSSEC. The result is that the np tag does not behave as intended for zones where Compact Denial of Existence is in use.
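The following is an added example, not code from the article or from any of the outlets it summarizes. It models, in simplified form, how a DMARC verifier chooses between the p, sp and np policies for a sender domain, and why an NXDOMAIN-only test for non-existence misses the np policy when the zone answers with Compact Denial of Existence. The DNS responses are constructed in the script rather than looked up; the `DnsResponse` class, the `NXNAME` marker in the NSEC type bitmap (the RFC 9824 signal for a non-existent name, modelled here as a plain string) and the `nonexistent_check` hooks are assumptions made for the illustration, not an API of any DMARC library or a fix endorsed by the working group.

```python
"""Added example: policy selection for DMARC's np tag versus Compact DoE.

All DNS responses below are constructed test fixtures, not real lookups.
"""
from dataclasses import dataclass, field


@dataclass
class DnsResponse:
    """Minimal model of a DNS answer for the sender's domain name (assumption)."""
    rcode: str                      # "NOERROR" or "NXDOMAIN"
    answers: list = field(default_factory=list)
    nsec_types: frozenset = frozenset()   # type bitmap of an NSEC in the authority section


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def is_nonexistent_nxdomain_only(resp):
    """Non-existence as the summary describes RFC 9989: an NXDOMAIN response."""
    return resp.rcode == "NXDOMAIN"


def is_nonexistent_compact_aware(resp):
    """Also recognise Compact Denial of Existence (RFC 9824) responses.

    A Compact DoE signer answers a non-existent name with NOERROR and an
    empty answer section (NODATA) plus an NSEC whose type bitmap carries the
    NXNAME pseudo-type. Treating that shape as non-existence is the
    illustrative adjustment here; it is not a standardised DMARC rule.
    """
    if resp.rcode == "NXDOMAIN":
        return True
    return (resp.rcode == "NOERROR" and not resp.answers
            and "NXNAME" in resp.nsec_types)


def select_policy(record, sender_is_org_domain, resp, nonexistent_check):
    """Pick the applicable policy: p for the org domain, np for non-existent
    subdomains (falling back to sp, then p), sp/p for existing subdomains."""
    if sender_is_org_domain:
        return record["p"]
    if "np" in record and nonexistent_check(resp):
        return record["np"]
    return record.get("sp", record["p"])


# Constructed fixtures for a subdomain that does not exist in the zone.
CLASSIC_NXDOMAIN = DnsResponse("NXDOMAIN")
COMPACT_DOE = DnsResponse("NOERROR", [], frozenset({"RRSIG", "NSEC", "NXNAME"}))
# Constructed fixture for a subdomain that does exist.
EXISTING_SUBDOMAIN = DnsResponse("NOERROR", [("A", "192.0.2.10")])


def demo():
    """Return the policy chosen in each scenario for one DMARC record."""
    rec = parse_dmarc("v=DMARC1; p=none; sp=quarantine; np=reject")
    return {
        "classic_nxdomain": select_policy(rec, False, CLASSIC_NXDOMAIN,
                                          is_nonexistent_nxdomain_only),
        # The failure mode from the article: np is silently skipped.
        "compact_doe_nxdomain_only": select_policy(rec, False, COMPACT_DOE,
                                                   is_nonexistent_nxdomain_only),
        "compact_doe_aware": select_policy(rec, False, COMPACT_DOE,
                                           is_nonexistent_compact_aware),
        "existing_subdomain": select_policy(rec, False, EXISTING_SUBDOMAIN,
                                            is_nonexistent_compact_aware),
    }


if __name__ == "__main__":
    for scenario, policy in demo().items():
        print(f"{scenario:28s} -> {policy}")
```

The interesting row is `compact_doe_nxdomain_only`: the sender name does not exist, the operator configured `np=reject`, yet the verifier falls back to `sp=quarantine` because it never saw NXDOMAIN. The `compact_aware` variant shows where the mismatch sits, but note that a verifier behind a non-validating stub resolver may receive only the NOERROR/NODATA shape without the NSEC record, so the signal is not always available to it.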
While DNSSEC adoption is currently limited, the issue directly affects all domains using this technology with major DNS providers such as Cloudflare, NS1, AWS Route 53, and Azure. The lack of a resolution by the IETF working group on this issue raises concerns about the efficacy of DMARC protections in these cases.
The introduction of the np tag aims to enhance DMARC's capabilities, but its current incompatibility with DNSSEC undercuts its effectiveness. Stakeholders using DMARC will need to be aware of these challenges as they impact email security strategies.
This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors; check the original sources.