DMARC RFC 9989, 9990 and 9991 officially replace RFC 7489

News

The new DMARC RFCs are here. Understand the changes in RFC 9989, 9990, and 9991, how they affect your records, and how to prepare your domain for compliance.

by Ahona Rudra

Last Updated:
4 min read
DMARC RFC 9989, 9990 and 9991 officially replace RFC 7489
Table Of Contents

After years of work inside the IETF DMARC working group, the long-anticipated update to the DMARC standard has been published. Three new documents, RFC 9989, RFC 9990, and RFC 9991, now formally replace the original RFC 7489 from 2015. Although not an official term, the RFCs were together known in the community as DMARCbis, and are now published as the updated DMARC specification with the same version number.

The new specifications were published in May 2026 and moved DMARC from its earlier Informational status to a Proposed Standard on the IETF Standards Track. This is a meaningful jump, since it gives DMARC a stronger and more formal place in the Internet standards stack.

What Each RFC Covers

The DMARC specification has been split into three focused documents rather than one large file. RFC 9989 contains the core protocol, including policy evaluation, alignment rules, and record processing. RFC 9990 defines the aggregate (RUA) reporting format. RFC 9991 covers failure reports, often called forensic reports.

Your Existing DMARC Record Still Works

One of the most important points for domain owners is that this is not a breaking change. The protocol identifier stays the same, so records still begin with v=DMARC1. You do not need to rebuild your setup or republish all your records overnight.

If you want a refresher on how records are structured, our guide on DMARC tags walks through each field.

Key Technical Changes

A few updates stand out:

Technical-Changes

  1. Public Suffix List replaced by DNS Tree Walk: Receivers no longer rely on the externally maintained Public Suffix List to figure out the Organizational Domain. Instead, they walk up the DNS hierarchy and look for _dmarc records at each level. This removes a third-party dependency and improves accuracy for complex domain structures.
  2. New tags added: np, psd, and t: The np tag sets a policy for non-existent subdomains, which helps close a long-standing subdomain spoofing gap. The psd tag formally supports Public Suffix Domain operators such as .bank and .gov. The t tag is a simple testing flag, with t=y for test mode and t=n for full enforcement.
  3. Three tags removed: pct, rf, and ri: The pct tag, which was meant to allow gradual rollout, was inconsistently implemented across receivers and has been retired in favour of the cleaner t flag. You can read more about this shift in our earlier note on why t replaces pct. The rf and ri tags were rarely used and have also been dropped.
  4. Clearer guidance for mailing lists and forwarding: Indirect mail flows still break SPF and DKIM alignment, and the new spec acknowledges this openly. It advises against aggressive p=reject policies where mailing list traffic is common, which reflects how email actually behaves in the real world.
  5. Better defined conformance: The new text spells out what “full DMARC participation” means for both senders and receivers, which should reduce the patchy implementations that have been a problem for years.

What Domain Owners Should Do

You do not need to panic-edit your DNS, but it is a good moment to review your setup. Check whether your records still rely on pct, rf, or ri, and plan to clean them up. If you operate subdomains, the new np tag is worth exploring as a defence against spoofing of non-existent subdomains. PSD operators should look at how the new tree walk and psd tag affect their domains.

For a deeper walkthrough of the changes and how to prepare your records, see our full guide on DMARCbis explained.

Make Sure Your DMARC Platform Is Ready

Not every tool on the market has caught up with the new standards yet, and that gap matters. If your platform cannot read the new tags or process reports in the updated format, you lose visibility right when the protocol is evolving.

PowerDMARC is already aligned with the new specifications and supports:

  • RFC 9989, 9990, 9991 compatible record generation
  • Parsing of the new np, psd, and t tags
  • RFC 9990 aggregate report ingestion and reporting
  • DNS Tree Walk based organizational domain handling
  • Updated processing behaviour that reflects the new conformance rules

If you want to see how your current record holds up against the new standard, run it through our free DMARC checker and review what needs cleaning up.

Final Words

The updated RFCs are not a new protocol. It is the same DMARC, rewritten more clearly and lifted to standards-track status. After more than a decade of real-world deployment, the spec now reflects how email actually works, including its messy parts like forwarding and mailing lists.

For anyone responsible for domain security, the publication of RFCs 9989, 9990, and 9991 is a good prompt to audit your records and make sure your tooling is ready for the new tags and the DNS Tree Walk approach.

CTA

Latest posts by Ahona Rudra (see all)
Last Updated:
PowerDMARC Named Leader in DMARC Software for the 12th Consecutive Quarter in...g2-summerwhat-is-email-forwardingWhat is Email Forwarding? How It Works and Best Practices