DMARCbis is now DMARC: IETF Publishes New RFCs, Formalizing Email Authentication Standard

The internet community has officially ushered in a new era for email authentication with the formalization of the Domain-based Message Authentication, Reporting & Conformance (DMARC) standard, marked by the publication of three new Request for Comments (RFCs) by the Internet Engineering Task Force (IETF) in May 2026. This significant development, effective immediately, clarifies and modernizes the protocol that has become indispensable for combating email fraud and enhancing deliverability worldwide. Far from a radical overhaul, these updated specifications, RFC 9989 (the core DMARC protocol), RFC 9990 (aggregate reports), and RFC 9991 (failure reports), primarily refactor, clarify, and update existing documentation, reinforcing DMARC’s foundational evaluation model: ensuring mail is authenticated and aligned through either SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail). For senders, including those leveraging platforms like Mailjet, the practical implication is one of continuity and reinforced best practices rather than a seismic operational shift.

The Evolution of Email Authentication: A DMARC Chronology

To fully appreciate the significance of DMARC’s formalization, it is crucial to understand its origins and the critical role it plays in the often-vulnerable world of email communication. The Simple Mail Transfer Protocol (SMTP), developed in the early days of the internet, was never designed with robust security in mind. It lacked inherent mechanisms to verify the sender’s identity, making it notoriously easy for malicious actors to spoof email addresses – fabricating the "From" address to impersonate legitimate organizations or individuals. This fundamental flaw became a fertile ground for phishing attacks, spam, and business email compromise (BEC) schemes, costing businesses billions annually and eroding user trust in email as a reliable communication channel.

In response to these escalating threats, two primary authentication protocols emerged: SPF and DKIM. SPF, first standardized in 2006, allows domain owners to publish a DNS record listing authorized sending servers for their domain. When an email arrives, the receiving mail server checks if the sending IP address is listed in the sender’s SPF record. DKIM, introduced around the same time, provides a cryptographic signature that verifies the email has not been tampered with in transit and that it originated from an authorized sender. While revolutionary, SPF and DKIM addressed only parts of the problem. A major loophole remained: neither protocol explicitly checked the "From" address visible to the end-user. An attacker could still pass SPF or DKIM checks by sending through a compromised server or a third-party service: as long as the technical "MAIL FROM" domain or the DKIM signing domain was legitimate, the check passed, even while the user-visible "From" address was spoofed.

Enter DMARC. Conceived in 2012 through a collaborative effort involving major email providers (like Google, Microsoft, Yahoo), financial institutions, and security vendors, DMARC was designed to bridge this critical gap. Its core innovation was to mandate "alignment" – checking that the domain in the user-visible "From" header matches either the domain validated by SPF (the "MAIL FROM" or Return-Path domain) or the domain signed by DKIM. Furthermore, DMARC introduced policies (p=none, p=quarantine, p=reject) allowing domain owners to instruct receiving mail servers on how to handle unaligned messages, and, crucially, provided a standardized reporting mechanism to give senders visibility into their email streams. This reporting, in the form of aggregate (RUA) and forensic (RUF) reports, was revolutionary, offering unprecedented insight into legitimate sending practices and potential abuse.

The initial DMARC specification, published as RFC 7489 in 2015, quickly gained traction. However, as DMARC adoption grew and its complexities became more apparent, ongoing discussions and clarifications led to a working draft often referred to informally as "DMARCbis" (DMARC-bis, Latin for "DMARC a second time"). This "bis" period represented a continuous effort within the IETF to refine the protocol, address ambiguities, improve error handling, and ensure its long-term stability and interoperability. The May 2026 publication of RFCs 9989, 9990, and 9991 culminates this multi-year process, solidifying DMARC as a robust and mature internet standard.

Deciphering the New RFCs: Modernization, Not Reinvention

The IETF’s recent publication marks a significant milestone in the evolution of email security standards. Rather than introducing groundbreaking new functionalities, the new RFCs serve as a comprehensive update and formalization of the DMARC protocol, which had been operating under various informal interpretations and evolving best practices. This modernization aims to provide a clearer, more robust, and officially sanctioned framework for DMARC implementation.

RFC 9989, the core DMARC protocol specification, is the linchpin of this update. It refactors the original RFC 7489, clarifying definitions, streamlining the protocol’s language, and enhancing its overall robustness. Key changes include better explanations of policy application, improved guidance on handling various edge cases, and a more precise articulation of the alignment requirements. The fundamental principle that DMARC passes if at least one of SPF or DKIM is authenticated and aligned remains untouched. This ensures that existing, correctly configured DMARC implementations continue to function as intended, minimizing disruption for organizations that have already invested in email authentication. The IETF’s motivation for this refactoring stems from a desire to create a stable and unambiguous standard that can serve as a solid foundation for future email security developments. As email threats grow in sophistication, having a crystal-clear baseline for authentication is paramount.

Complementing the core protocol are RFC 9990 for aggregate reports (RUA) and RFC 9991 for failure reports (RUF). These RFCs focus on the crucial reporting mechanisms that underpin DMARC’s effectiveness. Aggregate reports provide high-level summaries of email traffic, indicating which messages passed or failed DMARC checks, and why. The new RFC 9990 likely refines the reporting format, adds new fields for enhanced data collection, or clarifies existing ones, enabling domain owners to gain even deeper insights into their email ecosystem. This improved granularity can help identify legitimate email streams that might be misconfigured, as well as pinpoint sources of malicious spoofing. Forensic reports, detailed in RFC 9991, offer message-level data for emails that fail DMARC, providing valuable forensic evidence for investigating phishing attacks and other forms of abuse. While their use has sometimes been contentious due to privacy concerns, the updated RFC likely provides clearer guidelines for their generation and consumption, balancing utility with privacy considerations.

The overarching theme of these updates is standardization and clarity. By addressing ambiguities and codifying best practices that have emerged since DMARC’s initial release, the IETF has provided a definitive benchmark. This eliminates the need for implementers and email service providers to rely on outdated documentation or informal interpretations, fostering greater consistency across the global email infrastructure. It is a testament to DMARC’s success that, instead of being replaced, it has been meticulously refined to meet the demands of a constantly evolving threat landscape.

The Critical Role of DMARC in Today’s Email Landscape

The formalization of DMARC underscores its increasingly critical role in a digital world where email remains the primary vector for cyberattacks. Statistics consistently highlight the pervasive nature of email-based threats. According to various cybersecurity reports, phishing remains one of the most common and effective attack methods, accounting for a significant percentage of all cyberattacks. For instance, the FBI’s Internet Crime Report frequently cites Business Email Compromise (BEC) schemes, which heavily rely on email spoofing, as one of the costliest cybercrimes, with billions of dollars lost annually globally. These attacks leverage the ease with which traditional email protocols allow for identity deception, directly impacting trust, financial security, and brand reputation.

DMARC directly addresses this vulnerability by giving domain owners control over how unauthenticated emails purporting to be from their domain are handled. When implemented with a policy of p=quarantine or p=reject, DMARC significantly reduces the success rate of phishing and spoofing attacks. Studies have shown that organizations implementing DMARC with enforcement policies experience a substantial decrease in the volume of fraudulent emails reaching their customers’ inboxes. For example, a significant number of Fortune 500 companies and government agencies have adopted DMARC, leading to a demonstrable reduction in email-based brand abuse. The mere presence of a DMARC record, even with p=none (monitoring only), provides valuable intelligence, while stricter policies actively block malicious mail.

Furthermore, DMARC has become a non-negotiable requirement for optimal email deliverability. Major mailbox providers like Google (Gmail), Microsoft (Outlook.com), and Yahoo have progressively tightened their email authentication requirements. They increasingly expect senders to not only authenticate their mail with SPF and DKIM but also to implement DMARC with an enforcement policy. Emails that fail DMARC checks are far more likely to be sent to spam folders or rejected outright, regardless of their content or the sender’s reputation. This shift reflects a collective industry effort to create a safer email ecosystem, where trust is built upon verifiable sender identity. For any organization relying on email for marketing, transactional communications, or internal operations, DMARC is no longer an option but a baseline necessity for ensuring messages reach their intended recipients. Its adoption rate, while growing steadily, still indicates room for improvement, highlighting the ongoing educational effort required to bring all senders up to par with these essential security standards.

Mailjet’s Commitment to DMARC Best Practices

As a leading email service provider, Mailjet has long been at the forefront of advocating and facilitating DMARC compliance for its customers. The platform’s infrastructure and default settings are designed to align seamlessly with DMARC requirements, ensuring that senders can achieve optimal deliverability and security without undue complexity.

Mailjet’s approach emphasizes a "DKIM-first" default for DMARC alignment. When a user validates a sender domain within Mailjet, the platform automatically generates and provides the necessary DNS records for DKIM. By configuring these records, Mailjet signs all outgoing emails with the customer’s domain, establishing a verifiable cryptographic link between the email and the authorized sender. This means that if a customer uses their validated domain (e.g., yourdomain.com) as the visible "From" address, Mailjet ensures that the DKIM signature uses yourdomain.com (or an aligned subdomain), thereby achieving DKIM alignment for DMARC. This streamlined process makes DKIM alignment straightforward for the vast majority of Mailjet users, especially those sending from the same domain or an aligned subdomain they have authenticated within the platform.

The situation for SPF alignment with Mailjet’s default setup requires a slightly deeper understanding. By default, Mailjet uses a provider-owned bounce domain, such as bnc3.mailjet.com, as the "MAIL FROM" or Return-Path address for emails sent through its platform. While this configuration ensures proper bounce processing and SPF authentication for Mailjet’s own infrastructure, it means that the "MAIL FROM" domain (bnc3.mailjet.com) does not align with the customer’s visible "From" domain (yourdomain.com). Consequently, in Mailjet’s default setup, SPF authenticates but is not aligned, and DMARC commonly passes through DKIM alignment alone. That is typically sufficient: DMARC requires only one aligned authenticated identifier (either SPF or DKIM) to pass; it does not mandate both.

However, for customers who specifically desire SPF alignment in addition to DKIM, Mailjet offers a "Custom Return-Path" feature, typically available on paid plans. This feature allows senders to configure a subdomain within their organizational domain (e.g., bounces.yourdomain.com) to be used as the Return-Path. By setting up the appropriate DNS records (usually a CNAME pointing to Mailjet’s bounce infrastructure), the "MAIL FROM" domain can then be aligned with the customer’s organizational domain. When configured, SPF can support DMARC alignment under relaxed alignment (aspf=r), as the Return-Path uses a Mailjet-managed bounce subdomain within the customer’s organizational domain. Mailjet continues to handle bounce processing seamlessly behind the scenes. It is important for customers considering strict SPF alignment (aspf=s) to carefully review this setup, as strict alignment requires the MAIL FROM domain to exactly match the visible From domain, which may necessitate further configuration or may not be achievable with a delegated bounce subdomain.
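The alignment outcomes described in the two paragraphs above can be checked mechanically. The following Python is an added example, not code from Mailjet or the RFCs; the function names are illustrative, and `org_domain()` is an assumption that approximates the organizational domain with a tiny constructed suffix list where real receivers use a complete method such as the Public Suffix List.

```python
# Added example: DMARC identifier alignment for the Mailjet scenarios above.
# Assumption: org_domain() is a simplification driven by a tiny constructed
# suffix list; production receivers use a complete method (e.g. the PSL).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}  # constructed sample, not exhaustive


def org_domain(domain: str) -> str:
    """Approximate the organizational domain of a host name."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """mode 's' = strict (exact match); mode 'r' = relaxed (same org domain)."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


def evaluate(from_domain, mail_from, spf_pass, dkim_sigs, aspf="r", adkim="r"):
    """dkim_sigs: list of (d= domain, signature_verified) tuples."""
    # An identifier only counts when it both authenticates and aligns.
    spf_ok = spf_pass and aligned(from_domain, mail_from, aspf)
    dkim_ok = any(ok and aligned(from_domain, d, adkim) for d, ok in dkim_sigs)
    # DMARC passes when at least one identifier is authenticated and aligned.
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}


SCENARIOS = {
    # Default setup: provider bounce domain, DKIM signed with the customer domain.
    "default": evaluate("yourdomain.com", "bnc3.mailjet.com", True,
                        [("yourdomain.com", True)]),
    # Custom Return-Path on a customer subdomain, relaxed SPF alignment.
    "custom_return_path_relaxed": evaluate(
        "yourdomain.com", "bounces.yourdomain.com", True,
        [("yourdomain.com", True)], aspf="r"),
    # Same Return-Path under aspf=s: SPF no longer aligns, DKIM still carries it.
    "custom_return_path_strict": evaluate(
        "yourdomain.com", "bounces.yourdomain.com", True,
        [("yourdomain.com", True)], aspf="s"),
    # SPF and DKIM both authenticate, but for an unrelated domain: the gap
    # DMARC closes. example.net is a constructed placeholder.
    "unaligned_identifiers": evaluate(
        "yourdomain.com", "mailer.example.net", True, [("example.net", True)]),
}

if __name__ == "__main__":
    for name, result in SCENARIOS.items():
        print(f"{name}: {result}")
```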

Mailjet officials noted that their ongoing commitment to DMARC best practices ensures a seamless transition for customers navigating these updates. A spokesperson for Mailjet reiterated, "Our infrastructure is meticulously designed to empower senders to meet and exceed current email authentication standards. The formalization of DMARC by the IETF reinforces the importance of the principles we’ve championed for years. For most Mailjet customers already utilizing authenticated domains and correctly aligned identifiers, these new RFCs serve as a welcome clarification of existing best practices rather than a significant operational upheaval."

It is also crucial to note that the use of shared or dedicated IP addresses within Mailjet’s ecosystem does not alter DMARC’s fundamental alignment rules. Whether sending via shared or dedicated IPs, DMARC still evaluates the alignment between the visible "From" domain and the authenticated SPF or DKIM identifiers. Dedicated IPs primarily affect reputation management and deliverability troubleshooting, offering more control over the sending reputation, but they do not change the underlying DMARC authentication logic. Mailjet encourages customers to consult their updated documentation and support resources for the latest guidance on Custom Return-Path setup, as availability and specific configuration details may evolve over time.

Implications for Senders: What You Need to Do

The formalization of DMARC through the new RFCs reinforces, rather than alters, the core responsibilities of email senders. For Mailjet customers and indeed all email senders, the mantra remains: Authenticate, Align, and Monitor. This ongoing commitment is crucial for maintaining optimal deliverability, protecting brand reputation, and safeguarding against increasingly sophisticated email-based threats.

Here’s a practical guide for Mailjet senders to ensure full compliance and maximize the benefits of DMARC:

  1. Validate All Sender Domains and Configure DKIM: The foundational step is to ensure that every domain used in your visible "From" addresses is properly validated within your Mailjet account. This includes configuring the necessary DKIM DNS records (typically CNAMEs provided by Mailjet) for each sending domain. Mailjet’s "DKIM-first" approach means that a correctly configured DKIM record will generally satisfy DMARC alignment requirements. Regularly audit your sender domains to ensure all are active and correctly authenticated.

  2. Review "From" Domains for Alignment: Meticulously check that the "From" domain visible to your recipients (e.g., [email protected]) is either the exact domain or a properly aligned subdomain of the domain you have authenticated in Mailjet for DKIM. For example, if you authenticate yourcompany.com, sending from [email protected] or [email protected] will achieve DKIM alignment. Inconsistent or unauthenticated "From" domains are the primary cause of DMARC failures.

  3. Consider Custom Return-Path for SPF Alignment (Optional but Recommended): While DKIM alignment is often sufficient for DMARC to pass with Mailjet’s default setup, implementing a Custom Return-Path allows for SPF alignment as well. This provides a second layer of DMARC pass validation, offering redundancy and potentially strengthening your email’s authenticity signals. This feature, typically available on Mailjet’s paid plans, involves configuring a subdomain (e.g., bounces.yourdomain.com) as your Return-Path. Senders should carefully evaluate whether strict SPF alignment (aspf=s) is necessary for their specific needs, as it requires an exact match between the Return-Path domain and the visible "From" domain, which may require advanced configuration or not be fully compatible with a delegated bounce subdomain.

  4. Actively Monitor DMARC Reports: The reporting aspect of DMARC is invaluable. Regularly review both aggregate (RUA) and forensic (RUF) reports. Aggregate reports provide a broad overview of your email traffic, showing which emails passed and failed DMARC, and why. This helps identify legitimate sending sources that might be misconfigured, as well as unauthorized senders attempting to spoof your domain. Forensic reports offer more detailed, message-level insights into failures, aiding in troubleshooting and identifying specific abuse patterns. Tools and services exist to help parse these XML reports into user-friendly dashboards, making monitoring manageable.

  5. Progressively Implement DMARC Policies: If you haven’t already, gradually move your DMARC policy from p=none (monitoring only) to p=quarantine (sending failed emails to spam/junk folders) and eventually to p=reject (blocking failed emails outright). This phased approach allows you to gain confidence in your DMARC configuration and identify any legitimate mail streams that might be failing before enforcing stricter policies. The ultimate goal should be p=reject to fully protect your domain from spoofing.
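For steps 4 and 5, the following Python triages an aggregate report before a policy change. It is an added example, not part of the original article or any Mailjet tooling; it assumes the RFC 7489-style report layout (`feedback/record/row/policy_evaluated`), runs on a constructed sample report, and its function names are illustrative.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate report (documentation IP ranges, invented counts).
SAMPLE_REPORT = """<feedback>
 <report_metadata><org_name>receiver.example</org_name><report_id>constructed-001</report_id></report_metadata>
 <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers></record>
 <record><row><source_ip>192.0.2.11</source_ip><count>30</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>10</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers></record>
</feedback>"""


def parse_records(xml_text: str) -> list:
    """Return one dict per <record> of an aggregate report."""
    # Reports are untrusted input (anyone can mail the rua address): refuse
    # DTDs and entity declarations rather than let the parser expand them.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("report contains a DTD or entity declaration")
    root = ET.fromstring(xml_text)
    for el in root.iter():  # tolerate namespace-qualified reports
        el.tag = el.tag.rsplit("}", 1)[-1]
    records = []
    for rec in root.findall("record"):
        records.append({
            "source_ip": rec.findtext("row/source_ip", "").strip(),
            "count": int(rec.findtext("row/count", "0") or 0),
            # policy_evaluated holds the aligned (DMARC) results per mechanism.
            "dkim": rec.findtext("row/policy_evaluated/dkim", "").strip().lower(),
            "spf": rec.findtext("row/policy_evaluated/spf", "").strip().lower(),
            "header_from": rec.findtext("identifiers/header_from", "").strip().lower(),
        })
    return records


def summarize(records: list) -> dict:
    """Message-weighted DMARC pass rate plus the sources that fail."""
    per_source = defaultdict(lambda: {"pass": 0, "fail": 0})
    for r in records:
        # DMARC passes when either aligned mechanism passes.
        verdict = "pass" if "pass" in (r["dkim"], r["spf"]) else "fail"
        per_source[r["source_ip"]][verdict] += r["count"]
    total = sum(s["pass"] + s["fail"] for s in per_source.values())
    passed = sum(s["pass"] for s in per_source.values())
    failing = sorted(((ip, s["fail"]) for ip, s in per_source.items() if s["fail"]),
                     key=lambda item: -item[1])
    return {"total": total,
            "pass_rate": passed / total if total else 0.0,
            "failing_sources": failing}


if __name__ == "__main__":
    summary = summarize(parse_records(SAMPLE_REPORT))
    print(f"{summary['total']} messages, {summary['pass_rate']:.0%} passing DMARC")
    for ip, count in summary["failing_sources"]:
        print(f"  investigate {ip}: {count} failing messages")
```

Each failing source is either a legitimate stream that still needs DKIM or a Custom Return-Path, or mail that a stricter policy is meant to stop; resolving the first kind is what makes the move from p=none to p=quarantine safe.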

These steps are not merely technical checkboxes but integral components of a robust email security strategy. The formalized DMARC standard provides a clear framework, and adherence to these practices ensures that Mailjet customers can continue to send emails with confidence, knowing their messages are authenticated, delivered, and trusted.

Broader Industry Impact and Future Outlook

The formalization of DMARC through RFCs 9989, 9990, and 9991 is more than a technical update; it represents a critical maturation of the email ecosystem. This move by the IETF significantly strengthens the global email infrastructure by providing a definitive, unambiguous standard for sender authentication. It signals to the entire industry – from small businesses to multinational corporations, and from email service providers to cybersecurity firms – that DMARC is the established baseline for email authenticity and security.

The broader impact will be multifaceted. Firstly, it will foster greater interoperability and consistency across different email platforms. With a clear, updated specification, developers and system administrators will have a singular, authoritative source of truth for DMARC implementation, reducing discrepancies and potential vulnerabilities arising from varied interpretations of the older RFC. This consistency is vital for a global communication medium like email.

Secondly, the formalization is likely to accelerate DMARC adoption, particularly among organizations that may have been hesitant due to the perceived "draft" status or evolving nature of "DMARCbis." With the standard now definitively set, there’s less reason to delay implementation. This increased adoption will, in turn, contribute to a safer internet environment by making it significantly harder for phishers and spoofers to operate. As more domains implement DMARC with enforcement policies (p=quarantine or p=reject), the overall volume of fraudulent email reaching inboxes will decrease, leading to fewer successful cyberattacks and enhanced user trust.

Thirdly, this robust foundation opens the door for future innovations in email security. DMARC, SPF, and DKIM form the bedrock upon which newer protocols and security enhancements can be built. A stable, well-defined DMARC standard allows the IETF and other industry bodies to focus on the next generation of email security challenges, knowing that the fundamental sender authentication mechanism is solid. This could include further advancements in message integrity, privacy, or even post-quantum cryptographic protections for email.

Finally, the formalization underscores the enduring importance of open standards and collaborative development within the IETF. The process from DMARC’s inception to its current, refined state demonstrates how a community-driven approach can effectively address complex technical and security challenges impacting billions of users daily.

In conclusion, the transition from "DMARCbis" to a fully ratified DMARC is a testament to the protocol’s indispensable role in modern email security. It is not a call for reinvention but a reinforcement of critical best practices that have become essential for anyone sending or receiving email. For Mailjet customers and the wider internet community, this update signifies a more secure, more trustworthy email future, built on the stable and clear foundation of a mature DMARC standard. The expectation from mailbox providers is clear: authenticated, aligned mail is the baseline. And with these new RFCs, the path to achieving that baseline has never been clearer.
