r/DMARC

▲ 6 r/DMARC

Full list of changes in RFC 9989–9991 + the IETF WG debate

Hi, having followed the IETF work around DMARCbis, I've published a list of changes in the new DMARC RFCs compared to the original spec from 2015.

I've also included some context and excerpts from the working group debate, which shows why some decisions may be surprising:

https://dmarcwise.io/blog/new-dmarc-2026

I'm personally still skeptical that changes like replacing pct with t are worth it, as we'll now have to use both to ensure compatibility with both specs, likely forever.

I also feel there may not be enough practical guidance around the use of the new psd tag, especially psd=n vs psd=u. The definition of the tag tells you to go read the tree walk algorithm, which isn't as straightforward as the PSL (nobody's going to read 40+ paragraphs of text).

What do you think?

dmarcwise.io
u/pampurio97 — 9 hours ago
▲ 6 r/DMARC

Bank of America’s BIMI VMC certificate appears to have expired

https://preview.redd.it/91sawbw76h2h1.jpg?width=1786&format=pjpg&auto=webp&s=e7b36c3b4a1a00b5f5c515144548708ff27f5ac9

I was checking BIMI/VMC validation and noticed that Bank of America’s VMC certificate appears to have expired.

The cert shows an expiration date of May 16, 2026.

Subject: Bank of America Corporation
Issuer: DigiCert Verified Mark RSA4096 SHA256 2021 CA1

Obviously this is not some catastrophic security incident, but it is still interesting. BIMI usually gets treated like a one-time setup project, while the VMC certificate needs the same kind of lifecycle monitoring as TLS certs.

Kind of surprising to see this from a bank of this size.

Anyone else seeing expired VMCs from large brands?

reddit.com
u/digdiver — 10 hours ago
▲ 30 r/DMARC

DMARCbis is now published as RFC 9989, 9990, 9991

After years of work from the IETF working group, the DMARC specification was updated. Three new RFCs are now officially published, replacing the old RFC 7489 from 2015:

DMARC is now an IETF Proposed Standard.

Appendix C of the main document contains a list of changes: https://datatracker.ietf.org/doc/html/rfc9989#name-changes-from-rfc-7489

The main changes are:

  • A general restructuring of the specification, which is now easier to read, with better examples, more guidelines and clearer definitions.
  • A new section specifies the “conformance requirements for full DMARC participation”, helping domain owners and email receivers determine if they’re following the best practices around DMARC.
  • In the DMARC policy record, some tags were removed (pct, rf, ri) and some were added (np, psd, t). Note that this is not considered a breaking change so there is no such thing as DMARC2: DMARC records will continue to start with the v=DMARC1 string.
  • In the context of determining the Organizational Domain, both for DMARC record discovery and identifier alignment, the Public Suffix List mechanism has been replaced with the more flexible (and complex) DNS Tree Walk algorithm.
  • The above changes allow for better support of Public Suffix Domains (PSD), which previously couldn’t fully participate in DMARC.
  • The “indirect email flows” issue, i.e. forwarding and mailing lists breaking DMARC alignment, remains unsolved, with the new specification now discouraging a reject policy when there’s a chance of mailing lists being used as recipients in an organization.
  • Aggregate reporting has been made stricter and the XML report format has been updated to incorporate the new record tags and acknowledge real-world practices. Similar small updates were made to the failure reporting specification, including a new section acknowledging the privacy implications, but it's otherwise unchanged.
reddit.com
u/pampurio97 — 1 day ago
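The first post above worries that pct and t will both have to be published for compatibility, and the post above lists the tags DMARCbis removed (pct, rf, ri) and added (np, psd, t). The following is an added example, not code from either post or from the RFCs: it parses a DMARC record and evaluates it as an RFC 7489 receiver and as a DMARCbis receiver would, then flags records whose meaning differs between the two. It assumes the usual reading that t=y means the policy is not applied, and that a DMARCbis receiver simply ignores pct.

```python
"""Parse a DMARC TXT record and evaluate it under both the RFC 7489 and
DMARCbis (RFC 9989) tag sets, so a record can be checked for compatibility."""

RFC7489_ONLY = {"pct", "rf", "ri"}   # tags removed by DMARCbis
DMARCBIS_ONLY = {"np", "psd", "t"}   # tags added by DMARCbis
STEP_DOWN = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; ...' into a dict; v=DMARC1 must come first, p is required."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags.setdefault(key.strip().lower(), value.strip())  # first occurrence wins
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1 (there is no DMARC2)")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p tag is required and must be none/quarantine/reject")
    return tags


def effective_policy(tags, spec, subdomain=False, exists=True, selected=True):
    """Disposition a receiver reading the record as `spec` ('rfc7489' or 'dmarcbis')
    requests for a failing message. `selected` models RFC 7489 pct sampling."""
    policy = tags["p"]
    if subdomain:
        if spec == "dmarcbis" and not exists and "np" in tags:
            policy = tags["np"]          # np: non-existent subdomains (new tag)
        elif "sp" in tags:
            policy = tags["sp"]
    if spec == "rfc7489":
        # pct: messages not picked by sampling get the next less strict policy
        pct = int(tags.get("pct", "100"))
        if pct < 100 and (pct == 0 or not selected):
            policy = STEP_DOWN[policy]
    elif tags.get("t", "n") == "y":
        policy = "none"                  # t=y: testing mode, policy not applied (assumed reading)
    return policy


def compat_warnings(tags):
    """Flag records whose meaning differs between old and new receivers."""
    warnings = []
    if "pct" in tags and "t" not in tags:
        warnings.append("pct without t: DMARCbis receivers ignore pct and enforce fully")
    if "t" in tags and "pct" not in tags:
        warnings.append("t without pct: RFC 7489 receivers ignore t and enforce fully")
    if "np" in tags and "sp" not in tags:
        warnings.append("np without sp: RFC 7489 receivers use p for non-existent subdomains")
    return warnings
```

Running it over a legacy record such as v=DMARC1; p=reject; pct=0 shows the gap the first post describes: an old receiver steps it down to quarantine, a DMARCbis receiver enforces reject outright.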
▲ 8 r/DMARC

DMARC set to reject, mailbox still full of bounces. Here's why.

https://preview.redd.it/2nfkdzj5d82h1.png?width=2048&format=png&auto=webp&s=f3d1cb6a83b0980f428fbef62e3ab9b793274d76

SPF + DKIM + DMARC at p=reject is supposed to close the door. Our support@ inbox is not getting the memo.

Setup:

  • SPF is strict, only our own IPs
  • DKIM on all outbound
  • DMARC p=reject

Still getting NDRs for emails we never sent.

It's backscatter

The config isn't the issue. The issue is ancient mail servers (think government agencies, university IT, budget shared hosting) running Exim or Postfix builds nobody's looked at since Obama's first term.

Spammer forges our From address. The old server accepts the message without touching SPF or DMARC during the SMTP session. Then discovers the recipient doesn't exist. Then dutifully sends a bounce to the From address. That's us now.

Not malicious. Just genuinely out of date.

Options are limited

You can't reach into someone else's mail server config. What you can do: filter NDRs hard on your end, add the bounce patterns to your spam rules, and make peace with the fact that some of this just comes with having a domain.

Modern cloud providers are getting better about rejecting fakes at the SMTP layer, so the problem should shrink over time. Eventually. Maybe.

Curious if anyone's found filtering rules that actually work here.

reddit.com
u/digdiver — 1 day ago
▲ 1 r/DMARC

Interpreting Cloudflare reports

I have a relatively new domain, using Cloudflare as the domain, DNS, and DMARC manager. Using Google Workspace (Gmail) for email. Currently have p=none as the domain is new and consequently low reputation.

I'm trying to interpret the Cloudflare DMARC management reports. For example, we have very high DMARC pass rate from Google and 100% failure with Amazon.

https://preview.redd.it/4663hqcx6s1h1.png?width=2040&format=png&auto=webp&s=e5ce5c3252321f1ed25dc673a6743a21e06bd7ea

Clicking on the Amazon.com link gives me the below list. Not sure how to interpret this? We don't use Amazon for any email service that I know of. I'm also curious about the Reporter column "Enterprise Outlook." Could this be an employee trying to use the Outlook desktop client?

https://preview.redd.it/52lz44887s1h1.png?width=1690&format=png&auto=webp&s=d28a83223a86c2910662c5a922eb6a5478e7f095

The Google pass rate is very high, but even there, is there any troubleshooting I can do to find out why there are a few emails that fail DMARC?

reddit.com
u/Ener_Ji — 4 days ago
▲ 36 r/DMARC

Do not advertise here.

Guys, this has to stop.

Every post where someone is asking for implementation help with a tool they are already using, 70-80% of comments are telling the person to "just use X or Y product".

Let me be clear - This subreddit is not a space to advertise your SaaS.

We have a FAQ that contains a list of all solutions available - if someone legitimately needs this guidance, link them to the FAQ.

reddit.com
u/lolklolk — 3 days ago
▲ 3 r/DMARC+2 crossposts

Completely confused about cold email infrastructure - domain warming, mailboxes, and DNS setup

Hey everyone - setting up cold outbound for our early-stage startup (4 domains ready to go) and I'm hitting a wall trying to understand how all the pieces fit together. Non-technical founder here so apologies if these are basic questions.

Background:
We have 4 domains registered specifically for outbound and sitting in Cloudflare. Planning to launch cold outbound this summer. I've been told we need to "warm up the domains" before sending, use a tool like Instantly for campaigns, and figure out mailboxes. That's where I'm lost. My questions:

On domain warming:
What does "warming a domain" actually mean? Like what's happening mechanically?
When people say warm a domain, do they mean warming @domain (the domain) or warming name@domain (a specific mailbox)?
How does Instantly (or any warming tool) actually do this? What's the process behind the scenes?
If domain is just DNS sitting in Cloudflare, why does which mailbox provider I use even matter for warming?

On mailboxes and infrastructure:
Can I warm using one provider (like Zoho Mail - they're free for small businesses) and then switch to sending from Google Workspace once it's warmed? Does the reputation transfer?
Can the same email address exist on both Zoho and Google Workspace at the same time? Or can it only live in one place?
I keep hearing about providers like Winnr, Mailforge, etc. - what are these and how do they compare to just using Google Workspace?
If Winnr provides mailboxes AND has built-in warming, why would I still need Instantly?

On the technical setup:
We already added SPF, DMARC, and MX records to all 4 domains. Can someone ELI5 what SPF and DKIM actually do?
Can I start warming with Instantly before connecting actual mailboxes? Or does warming require live inboxes?
Why do I need to check existing DNS records before adding new ones? What breaks if I don't?

On doing this at scale:
This whole process seems incredibly tedious (set up mailboxes, warm each one for 2-4 weeks, configure DNS for each domain).
How do startups actually do this at scale without losing their minds?
For 4 domains doing cold outbound, how many mailboxes would you typically set up per domain?

Honestly just trying to understand the architecture here. Feels like there are 5 different tools doing overlapping things and I can't figure out which ones I actually need vs which are optional.

Any clarity would be massively helpful. Thanks in advance.

reddit.com
u/Mysterious_Heart9632 — 5 days ago
▲ 23 r/DMARC+1 crossposts

The company I work for (DMARCeye) just released a Q1 report focusing on DMARC-engaged domains. Title of the post was the main key finding. I think the charts are fun to look at so I thought it would be worth sharing the link (no gating or other business tricks, just info).

Other key findings are that 1) Compliance rises sharply with sending volume (domains sending under 100 emails per month average 62% compliance; domains sending over 10M average 99.8%), probably because bigger senders are forced into compliance. 2) 94% of domains at p=reject enforce at 100% from day one - i.e. the pct mechanism was rarely used in practice, which is probably why DMARCbis plans to remove it.

research.dmarceye.com
u/Jack_Mana — 10 days ago
▲ 7 r/DMARC

I work for a company that sends tens of thousands of mails every month. They reported that they have received spam, and so we contacted our web host to modify our DMARC from Quarantine to Reject.

The thing is, the week after that change a user reported that their mail to some companies in Asia was rejected, bounced, or never arrived. Did some basic tests, telnet, Test-NetConnection, and that server was down or having problems; reported the case.

Next day the server is up, but they report the same problem with another company from Europe. Same tests, server is up, so I got the email resent to me to see the internet headers:

DKIM=none
SPF=pass

In MxToolBox when I check the subdomain IP addresses, both hostnames say they don't support TLS. I checked our web hosting; we do have TLS on certain ports. And lastly, one says Reverse DNS doesn't match SMTP Banner and doesn't contain the hostname.

Tldr; I'm fucking lost. I got this job as TI due to being a programmer and wanting to get experience, but networking I haven't seen in years.

reddit.com
u/No-Hotel1162 — 13 days ago