DMARCbis is now DMARC: A Definitive Update to Email Authentication Standards

The landscape of email authentication has reached a new epoch with the formalization of DMARC through a series of updated Request for Comments (RFCs) by the Internet Engineering Task Force (IETF) in May 2026. This pivotal development, signaling the transition from what was informally known as "DMARCbis" back to simply "DMARC," reinforces the protocol’s critical role in securing email communications globally. Far from a radical overhaul, these new specifications primarily serve to refactor, clarify, and modernize the existing DMARC documentation, solidifying its foundational principles without fundamentally altering its core "aligned SPF or aligned DKIM" evaluation model. For email service providers (ESPs) like Mailjet and their extensive customer base, the practical takeaway is one of enhanced clarity and strengthened best practices, rather than a disruptive operational shift.

Understanding DMARC: A Foundation for Trust in Email Communication

At its core, DMARC, an acronym for Domain-based Message Authentication, Reporting, and Conformance, is an email authentication protocol designed to protect organizations from email spoofing, phishing, and other forms of cyber fraud. It builds upon two earlier and widely adopted email authentication standards: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). While SPF allows a domain owner to specify which mail servers are authorized to send email on their behalf, and DKIM provides a cryptographic signature to verify the sender and ensure message integrity, neither protocol alone offered a complete solution to the problem of email abuse.

The critical gap that DMARC filled upon its initial publication as RFC 7489 in 2012 was providing a mechanism for domain owners to instruct recipient mail servers on how to handle emails that fail SPF or DKIM checks, particularly when the visible "From" address (the one users see) does not align with the authenticated domain. Furthermore, DMARC introduced a reporting mechanism, allowing domain owners to receive valuable feedback from recipient servers about their email streams. This feedback, delivered in aggregate or forensic reports, helps identify legitimate authentication failures and detect malicious activity, enabling senders to refine their DMARC policies and enhance their email security posture.

The "alignment" principle is central to DMARC’s effectiveness. For an email to pass DMARC, the domain in the visible "From" header must align with either the domain used for SPF authentication (the Return-Path or Mail From domain) or the domain signed by DKIM. This alignment can be "relaxed" (subdomains are allowed) or "strict" (exact domain match required). By establishing this crucial link between the visible sender and the authenticated infrastructure, DMARC empowers mailbox providers to make informed decisions about incoming mail, significantly reducing the success rate of phishing and spoofing attempts.

A Brief History of Email Authentication and DMARC’s Evolution

The journey towards robust email authentication began out of necessity. The original Simple Mail Transfer Protocol (SMTP), developed in the early 1980s, lacked inherent security features, making it notoriously easy for malicious actors to spoof sender addresses. This vulnerability became a growing concern with the rise of spam and sophisticated phishing attacks in the late 20th and early 21st centuries.

SPF emerged around 2003 as an early attempt to address sender forgery. It involves publishing a DNS TXT record that lists authorized sending IP addresses for a domain. However, SPF’s reliance on the "envelope sender" (Mail From) rather than the visible "From" address meant that a legitimate SPF pass could still occur even if the visible "From" address was spoofed, particularly in common forwarding scenarios.

DKIM followed in 2007 (RFC 4871, later updated to RFC 6376), offering a cryptographic solution. Senders attach a digital signature to their emails, verifiable by recipient servers using a public key published in the sender’s DNS. DKIM verifies both the sender’s identity and that the message content hasn’t been tampered with in transit. While more robust than SPF, DKIM alone didn’t dictate what a recipient should do if a signature was missing or invalid.

The need for a unified policy framework became clear. DMARC was born from a collaborative effort initiated by major email players including PayPal, Google, Microsoft, Yahoo, and others, who sought to standardize how senders could inform receivers about their email authentication practices and how to handle non-compliant messages. Its introduction in 2012 marked a significant turning point, providing the missing link that enabled domain owners to gain visibility into their email streams and exert control over unauthenticated messages.

Over the past decade, DMARC adoption has steadily grown, driven by increasing awareness of cyber threats and the proactive stance of major mailbox providers. Data from organizations like the Global Cyber Alliance and Agari consistently show that DMARC-protected domains experience significantly lower rates of successful phishing attacks. For instance, reports indicate that DMARC adoption by Fortune 500 companies has soared, demonstrating a clear industry consensus on its importance. By 2023, estimates suggested that millions of domains worldwide had implemented DMARC, representing a substantial portion of global email traffic. This widespread adoption underscored the need for the IETF to review and refine the original specification, leading to the "DMARCbis" effort and its culmination in the May 2026 RFCs.

The "DMARCbis" to DMARC Transition: A Modernization Imperative

The term "bis," often appended to RFC numbers, is a Latin word meaning "twice" or "second time," and in the context of the IETF, it typically denotes a revised or updated version of an existing standard. The DMARCbis initiative was precisely that: a comprehensive review and refinement of RFC 7489, aimed at addressing ambiguities, incorporating lessons learned from a decade of real-world implementation, and ensuring the protocol remains robust against evolving threats.

In May 2026, the IETF formally published three new RFCs that collectively supersede the original DMARC specification:

  • RFC 9989 (DMARC Protocol): This document defines the core DMARC protocol, outlining how domain owners publish DMARC policies in DNS and how receiving mail servers evaluate incoming messages against these policies. It refactors and clarifies the fundamental mechanisms, improving readability and precision.
  • RFC 9990 (DMARC Aggregate Reports): This RFC details the structure and content of aggregate reports (RUAs), which provide senders with high-level summaries of their email traffic, including authentication results and DMARC policy application. The updates aim to standardize reporting formats and enhance the utility of these invaluable data streams.
  • RFC 9991 (DMARC Failure Reports): This document specifies the format and delivery of failure reports (RFAs), also known as forensic reports. These reports provide more granular details about individual messages that fail DMARC, offering crucial insights for troubleshooting and identifying specific instances of abuse. The updated RFCs likely refine the reporting mechanisms to be more consistent and actionable.

The motivation behind these updates was not to reinvent DMARC but to solidify its foundation. Over the years, implementers and email security experts had identified areas where the original RFC could be clearer, more explicit, or better aligned with modern email infrastructure practices. The IETF’s rigorous standardization process ensured that these clarifications and modernizations were carefully considered, debated, and widely accepted by the community. The result is a DMARC specification that is more resilient, easier to implement consistently, and better equipped to serve as a cornerstone of email security for the foreseeable future.

Key Implications for the Global Email Ecosystem

The formalization of DMARC under these new RFCs carries significant implications across the entire email ecosystem:

  • For Mailbox Providers (Receivers): The updated specifications provide clearer, more robust guidelines for implementing and enforcing DMARC policies. This can lead to greater consistency in how DMARC-protected emails are processed across different providers, ultimately enhancing their ability to protect their users from phishing and spam. Simplified implementation guidelines can reduce the operational burden on these critical gatekeepers of email.
  • For Email Senders (Organizations): While compliant senders may not experience immediate operational changes, the updated RFCs reinforce the absolute necessity of DMARC implementation. Organizations that have yet to fully deploy DMARC, or those still operating under a "p=none" (monitoring) policy, will face increased pressure to move towards "p=quarantine" or "p=reject." Major mailbox providers like Google and Yahoo have already announced stricter authentication requirements for bulk senders in 2024, explicitly citing the importance of DMARC. Non-compliance will increasingly result in emails being rejected or quarantined, severely impacting deliverability and potentially damaging brand reputation. For those already compliant, the updates offer reassurance that their current strategies are aligned with the latest industry standards.
  • For Email Service Providers (ESPs) like Mailjet: ESPs play a crucial role in helping their customers navigate email authentication. The clarified DMARC specifications enable ESPs to provide more precise guidance and robust tools for DMARC implementation. It underscores the importance of offering features that facilitate SPF and DKIM alignment, reporting, and policy management. Mailjet’s proactive approach to DMARC, as highlighted by their existing documentation and default configurations, positions them well to continue supporting customers effectively under the updated framework.
  • For End-Users (Consumers): Ultimately, the goal of improved email authentication is to create a safer and more trustworthy digital communication environment. By making DMARC more robust and widely understood, the updates contribute to a significant reduction in the volume of phishing, spoofing, and spam reaching end-users’ inboxes. This translates to fewer successful cyberattacks, enhanced privacy, and a more positive overall email experience.

The standardization through the IETF’s new RFCs solidifies DMARC’s status as a mandatory best practice, moving it from an optional enhancement to a fundamental requirement for any organization serious about email security and deliverability.

Navigating DMARC with Mailjet: Continued Best Practices

For Mailjet customers, the core responsibilities remain steadfast: authenticate your email domains, ensure your authenticated domains are aligned with your visible "From" addresses, and diligently monitor your DMARC reports. The updated RFCs do not introduce new operational complexities for those already adhering to these principles but rather provide stronger validation for them.

Mailjet’s DKIM-First Default
Mailjet’s platform is designed to facilitate DMARC compliance, particularly through its default DKIM authentication processes. When a sender domain is validated within Mailjet, the platform typically configures DKIM records (via CNAMEs) for that domain. This means that emails sent through Mailjet from a "From" address using the same domain (or an aligned subdomain) that has been authenticated will automatically carry a valid DKIM signature. Crucially, this DKIM signature will align with the visible "From" domain.

Under Mailjet’s default setup, DMARC commonly passes due to this robust DKIM alignment. As DMARC only requires one aligned authenticated identifier (either SPF or DKIM) to pass, Mailjet’s strong DKIM implementation often suffices for DMARC compliance.

The Return-Path and SPF Alignment Story
While DKIM alignment is straightforward with Mailjet’s defaults, SPF alignment presents a different scenario. By default, Mailjet uses a provider-owned bounce domain, such as bnc3.mailjet.com, for the "Return-Path" or "Mail From" address. This domain is separate from the customer’s visible "From" domain. Consequently, SPF authentication, which checks the Return-Path domain, does not inherently align with the visible "From" domain under Mailjet’s standard configuration.

It is important to reiterate that DMARC does not mandate both SPF and DKIM alignment; one is sufficient. Therefore, Mailjet’s default DKIM-first approach remains entirely valid for DMARC compliance. However, some organizations may desire SPF alignment as an additional layer of authentication or to meet specific internal security policies.

Custom Return-Path for SPF Alignment with Mailjet
For Mailjet customers on paid plans who wish to achieve SPF alignment in addition to DKIM alignment, Mailjet offers the option to configure a custom Return-Path. This feature allows customers to use a Mailjet-managed bounce subdomain within their own organizational domain (e.g., bnc.yourdomain.com) as the Return-Path.

Configuring a custom Return-Path typically involves:

  1. Creating a CNAME record: Directing a subdomain (e.g., bnc.yourdomain.com) to Mailjet’s bounce domain (e.g., bnc3.mailjet.com).
  2. Updating Mailjet settings: Configuring the custom Return-Path within the Mailjet platform.
  3. Ensuring SPF record: Verifying that the customer’s SPF record for yourdomain.com (or its organizational domain) includes Mailjet’s sending IPs or includes mechanisms that authorize the custom Return-Path subdomain.

Once configured, SPF can support DMARC alignment under "relaxed alignment" (aspf=r). This is because the MAIL FROM / Return-Path will now use a Mailjet-managed bounce subdomain within the customer’s organizational domain, allowing it to align with the visible "From" domain if that domain is also within the same organizational domain. Mailjet continues to handle bounce processing behind the scenes, ensuring deliverability remains optimized.

Customers considering "strict SPF alignment" (aspf=s) should review this setup carefully. Strict alignment requires the MAIL FROM domain to exactly match the visible "From" domain. As Mailjet’s custom Return-Path typically uses a subdomain (e.g., bnc.yourdomain.com) rather than the exact primary domain (yourdomain.com) for the Return-Path, strict SPF alignment may not be achieved in all scenarios. It’s crucial to consult Mailjet’s latest documentation and support guidance for specific setup details and potential limitations, as availability and setup processes can evolve.

It’s also worth noting that dedicated IPs, while important for reputation control and deliverability troubleshooting, do not alter DMARC’s fundamental alignment rules. Whether using shared or dedicated Mailjet IPs, DMARC still evaluates the alignment between the visible "From" domain and the authenticated SPF or DKIM identifiers.

Actionable Steps for Mailjet Senders

In light of the DMARC updates, Mailjet senders should undertake a comprehensive review of their email authentication practices:

  1. Audit DMARC Configuration: Verify that DMARC records are correctly published for all sending domains, including any subdomains used for email. Ensure policies (p=none, p=quarantine, p=reject) are appropriate for your organization’s risk tolerance and email volume.
  2. Confirm Domain Authentication: Double-check that all domains used in your "From" addresses are properly authenticated with DKIM within your Mailjet account. Ensure the necessary CNAME records are correctly configured in your DNS.
  3. Validate Alignment: Review your sending practices to confirm that the domains in your visible "From" addresses consistently align with either your authenticated DKIM domain or your SPF-aligned Return-Path domain.
  4. Monitor DMARC Reports: Regularly analyze your DMARC aggregate and forensic reports. These reports are invaluable for identifying legitimate authentication failures, detecting unauthorized sending, and optimizing your DMARC policies. Mailjet’s reporting features and integrations can assist with this.
  5. Consider Custom Return-Path: If SPF alignment is a strategic requirement, explore the custom Return-Path feature on your Mailjet paid plan. Understand its implications for relaxed vs. strict SPF alignment and consult Mailjet support for optimal configuration.
  6. Stay Informed: Keep abreast of Mailjet’s documentation, blog posts, and support channels for any further updates or recommendations regarding DMARC and email authentication best practices.

The Road Ahead: Sustaining Email Trust

The transition from "DMARCbis" to DMARC, solidified by the IETF’s new RFCs, marks a significant milestone in the ongoing quest for a more secure and trustworthy email ecosystem. It is a testament to the collaborative efforts of the industry to evolve and adapt to the ever-present threat of cybercrime. For most Mailjet customers who have already embraced authenticated domains and correctly aligned identifiers, these new RFCs will feel more like a clarification and reinforcement of existing best practices than a major operational upheaval.

DMARC, now more robustly defined than ever, stands as a cornerstone of email security, but it is not a panacea. The battle against phishing, spoofing, and other email-borne threats is continuous. Organizations must remain vigilant, combining DMARC with other security layers, employee training, and continuous monitoring to build a truly resilient defense. The message is clear: DMARCbis is dead. Long live DMARC, a modernized and reaffirmed standard that will continue to empower senders and protect recipients in the digital age.

Related Posts

AWeber Pioneers Email Marketing Integration in the ChatGPT App Marketplace

AWeber has officially announced its groundbreaking integration into the ChatGPT App Marketplace, positioning itself as one of the inaugural email marketing platforms to offer direct functionality within OpenAI’s conversational AI…

The Transformative Power of Multi-Step Forms: Boosting Conversions and Personalizing User Journeys with AI Innovation

In an increasingly competitive digital landscape, businesses are continually seeking innovative strategies to optimize user engagement and enhance conversion rates. A significant advancement gaining traction is the adoption of multi-step…

You Missed

SMX Munich: Advanced Google Ads Workshop Promises Deep Dive into Optimization and Automation

  • By
  • July 13, 2026
  • 1 views
SMX Munich: Advanced Google Ads Workshop Promises Deep Dive into Optimization and Automation

The Unseen Cost of Delegating: Why Business Owners Must Remain Vigilant in Financial Oversight

  • By
  • July 13, 2026
  • 1 views
The Unseen Cost of Delegating: Why Business Owners Must Remain Vigilant in Financial Oversight

Optimizing for the AI Search Era: A New Frontier in Digital Visibility

  • By
  • July 13, 2026
  • 1 views
Optimizing for the AI Search Era: A New Frontier in Digital Visibility

Google Search Generative AI Controls Roll Out Globally, Expanding Beyond Initial UK Sites

  • By
  • July 13, 2026
  • 1 views
Google Search Generative AI Controls Roll Out Globally, Expanding Beyond Initial UK Sites

Cultivating Creativity at Home: The Power of Intentional Self-Care and Domestic Retreats

  • By
  • July 13, 2026
  • 1 views
Cultivating Creativity at Home: The Power of Intentional Self-Care and Domestic Retreats

DemandScience Unveils Comprehensive Suite of Solutions to Empower B2B Marketing and Sales Leaders

  • By
  • July 13, 2026
  • 2 views
DemandScience Unveils Comprehensive Suite of Solutions to Empower B2B Marketing and Sales Leaders