TL;DR: DMARC RFC 9989 refines organizational domain discovery, alignment logic, indirect mail handling, and reporting consistency, which should make enforcement outcomes more predictable across mailbox providers, according to Proofpoint. For IAM and security teams, the shift matters because visibility into every sender, subdomain policy, and third-party mail flow becomes the difference between workable enforcement and hidden impersonation risk.
At a glance
What this is: DMARC RFC 9989 updates the standard to make policy evaluation, organizational domain discovery, and reporting more consistent across providers.
Why it matters: This matters because email authentication only protects domain trust when every sender, subdomain, and forwarding path is visible enough to enforce consistently.
👉 Read Proofpoint's analysis of DMARC RFC 9989 and reporting updates
Context
DMARC policy enforcement is only as reliable as the way receivers interpret organizational domains, alignment, and indirect mail flows. When those interpretations vary, domains can appear protected on paper while spoofing or third-party sender gaps remain open in practice. This update is therefore about governance consistency as much as email authentication.
For identity and access teams, the relevance is broader than email alone. DMARC sits inside a wider trust model that depends on knowing which systems are allowed to send as the organisation, how those senders are authenticated, and whether visibility exists across all delegated services and subdomains. That makes this a governance issue for email security, identity verification, and impersonation defence alike.
Key questions
A: Start by inventorying every authorised sender, including marketing, support, and transactional platforms, then validate SPF and DKIM for each one. Move policy gradually from none to quarantine and finally reject, while reviewing DMARC reports for failures. The goal is not faster enforcement, but accurate enforcement that blocks spoofing without disrupting real business mail.
Q: Why do indirect mail flows complicate DMARC enforcement?
A: Forwarding and list services can alter the message path in ways that disrupt SPF or DKIM even when the original sender was legitimate. That makes some DMARC failures transport problems rather than impersonation attempts. Security teams need to map those paths so they can separate delivery breakage from real spoofing risk.
Q: What do security teams get wrong about SPF, DKIM, and DMARC?
A: They often deploy them as isolated email settings instead of treating them as enforcement controls for domain identity. SPF, DKIM, and DMARC only work well when they are tuned together, monitored continuously, and backed by an operational process that responds to failure reports and configuration drift.
Q: Who is accountable when subdomain policy inheritance fails?
A: Accountability sits with the domain owners and the teams that control sender onboarding, policy publication, and receiver testing. DMARC failures are often framed as protocol problems, but inheritance drift usually reflects governance gaps in domain administration, third-party sender management, and change control. Those are ownership questions, not just technical ones.
Technical breakdown
Organizational domain discovery and subdomain policy inheritance
DMARC evaluation begins by deciding which domain is in scope. RFC 9989 standardizes organizational domain discovery so receivers apply the same logic when mapping a subdomain back to its parent policy boundary. That matters because subdomain policy inheritance has historically varied across providers, which created inconsistent pass or fail outcomes even when the sender configuration had not changed. Clearer alignment rules also reduce ambiguity when relaxed and strict matching are used across SPF and DKIM. The practical effect is that policy intent becomes easier to enforce at scale, especially in enterprises with many business units and delegated sending services.
Practical implication: validate parent and subdomain policy boundaries before moving to reject.
Aggregate and forensic reporting now carry more operational detail
RFC 9990 and RFC 9991 separate aggregate and failure reporting into dedicated specifications, which makes reporting more structured and easier to automate. Aggregate reports now carry clearer schema expectations, required selector data, and more consistent context fields. Failure reports, meanwhile, are designed to support message-level investigation but also raise privacy and abuse concerns because they can reveal headers and message content. For security teams, the important change is not just format cleanliness. It is that the reports should be more machine-usable for trend analysis while also demanding tighter controls around secure transport, redaction, and external destination verification.
Practical implication: review parsing, redaction, and destination verification before relying on RUA or RUF at scale.
Indirect mail flows are a core authentication failure mode
Forwarders, mailing lists, and SaaS relay paths often break the original authentication chain by changing envelope details or altering message headers. RFC 9989 gives clearer guidance for these intermediary paths so that policy evaluation is less dependent on idiosyncratic provider behavior. This does not eliminate the underlying challenge, because the message may still travel through systems that were never designed to preserve SPF or DKIM in a transparent way. But it does make the standards landscape more explicit, which helps teams separate genuine sender risk from transport-induced authentication breakage.
Practical implication: map every intermediary mail path before assuming a DMARC failure means a malicious sender.
NHI Mgmt Group analysis
DMARC is becoming a governance control, not just an anti-phishing control. RFC 9989 reduces ambiguity in how receivers interpret policy, but the real effect is to make sender ownership and policy intent harder to hide. That matters because email trust depends on knowing which systems can speak for a domain and whether those systems are still under control. For practitioners, the issue is no longer whether DMARC exists, but whether its enforcement model matches the actual mail estate.
Full DMARC enforcement is increasingly a visibility problem before it is a policy problem. The article correctly points to sender inventory as the gating factor. If an organisation cannot identify every legitimate sender, it cannot distinguish authorised complexity from shadow IT or impersonation risk. That is why the governance challenge sits close to identity management, even though the protocol itself is an email standard. Practitioners should treat sender discovery as part of access governance for the domain.
Indirect delivery paths expose a modern trust gap between policy and transport. Forwarding and list services often sit outside the original authentication design, yet they are now routine in enterprise communications. RFC 9989 does not remove that tension, but it makes the mismatch more visible. The result is that teams must decide whether to preserve deliverability, preserve enforcement, or redesign mail flows so those goals do not conflict. For identity and security leaders, that is a trust architecture decision, not a tuning exercise.
Policy inheritance clarity will force more organisations to confront subdomain sprawl. Many domains were effectively protected by inconsistent receiver behavior rather than by clean policy design. As that ambiguity falls away, weak subdomain governance becomes easier to detect and harder to excuse. The named concept here is DMARC inheritance drift: a gap between intended domain policy and how subdomains actually inherit, apply, or bypass enforcement. Practitioners should inventory subdomains before providers do it for them.
The reporting changes matter because operational maturity now depends on machine-readable evidence. Standardized aggregate and forensic output improves the chance that teams can automate triage, but only if they treat report pipelines as security data flows. That means validating external destinations, controlling exposure of message content, and using the reports to identify persistent sender exceptions rather than one-off noise. For practitioners, the standard raises the bar on both enforcement and evidence handling.
What this signals
DMARC inheritance drift: as receiver behaviour becomes more consistent, policy gaps hidden by permissive interpretation will surface faster. That means teams should expect more authentication failures in estates with unmanaged subdomains, delegated senders, or outdated policy records. The governance work is to reduce ambiguity before the standard exposes it for you.
Teams that already rely on third-party mail services should expect DMARC to behave more like an access control boundary than a deliverability setting. If a sender cannot be inventoried, aligned, and monitored, it cannot be trusted to speak for the domain. That brings email authentication much closer to identity governance than many programmes have historically treated it.
For practitioners
- Revalidate organizational and subdomain policy boundaries Map every published DMARC policy to its parent organizational domain and test whether subdomains inherit the intended enforcement state under RFC 9989 logic.
- Inventory every legitimate sender and relay path Build a current inventory of SaaS mailers, forwarding services, mailing lists, and shadow IT senders, then verify SPF and DKIM alignment for each one.
- Test reject scenarios before switching enforcement Simulate quarantine and reject outcomes across major mailbox providers so teams can see which senders fail only because of inconsistent receiver behavior or intermediary handling.
- Harden report handling before automating analysis Verify RUA and RUF destinations, enforce secure transport, and define redaction rules so aggregate and forensic reports can be used without exposing unnecessary content.
Key takeaways
- DMARC RFC 9989 tightens how domains, subdomains, and indirect flows are evaluated, which makes inconsistent policy design easier to expose.
- The biggest practical issue is visibility into every legitimate sender, not the mechanics of SPF and DKIM alone.
- Teams that want reliable enforcement need sender inventory, subdomain governance, and report handling controls before they move to reject.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | DMARC policy and sender ownership map to access control over domain trust. |
| NIST SP 800-53 Rev 5 | IA-5 | DMARC depends on managing authenticators and their lifecycle across sender systems. |
| CIS Controls v8 | CIS-9 , Email and Web Browser Protections | DMARC strengthens email trust and reduces spoofing across enterprise mail channels. |
| ISO/IEC 27001:2022 | A.5.15 | Access control policy governance aligns with published domain authentication rules. |
| MITRE ATT&CK | TA0001 , Initial Access; TA0006 , Credential Access | Email spoofing and impersonation often support the first stage of intrusion. |
Treat domain senders as controlled assets and enforce authentication before authorizing mail flow.
Key terms
- DMARC Organizational Domain: The organizational domain is the policy boundary DMARC uses to decide which subdomains inherit authentication behavior. In practice, it determines where enforcement begins and ends, so inconsistent discovery logic can create gaps between intended policy and actual receiver behavior.
- DMARC Aggregate Reporting: Aggregate reporting is the high-level DMARC feedback stream that summarizes authentication results across sources and receivers. It is used to spot trends, unknown senders, and policy failures at scale, but it only works when the schema is consistent and the data pipeline is normalized.
- DMARC Forensic Reporting: Forensic reporting provides message-level detail for DMARC failures, allowing teams to investigate individual events rather than broad patterns. Because it can expose headers and message content, it needs tighter privacy, redaction, and destination controls than aggregate reporting.
- Subdomain Policy Inheritance: Subdomain policy inheritance is the way a parent domain's DMARC settings apply, or fail to apply, to its child domains. It is a governance-sensitive area because unclear inheritance can leave subdomains protected differently from what the organisation intended.
What's in the full article
Proofpoint's full article covers the operational detail this post intentionally leaves for the source:
- Side-by-side explanation of RFC 9989, RFC 9990, and RFC 9991 changes for practitioners already operating DMARC.
- Proofpoint's guidance on moving from p=none to quarantine and reject with staged validation.
- Operational detail on sender discovery, third-party mailer onboarding, and report normalisation.
- Practical handling considerations for forwarding, mailing lists, and internationalized domains.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps practitioners connect identity controls to the broader security operations their programmes depend on.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org