
DMARC's new 'np' tag faces compatibility issues with DNSSEC

Aggregated by BrevFeed general · updated 1h ago

The new 'np' tag introduced in DMARC's RFC 9989 conflicts with DNSSEC standards, leading to potential policy failure. This incompatibility affects domains utilizing DNSSEC from major providers like Cloudflare and AWS, which could undermine email security efforts.

Key points

Introduction of the np tag in DMARC

RFC 9989, published by the IETF in May 2026, adds the np tag to DMARC records. This tag allows administrators to define policies for non-existent subdomains, enabling better control against malicious emails while maintaining different policies for existing domains and subdomains.

Definition of non-existent domains

According to RFC 9989, a non-existent domain is identified by an NXDOMAIN response from DNS queries. This helps determine which subdomains are applicable under the policy defined by the np tag.

Conflict with DNSSEC specification

The np tag's functionality is compromised due to its definition conflicting with RFC 9824, which deals with Compact Denial of Existence in DNSSEC. This creates scenarios where the np tag does not work as anticipated when DNSSEC is in use.
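The mismatch described above, as an added Python example that is not taken from RFC 9989 or from any of the listed projects. It assumes, per this summary, that np applies only on an NXDOMAIN response; it further assumes that a compact denial answer arrives as NOERROR with an NSEC record listing the NXNAME type (RFC 9824) and that an absent np falls back to sp, then p. All names and sample inputs are constructed.

```python
# Added illustration; inputs are constructed, not captured DNS traffic.
from dataclasses import dataclass, field

NXDOMAIN, NOERROR = "NXDOMAIN", "NOERROR"


@dataclass
class DnsResult:
    """Simplified view of a DNS response for the subdomain being evaluated."""
    rcode: str
    answers: list = field(default_factory=list)
    nsec_types: set = field(default_factory=set)  # NSEC type bitmap, authority section


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into a lowercase tag -> value map."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def is_nonexistent(res: DnsResult, compact_aware: bool) -> bool:
    """Decide whether the queried name counts as non-existent."""
    if res.rcode == NXDOMAIN:
        return True
    # Assumption (RFC 9824): compact denial signals non-existence as
    # NOERROR with no answers plus an NSEC listing the NXNAME type.
    return (compact_aware and res.rcode == NOERROR
            and not res.answers and "NXNAME" in res.nsec_types)


def subdomain_policy(record: str, res: DnsResult, compact_aware: bool = False) -> str:
    """Policy for a subdomain; assumed fallback order np -> sp -> p."""
    tags = parse_dmarc(record)
    base = tags.get("sp", tags.get("p", "none"))
    if is_nonexistent(res, compact_aware):
        return tags.get("np", base)
    return base


RECORD = "v=DMARC1; p=quarantine; sp=none; np=reject"  # constructed
CLASSIC = DnsResult(NXDOMAIN)
COMPACT = DnsResult(NOERROR, nsec_types={"RRSIG", "NSEC", "NXNAME"})
EXISTING = DnsResult(NOERROR, answers=["192.0.2.10"])
```

With the constructed record, an NXDOMAIN-only check applies np=reject to CLASSIC but falls back to sp=none for COMPACT, while the compact-aware check applies reject to both.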

Impact on DNSSEC-enabled domains

While DNSSEC adoption is currently limited, the issue directly affects all domains using this technology with major DNS providers such as Cloudflare, NS1, AWS Route 53, and Azure. The lack of a resolution by the IETF working group on this issue raises concerns about the efficacy of DMARC protections in these cases.

Conclusion

The introduction of the np tag aims to enhance DMARC's capabilities, but its current incompatibility with DNSSEC undercuts its effectiveness. Stakeholders using DMARC will need to be aware of these challenges as they impact email security strategies.

This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors; check the original sources.

Primary sources

GitHub matteocontrini/944dfb66f24df4cbe157ab3673684520
GitHub trusteddomainproject/OpenDMARC
GitHub stalwartlabs/mail-auth
GitHub msimerson/mail-dmarc
GitHub rspamd/rspamd
GitHub postalsys/mailauth
