Why DMARC's new "np" tag can fail with DNSSEC
- The recently updated DMARC specification, published as RFC 9989, introduces the new np tag.
- Its purpose is to specify the policy that receivers should apply when the sender domain is a non-existent subdomain of the domain where the DMARC record is published.
- We discovered that the definition of “non-existent domain” contained in RFC 9989 clashes with another recent specification, RFC 9824, known as ”Compact Denial of Existence in DNSSEC”, resulting in the np tag not always working as expected.
Unverified
- The recently updated DMARC specification, published as RFC 9989, introduces the new np tag.
- Its purpose is to specify the policy that receivers should apply when the sender domain is a non-existent subdomain of the domain where the DMARC record is published.
- We discovered that the definition of “non-existent domain” contained in RFC 9989 clashes with another recent specification, RFC 9824, known as ”Compact Denial of Existence in DNSSEC”, resulting in the np tag not always working as expected.
Sources: Dmarcwise