HomeNewsIETF Publishes RFC 9989 DMARC Standard in May 2026
Email Deliverability

IETF Publishes RFC 9989 DMARC Standard in May 2026

IETF officially published RFC 9989 in May 2026, upgrading DMARC to Proposed Standard status. The update improves spoofing prevention and email authentication with clarified terminology and stronger subdomain protection.

J

James Chen

May 22, 2026

HomeNewsIETF Publishes RFC 9989 DMARC Standard in May 2026
Email Deliverability

IETF Publishes RFC 9989 DMARC Standard in May 2026

IETF officially published RFC 9989 in May 2026, upgrading DMARC to Proposed Standard status. The update improves spoofing prevention and email authentication with clarified terminology and stronger subdomain protection.

J

James Chen

May 22, 2026

6 min read
6 min read
Share:
Share:
#Compliance#DKIM#SPF
#Compliance#DKIM#SPF
Illustration for new_technology: IETF Publishes RFC 9989 DMARC Standard in May 2026
Illustration for new_technology: IETF Publishes RFC 9989 DMARC Standard in May 2026

Stay in the loop

Get the latest posts delivered straight to your inbox. No spam, unsubscribe anytime.

On May 20, 2026, the Internet Engineering Task Force published RFC 9989, formally replacing the 2015 DMARC specification and moving the protocol from an informational document to an official Internet Standards Track designation. For businesses, marketers, and growth teams, this shift carries direct implications: the rules governing how your emails are authenticated, delivered, and protected from impersonation just received their most significant update in over a decade.

What RFC 9989 Actually Changes

RFC 9989 is a Standards Track document published in May 2026. It obsoletes both RFC 7489 and RFC 9091, and is a product of the IETF community with approval from the Internet Engineering Steering Group. The update is part of a three-document release. The updated specification, known as DMARCbis, is split into three dedicated documents: RFC 9989 covers the core DMARC mechanism, and RFC 9990 governs aggregate reporting.

This is not a major redesign. The protocol works largely the same way, DMARC records still begin with v=DMARC1, and most domain owners will not need to change existing policies. RFC 9989 primarily clarifies terminology, tightens definitions, and standardizes behavior that had previously been implemented inconsistently.

The most technically significant change is how receiving servers determine your organizational domain. RFC 9989 replaces the Public Suffix List approach with a DNS Tree Walk algorithm, which affects both DMARC policy discovery and identifier alignment under relaxed settings. Under RFC 7489, implementations used a Public Suffix List to determine the organizational domain, but the RFC did not mandate a specific source or update strategy, resulting in inconsistent behavior across implementations.

Despite how comprehensive this update is, DMARCbis introduces no breaking changes. The new tags and revised rules are built so that servers running the legacy standard can safely ignore them without errors.

Why Formalization Matters for Email Deliverability

The move to Standards Track is not just administrative. With RFC 9989, DMARC has officially achieved IETF Proposed Standard status. In practice, this means mailbox providers worldwide will interpret and implement the protocol more consistently, with clearer definitions, better examples, and more actionable guidance for administrators.

Stay in the loop

Get the latest posts delivered straight to your inbox. No spam, unsubscribe anytime.

On May 20, 2026, the Internet Engineering Task Force published RFC 9989, formally replacing the 2015 DMARC specification and moving the protocol from an informational document to an official Internet Standards Track designation. For businesses, marketers, and growth teams, this shift carries direct implications: the rules governing how your emails are authenticated, delivered, and protected from impersonation just received their most significant update in over a decade.

What RFC 9989 Actually Changes

RFC 9989 is a Standards Track document published in May 2026. It obsoletes both RFC 7489 and RFC 9091, and is a product of the IETF community with approval from the Internet Engineering Steering Group. The update is part of a three-document release. The updated specification, known as DMARCbis, is split into three dedicated documents: RFC 9989 covers the core DMARC mechanism, and RFC 9990 governs aggregate reporting.

This is not a major redesign. The protocol works largely the same way, DMARC records still begin with v=DMARC1, and most domain owners will not need to change existing policies. RFC 9989 primarily clarifies terminology, tightens definitions, and standardizes behavior that had previously been implemented inconsistently.

The most technically significant change is how receiving servers determine your organizational domain. RFC 9989 replaces the Public Suffix List approach with a DNS Tree Walk algorithm, which affects both DMARC policy discovery and identifier alignment under relaxed settings. Under RFC 7489, implementations used a Public Suffix List to determine the organizational domain, but the RFC did not mandate a specific source or update strategy, resulting in inconsistent behavior across implementations.

Despite how comprehensive this update is, DMARCbis introduces no breaking changes. The new tags and revised rules are built so that servers running the legacy standard can safely ignore them without errors.

Why Formalization Matters for Email Deliverability

The move to Standards Track is not just administrative. With RFC 9989, DMARC has officially achieved IETF Proposed Standard status. In practice, this means mailbox providers worldwide will interpret and implement the protocol more consistently, with clearer definitions, better examples, and more actionable guidance for administrators.

For marketers, consistent implementation across providers translates directly to more predictable inbox placement. The deliverability stakes here are significant. According to Digital Applied's 2026 email marketing analysis, the inbox placement gap between authenticated and unauthenticated senders is 45 percentage points. Fully authenticated domains (SPF + DKIM + DMARC) achieve a 2.7x higher likelihood of inbox placement compared to unauthenticated emails.

Email marketing delivers an average return of $36 to $42 for every dollar spent, consistently outperforming paid ads, social media, and SEO as the highest-ROI marketing channel. But that return depends entirely on whether your emails actually reach the inbox.

The Enforcement Gap That Still Needs Closing

Despite the protocol's maturity, adoption without enforcement remains the dominant pattern. The EasyDMARC 2026 DMARC Adoption Report found that global DMARC adoption has reached 52.1% of the top 1.8 million domains, up from 47.7% in 2025. But of the 937,931 domains with valid DMARC records, more than half remain stuck at p=none, the monitoring-only policy that provides zero protection against spoofing.

DMARC pass rates hit 88.99% globally in Q1 2026, up from 86.42% in Q1 2025, but pass rate and enforcement policy are different things. DMARC adoption among email-sending domains sits at 64%, meaning over a third still have no DMARC policy at all.

The major mailbox providers have already drawn a hard line. Google, Yahoo (February 2024), Microsoft (May 2025), and La Poste (September 2025) now require SPF, DKIM, and DMARC authentication for bulk email senders. Non-compliant emails will be rejected or sent to spam. As of November 2025, Gmail actively rejects non-compliant emails at the SMTP level.

The business consequence of ignoring this is measurable. Microsoft Office 365 inbox placement dropped 26.7 percentage points year-over-year, and Outlook/Hotmail dropped 22.6 percentage points. Organizations sending 1 million or more emails monthly experienced a 22.35 percentage point decline in inbox placement, dropping to just 27.63%.

What Business Owners and Marketers Should Do Now

The RFC 9989 publication closes a long-standing ambiguity in how DMARC should behave across different mail systems. For practical purposes, the protocol you implement today looks the same as before, but the enforcement and reporting infrastructure is now built on a stable, unambiguous foundation.

The gap to close is enforcement, not just setup. Moving from p=none to p=quarantine or p=reject is where the protection and deliverability benefits actually materialize. One of the most compelling findings in the EasyDMARC 2025 report is the direct correlation between national DMARC mandates and phishing outcomes. The US, which has government DMARC mandates for federal agencies, saw successful phishing email delivery drop from 69% to 14%. The Netherlands, which lacks enforcement mandates, saw phishing vulnerability increase to 97%.

For marketers, consistent implementation across providers translates directly to more predictable inbox placement. The deliverability stakes here are significant. According to Digital Applied's 2026 email marketing analysis, the inbox placement gap between authenticated and unauthenticated senders is 45 percentage points. Fully authenticated domains (SPF + DKIM + DMARC) achieve a 2.7x higher likelihood of inbox placement compared to unauthenticated emails.

Email marketing delivers an average return of $36 to $42 for every dollar spent, consistently outperforming paid ads, social media, and SEO as the highest-ROI marketing channel. But that return depends entirely on whether your emails actually reach the inbox.

The Enforcement Gap That Still Needs Closing

Despite the protocol's maturity, adoption without enforcement remains the dominant pattern. The EasyDMARC 2026 DMARC Adoption Report found that global DMARC adoption has reached 52.1% of the top 1.8 million domains, up from 47.7% in 2025. But of the 937,931 domains with valid DMARC records, more than half remain stuck at p=none, the monitoring-only policy that provides zero protection against spoofing.

DMARC pass rates hit 88.99% globally in Q1 2026, up from 86.42% in Q1 2025, but pass rate and enforcement policy are different things. DMARC adoption among email-sending domains sits at 64%, meaning over a third still have no DMARC policy at all.

The major mailbox providers have already drawn a hard line. Google, Yahoo (February 2024), Microsoft (May 2025), and La Poste (September 2025) now require SPF, DKIM, and DMARC authentication for bulk email senders. Non-compliant emails will be rejected or sent to spam. As of November 2025, Gmail actively rejects non-compliant emails at the SMTP level.

The business consequence of ignoring this is measurable. Microsoft Office 365 inbox placement dropped 26.7 percentage points year-over-year, and Outlook/Hotmail dropped 22.6 percentage points. Organizations sending 1 million or more emails monthly experienced a 22.35 percentage point decline in inbox placement, dropping to just 27.63%.

What Business Owners and Marketers Should Do Now

The RFC 9989 publication closes a long-standing ambiguity in how DMARC should behave across different mail systems. For practical purposes, the protocol you implement today looks the same as before, but the enforcement and reporting infrastructure is now built on a stable, unambiguous foundation.

The gap to close is enforcement, not just setup. Moving from p=none to p=quarantine or p=reject is where the protection and deliverability benefits actually materialize. One of the most compelling findings in the EasyDMARC 2025 report is the direct correlation between national DMARC mandates and phishing outcomes. The US, which has government DMARC mandates for federal agencies, saw successful phishing email delivery drop from 69% to 14%. The Netherlands, which lacks enforcement mandates, saw phishing vulnerability increase to 97%.

For teams not yet at enforcement, the path is straightforward: audit your current SPF, DKIM, and DMARC records, confirm alignment across all sending sources, review your DMARC aggregate reports, and move your policy progressively toward rejection. The RFC 9989 update improves DMARC interoperability, reporting clarity, internationalization support, and security guidance to strengthen phishing and spoofing protection for domains worldwide. The standard is now formal. The question is whether your domain is ready to meet it.

No comments yet. Be the first!

Leave a comment

Comments are reviewed before publishing.

For teams not yet at enforcement, the path is straightforward: audit your current SPF, DKIM, and DMARC records, confirm alignment across all sending sources, review your DMARC aggregate reports, and move your policy progressively toward rejection. The RFC 9989 update improves DMARC interoperability, reporting clarity, internationalization support, and security guidance to strengthen phishing and spoofing protection for domains worldwide. The standard is now formal. The question is whether your domain is ready to meet it.

No comments yet. Be the first!

Leave a comment

Comments are reviewed before publishing.

Breaking

Related news

Illustration for new_technology: Gmail's New RETVec AI Boosts Spam Detection by 38%
Email DeliverabilityMay 22, 2026 6 min

Gmail's New RETVec AI Boosts Spam Detection by 38%

Google deployed RETVec, an AI spam filter that detects obfuscated spam, improving detection 38% while reducing false positives 19.4%. Here's what email marketers need to know.

Breaking

Related news

Illustration for new_technology: Gmail's New RETVec AI Boosts Spam Detection by 38%
Email DeliverabilityMay 22, 2026 6 min

Gmail's New RETVec AI Boosts Spam Detection by 38%

Google deployed RETVec, an AI spam filter that detects obfuscated spam, improving detection 38% while reducing false positives 19.4%. Here's what email marketers need to know.

R
Rachel Torres
R
Rachel Torres
Illustration for industry_trend: Gmail Spam Filter Collapse Jams 1.8B Inboxes
Email DeliverabilityMay 22, 2026 6 min

Gmail Spam Filter Collapse Jams 1.8B Inboxes

Gmail's spam filters collapsed on Saturday, flooding 1.8 billion inboxes with promotions while blocking legitimate mail. Here's what happened.

RRachel Torres
Illustration for industry_trend: Gmail Spam Filter Collapse Jams 1.8B Inboxes
Email DeliverabilityMay 22, 2026 6 min

Gmail Spam Filter Collapse Jams 1.8B Inboxes

Gmail's spam filters collapsed on Saturday, flooding 1.8 billion inboxes with promotions while blocking legitimate mail. Here's what happened.

RRachel Torres
Illustration for new_technology: Microsoft Account Email Hijacked for Spam in May 2026
Email DeliverabilityMay 22, 2026 6 min

Microsoft Account Email Hijacked for Spam in May 2026

Scammers have exploited Microsoft's official notification address for months to bypass email filters. Here's what email marketers and security teams need to know.

MMarcus Webb
Illustration for new_technology: Microsoft Account Email Hijacked for Spam in May 2026
Email DeliverabilityMay 22, 2026 6 min

Microsoft Account Email Hijacked for Spam in May 2026

Scammers have exploited Microsoft's official notification address for months to bypass email filters. Here's what email marketers and security teams need to know.

MMarcus Webb