<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Iovo</title>
    <description>The latest articles on DEV Community by Iovo (@iovo).</description>
    <link>https://dev.to/iovo</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4017944%2F38b0ac2f-071f-4624-8df0-8d5205542fc9.png</url>
      <title>DEV Community: Iovo</title>
      <link>https://dev.to/iovo</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/iovo"/>
    <language>en</language>
    <item>
      <title>DMARC Just Got 3 New RFCs. Your DNS Record Doesn't Need to Change.</title>
      <dc:creator>Iovo</dc:creator>
      <pubDate>Mon, 06 Jul 2026 14:37:22 +0000</pubDate>
      <link>https://dev.to/iovo/marc-just-got-3-new-rfcs-your-dns-record-doesnt-need-to-change-4j7m</link>
      <guid>https://dev.to/iovo/marc-just-got-3-new-rfcs-your-dns-record-doesnt-need-to-change-4j7m</guid>
      <description>&lt;p&gt;If you've ever pasted &lt;code&gt;v=DMARC1; p=reject;&lt;/code&gt; into a TXT record and moved on with your life, here's something worth two minutes: the spec behind that record just changed. Not the syntax — the actual standard.&lt;/p&gt;

&lt;h2&gt;
  
  
  The old situation
&lt;/h2&gt;

&lt;p&gt;For over a decade, DMARC lived in &lt;strong&gt;RFC 7489&lt;/strong&gt;, published back in 2015 as &lt;em&gt;Informational&lt;/em&gt; — meaning it documented existing practice rather than being a formal Internet Standard. Every DMARC implementation since then has effectively been building against a well-written but non-binding memo.&lt;/p&gt;

&lt;h2&gt;
  
  
  What changed
&lt;/h2&gt;

&lt;p&gt;The IETF's DMARC working group (nicknamed "DMARCbis" internally — more on that name in a second) split the spec into three separate documents, all promoted to full Standards Track:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;RFC&lt;/th&gt;
&lt;th&gt;Covers&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;RFC 9989&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Core DMARC spec — policy syntax, alignment rules, how receivers apply &lt;code&gt;p=&lt;/code&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;RFC 9990&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Aggregate (&lt;code&gt;rua&lt;/code&gt;) report format and handling&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;RFC 9991&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Failure (&lt;code&gt;ruf&lt;/code&gt;) report format and handling&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Splitting it this way means aggregate reporting can evolve without reopening the core policy syntax — the kind of change a working group makes after ten years of real-world deployment has shown exactly where the seams are.&lt;/p&gt;

&lt;h2&gt;
  
  
  What you actually need to do
&lt;/h2&gt;

&lt;p&gt;For most people running an existing DMARC record: &lt;strong&gt;nothing.&lt;/strong&gt; &lt;code&gt;v=DMARC1&lt;/code&gt; is unchanged. &lt;code&gt;p=none&lt;/code&gt; / &lt;code&gt;quarantine&lt;/code&gt; / &lt;code&gt;reject&lt;/code&gt; are unchanged. Your record is already compliant with the new RFCs as written.&lt;/p&gt;

&lt;p&gt;Two things worth checking anyway:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;If you're still at &lt;code&gt;p=none&lt;/code&gt;&lt;/strong&gt; years after your initial rollout — this is a fine excuse to actually check your aggregate reports and move to &lt;code&gt;quarantine&lt;/code&gt; or &lt;code&gt;reject&lt;/code&gt;. &lt;code&gt;p=none&lt;/code&gt; collects data but enforces nothing.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;If you built any tooling that parses DMARC records or reports&lt;/strong&gt;, double check it doesn't hardcode a reference to RFC 7489 in a way that would confuse anyone reading your docs. RFC 7489 is now formally obsoleted (though still technically resolvable, just marked historic).&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  The naming trap
&lt;/h2&gt;

&lt;p&gt;"DMARCbis" is the working group's internal nickname for this update effort. It is &lt;strong&gt;not&lt;/strong&gt; a new protocol, and you will not see &lt;code&gt;v=DMARCbis1&lt;/code&gt; in a DNS record anywhere. If you see content using "DMARCbis" as if it's a distinct standard from DMARC — that's a sign the writer conflated the working-group nickname with the actual spec name. The standard is still called DMARC. It always was.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why this matters beyond trivia
&lt;/h2&gt;

&lt;p&gt;If you're maintaining documentation, internal wikis, or onboarding material that cites DMARC's spec — updating the RFC reference from 7489 to 9989 (plus 9990/9991 for reporting) is a small, correct thing to fix. It's also a decent signal, if you're writing publicly about this, that your content is current — a lot of existing "how DMARC works" articles online still only cite 7489 and haven't caught up.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;I put together a full reference on the entire email authentication stack (SPF, DKIM, DMARC, ARC, BIMI) with real header examples throughout, if anyone wants to go deeper — &lt;a href="https://emaildecoded.wiki" rel="noopener noreferrer"&gt;Email Decoded&lt;/a&gt;. Happy to answer questions on DMARC, ARC, or email forensics in the comments.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>email</category>
      <category>webdev</category>
      <category>dns</category>
    </item>
  </channel>
</rss>
