DMARC's New 'NP' Tag Fails with DNSSEC
The IETF's updated DMARC specification introduces a new 'np' tag to handle non-existent subdomains, but its definition clashes with RFC 9824, causing the tag to malfunction with DNSSEC domains. This affects major DNS providers like Cloudflare and AWS Route 53, with no agreed-upon solution.
Key points
- The IETF published an updated DMARC specification in May 2026, introducing a new 'np' tag for non-existent subdomain policy.
- The 'np' tag definition clashes with RFC 9824, causing it to fail with DNSSEC domains.
- Major DNS providers like Cloudflare, NS1, AWS Route 53, and Azure are affected.
- The issue was acknowledged by the IETF working group, but no solution has been agreed upon.
- DNSSEC usage is not widespread, but the issue impacts all domains using DNSSEC with the affected providers.
DMARC's New 'NP' Tag Fails with DNSSEC
The IETF's updated DMARC specification has introduced a new 'np' tag to handle non-existent subdomains, but its definition clashes with RFC 9824. This causes the tag to malfunction with DNSSEC domains, affecting major DNS providers like Cloudflare and AWS Route 53.
The issue was acknowledged by the IETF working group, but no solution has been agreed upon. DNSSEC usage is not widespread, but the issue impacts all domains using DNSSEC with the affected providers.
The 'np' tag is part of the updated DMARC specification, which was published in May 2026. The specification consists of three documents, including RFC 9989, which introduces the new 'np' tag. However, the definition of 'non-existent domain' in RFC 9989 clashes with RFC 9824, causing the 'np' tag to fail.
The affected DNS providers include Cloudflare, NS1, AWS Route 53, and Azure. The issue has significant implications for domains using DNSSEC, as it can lead to security vulnerabilities and email delivery issues.
Sources
The WireByte editorial team synthesises technology news from multiple primary sources, verifies the facts, and links every source. Articles are produced with AI assistance and reviewed under our editorial policy.