Key takeaways
- New standards require a careful review of your published DMARC policies.
- Not only is policy inheritance behavior changing significantly, but so is the determination of the “organizational domain.”
- Because sender requirements are tightening, organizations are being pushed toward full DMARC enforcement and better visibility into every email source.
Email authentication is entering its next phase. DMARC, long a cornerstone for domain protection and anti-phishing, is being updated through an emerging specification. These changes aim to close long-standing gaps. They also aim to improve alignment with modern email ecosystems and make enforcement more reliable at scale.
For security and product leaders, this isn’t just a standards update. It’s an opportunity to strengthen domain protection, reduce impersonation risk, and improve visibility. Here’s what you need to know.
What Is DMARC RFC 9989?
The new specification builds on the original DMARC RFC 7489 but refines ambiguous behaviors, standardizes interpretations across receivers, and introduces improvements based on a decade of operational experience.
While the core principles of SPF/DKIM alignment and DMARC policy enforcement remain intact, RFC 9989 advances DMARC by focusing on:
- Improved reporting with clearer expectations for consistency, structure, and provider interpretation
- Stronger protection against subdomain spoofing, including more precise handling of organizational domains and subdomain policy application
- Standardized organizational domain discovery, reducing reliance on inconsistent or provider-specific lookup behavior
- Clearer alignment logic, especially around relaxed versus strict alignment handling
- More consistent treatment of indirect mail flows, including forwarding, mailing lists, and other intermediated delivery paths
- Reduced implementation ambiguity across mailbox providers, senders, and security vendors
What Is DMARC Aggregate Reporting RFC 9990?
DMARC RFC 9990 defines aggregate reporting, the reporting type commonly associated with the RUA tag.
Key points:
- Aggregate reporting is now its own RFC. RUA reporting was carved out of the main DMARC specification so it can evolve separately from RFC 9989.
- The report format is cleaner and more consistent. RFC 9990 formalizes the XML namespace and schema, making reports easier to parse and normalize.
- Reports include new DMARC RFC 9989 context. New fields such as discovery method, np, and testing reflect changes introduced in RFC 9989.
- Reports are more operationally useful. DKIM selectors are now required when DKIM results are reported, report IDs are formally specified, and each report covers one DMARC Policy Domain.
- PSD reporting is included. Public Suffix Domain reporting, previously experimental, is now part of the aggregate reporting standard.
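An added example, not Proofpoint's or the RFC's own code: a namespace-agnostic summary of one aggregate report that surfaces the published policy fields, the sources failing DMARC, and DKIM results reported without a selector. The sample report is constructed, its namespace URI is a placeholder, and the `discovery_method`, `np` and `testing` element names are assumptions based on the field names listed above.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report. The namespace URI is a placeholder and the
# discovery_method / np / testing element names are assumptions.
SAMPLE = """<?xml version="1.0"?>
<feedback xmlns="urn:example:placeholder-dmarc-ns">
  <report_metadata><org_name>receiver.example</org_name><report_id>r-001</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p><sp>none</sp>
    <np>reject</np><testing>n</testing><discovery_method>treewalk</discovery_method></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim></auth_results></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>vendor.example</domain><result>pass</result></dkim></auth_results></record>
</feedback>"""

def strip_ns(root):
    """Drop '{namespace}' prefixes so one code path reads namespaced and bare reports."""
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root

def summarize(xml_text):
    # Reports come from third parties: parse with a hardened parser (e.g. defusedxml) in production.
    root = strip_ns(ET.fromstring(xml_text))
    pol = root.find("policy_published")
    policy = {k: pol.findtext(k) for k in ("domain", "p", "sp", "np", "testing", "discovery_method")}
    failing, missing_selector = Counter(), []
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count", "0"))
        ev = rec.find("row/policy_evaluated")
        # DMARC passes when either aligned mechanism (DKIM or SPF) passes.
        if "pass" not in (ev.findtext("dkim"), ev.findtext("spf")):
            failing[ip] += count
        for dkim in rec.findall("auth_results/dkim"):
            if not (dkim.findtext("selector") or "").strip():
                missing_selector.append((ip, dkim.findtext("domain")))
    return {"report_id": root.findtext("report_metadata/report_id"),
            "policy": policy, "failing": dict(failing),
            "missing_selector": missing_selector}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The second record shows the common third-party case: the vendor's DKIM signature verifies for its own domain, but it is not aligned with the header From domain, so the source counts as failing DMARC.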
What Is DMARC Forensic Reporting RFC 9991?
DMARC RFC 9991 defines failure reporting, the reporting type associated with the RUF tag.
Key points:
- Failure reporting is now its own RFC. RUF reporting was separated from the main DMARC specification and published as a dedicated Standards Track document.
- RUF reports provide message-level detail. Unlike aggregate reports, failure reports are designed to help investigate specific messages that fail DMARC.
- The format is more clearly defined. RFC 9991 updates the ARF-based failure report structure and defines required and optional fields for DMARC failures.
- External destinations must be verified. Third-party RUF destinations use the same general verification model as aggregate reporting.
- Privacy and abuse controls are emphasized. Because RUF reports can expose headers, message content, or personal data, RFC 9991 highlights careful use, redaction, secure transport, and rate limiting.
Key Changes You Should Pay Attention To
DMARC RFC 9989 introduces more consistent policy evaluation by reducing the variability in how mailbox providers interpret and enforce DMARC policies. This results in more predictable outcomes for senders and minimizes the common issue where authentication behaves differently across receiving environments.
It also refines alignment definitions, including clearer guidance on how organizational domains are matched, how subdomain policies are inherited, and how alignment should be evaluated in complex email flows. These clarifications are particularly important for large enterprises that manage multiple domains and third-party sending services.
Reporting is another area of improvement. DMARC RFC 9989 enhances both aggregate and forensic reporting by standardizing formats and expectations, which improves interoperability across providers. As a result, the frequency of malformed or inconsistent reports is reduced, enabling more effective automation and analysis.
The specification also addresses long-standing challenges with indirect mail flows. Forwarding services and mailing lists have historically disrupted DMARC authentication. DMARC RFC 9989 introduces better guidance for intermediaries. It also improves the likelihood that authentication signals are preserved through these flows.
Finally, DMARC RFC 9989 strengthens support for internationalization. As adoption of internationalized domain names continues to grow, the updated specification provides clearer handling of non-ASCII domains. This ensures more reliable authentication across globalized email ecosystems.
Why This Matters Now
Major mailbox providers such as Google, Yahoo, Apple, and Microsoft have been tightening sender requirements and raising expectations for authentication and enforcement. Organizations are increasingly being pushed to adopt stricter DMARC policies, move to full enforcement at the reject level, ensure proper alignment across both SPF and DKIM, and establish comprehensive visibility into all systems that send email on their behalf.
DMARC RFC 9989 will accelerate this shift. Not only will it remove longstanding ambiguities in the standard, but it will also drive more consistent interpretation across receivers. Ultimately, these changes will raise the bar for compliance and operational maturity. Authentication failures will become more visible and less dependent on provider behavior. Configurations that ‘worked’ due to inconsistent enforcement may begin to fail because subdomain policy gaps will no longer be masked by receiver variability.
Where Organizations Struggle
Despite broad adoption of DMARC, many organizations continue to face operational challenges that limit its effectiveness. A common issue is incomplete visibility into all email sources, which makes it difficult to identify and properly authenticate every system that sends messages on behalf of the domain. This lack of visibility often delays or prevents organizations from confidently progressing to full enforcement of a reject policy.
Complexities also arise with third-party senders, where ensuring proper SPF and DKIM alignment across multiple vendors can be difficult to manage. In addition, many teams struggle to interpret DMARC reports and translate them into actionable steps, which hinders ongoing optimization and response. Forwarding scenarios and SaaS-driven email flows further complicate matters by introducing authentication breakage that’s not always straightforward to resolve.
These challenges highlight the need for a platform-based approach that provides centralized visibility, analysis, and control, as well as the ability to view your DMARC policy posture from both legacy DMARC and future DMARC RFC 9989 perspectives.
How Proofpoint Helps
Proofpoint provides an integrated approach to DMARC management that aligns directly with DMARC RFC 9989.
Full sender discovery and inventory
Proofpoint identifies all services sending on your behalf, legitimate or otherwise, so you can:
- Eliminate shadow IT senders
- Ensure proper SPF/DKIM alignment
- Reduce spoofing exposure
Guided path to enforcement
Move confidently from ‘p=none → quarantine → reject’ with:
- Risk-based recommendations
- Simulation and impact analysis
- Controlled rollout strategies
Advanced reporting and analytics
Transform raw DMARC reports into actionable intelligence:
- Normalized aggregate reporting
- Threat attribution and source classification
- Executive-ready dashboards
Third-party sender management
Proofpoint simplifies onboarding and governance of SaaS/email vendors:
- Alignment validation
- Policy enforcement
- Continuous monitoring
Protection beyond authentication
DMARC alone doesn’t stop all impersonation. Proofpoint layers:
- Display name spoofing detection
- Lookalike domain protection
- BEC and advanced phishing defense
Supporting DMARC RFC 9989 and future changes
As DMARC continues to evolve, Proofpoint ensures:
- Rapid alignment with new standards
- Consistent policy interpretation across environments
- Reduced operational overhead for security teams
What Organizations Should Plan for in 2026
Start planning a review of your own DMARC configurations so that you are ready for the shift to DMARC RFC 9989:
1. Review the DMARC RFC 9989 standard
- An overview of changes from DMARC RFC 7489 is presented in this summary.
2. Revalidate your DMARC policy structure
- Audit organizational vs. subdomain policies
- Identify unintended inheritance gaps
- Ensure alignment with desired enforcement outcomes
3. Inventory all sending sources
- Identify unknown or unauthorized senders
- Validate SPF/DKIM alignment across all vendors
- Eliminate or remediate shadow IT
4. Prepare for stricter alignment outcomes
- Test current pass/fail rates under consistent evaluation
- Simulate enforcement scenarios (quarantine/reject)
5. Upgrade reporting and analysis capabilities
- Ensure your tooling can handle standardized DMARC RFC 9989 reports
- Automate anomaly detection and trend analysis
6. Validate indirect mail flows
- Test forwarding, mailing lists, and SaaS workflows
Final Thoughts
DMARC RFC 9989 will not radically change the framework, but it will eliminate excuses for inconsistent implementation and accelerate adoption of DMARC best practices. In the AI era, where attacks are scaling and moving at machine speed, stopping threats before they enter your organization has become more important than ever. As attackers increasingly leverage AI to create convincing impersonation campaigns, email authentication plays a critical role by providing effective controls to prevent domain spoofing and other impersonation-based threats.
Organizations that modernize their DMARC posture now will be better positioned to meet evolving sender requirements, ensure business-critical email is delivered throughout the transition, and strengthen their defenses against increasingly sophisticated attacks. As an integrated platform designed to protect modern communications, Proofpoint Collaboration Security helps organizations establish trusted digital identities, enforce email authentication controls, and reduce the risk of impersonation threats across email and collaboration channels.
Learn More
Visit Email Fraud Defense to learn how Proofpoint can help you simplify DMARC deployment, improve email authentication, and accelerate your journey to enforcement.
To learn how Proofpoint helps organizations defend against AI-scaled threats and advanced impersonation attacks across email and digital communications, visit Proofpoint Collaboration Security or contact your Proofpoint representative today.