DMARC is now a formal internet standard for e-mail security

What’s changing with the new RFCs?


Just over a year ago, we reported an important update to DMARC, the internet standard that helps protect against phishing and e-mail spoofing. That update has now been formally adopted.

For organisations that are already using DMARC, very little will change. Nevertheless, the new standard’s adoption is an important milestone in the development of e-mail security.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting and Conformance) helps a receiving mail server to verify that an incoming message does actually come from the claimed sender.

The standard builds upon 2 other e-mail authentication technologies, namely SPF and DKIM. DMARC also allows a domain name’s registrant to advise receiving mail servers what they should do with messages that fail authentication. So, for example, recipients can be advised to deliver the mail anyway, to mark it as spam, or to reject it.

DMARC therefore makes it harder for malicious actors to abuse domain names for phishing or other forms of e-mail fraud.
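To make the mechanism described above concrete, here is a small added example (not SIDN's code and not part of the original article) of the decision a receiving mail server makes: it takes the SPF and DKIM results already computed for a message, checks whether the authenticated domains line up with the domain in the From header, and then applies the registrant's published policy. The sample messages, domains and the two-label organisational-domain shortcut are constructed for this example; real receivers derive the organisational domain from the Public Suffix List (RFC 7489) or the DNS tree walk of the new specification.

```python
"""Added example: combining SPF, DKIM and a DMARC policy into a verdict.

This is a simplified model written for illustration, not SIDN's code.
"""

from dataclasses import dataclass, field


def organizational_domain(domain: str) -> str:
    """Simplification (assumption of this example): the organisational domain
    is taken to be the last two labels. Production receivers use the Public
    Suffix List (RFC 7489) or the DNS tree walk of the revised standard."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment between the From header domain and the domain
    that SPF or DKIM actually authenticated.
    mode 's' (strict)  -> exact match required
    mode 'r' (relaxed) -> same organisational domain is enough (the default)
    """
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if not b:
        return False
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


@dataclass
class AuthResults:
    """Authentication results a receiver has already produced for one message."""
    from_domain: str                      # domain in the RFC5322.From header
    spf_result: str                       # "pass", "fail", "none", ...
    spf_domain: str                       # domain SPF was evaluated for (MAIL FROM)
    dkim_results: list = field(default_factory=list)  # (result, d= domain) pairs


def dmarc_evaluate(auth: AuthResults, policy: dict) -> dict:
    """Apply a parsed DMARC record (e.g. {"p": "reject", "aspf": "r"}).

    DMARC passes when at least one of SPF or DKIM both passed AND is aligned
    with the From domain. On failure the requested policy becomes the
    disposition: none (deliver), quarantine (mark as spam) or reject."""
    aspf = policy.get("aspf", "r")
    adkim = policy.get("adkim", "r")

    spf_ok = auth.spf_result == "pass" and aligned(auth.from_domain, auth.spf_domain, aspf)
    dkim_ok = any(
        result == "pass" and aligned(auth.from_domain, d_domain, adkim)
        for result, d_domain in auth.dkim_results
    )
    passed = spf_ok or dkim_ok
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "disposition": "none" if passed else policy.get("p", "none"),
    }


if __name__ == "__main__":
    # Constructed sample: a genuine message whose bounce address lives on a
    # subdomain. Relaxed SPF alignment accepts it even though DKIM failed.
    genuine = AuthResults("example.com", "pass", "bounce.example.com", [("fail", "example.com")])
    print(dmarc_evaluate(genuine, {"p": "reject"}))

    # Constructed sample: a message claiming to be From example.com but sent
    # via an unrelated domain. SPF passes for that other domain, yet nothing
    # aligns with example.com, so the published policy (reject) applies.
    spoofed = AuthResults("example.com", "pass", "other.example", [])
    print(dmarc_evaluate(spoofed, {"p": "reject"}))
```

The second sample is the case DMARC exists for: SPF on its own is satisfied, because the sending domain really did authorise the sending server, but the domain in the From header is not the one that was authenticated. Alignment is what turns two per-domain checks into a statement about the address the recipient actually sees.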

For detailed information about how DMARC works, see our earlier article.

Proven technology

DMARC was first defined back in 2015, in RFC 7489. Remarkably, that specification didn’t originally have the status of a formal internet standard, but was published as an ‘informational RFC’.

In the years that followed, DMARC grew to become one of the most important e-mail security standards. Today, it’s used by big e-mail service providers, governments and other organisations all around the world to protect their domain names against abuse.

The internet community therefore decided it was time to put DMARC on a more formal footing. The standard has been updated and re-published as an IETF standard.

How does the update differ from the old version?

The original 2015 specification has been replaced by 3 new RFCs.

RFC 9989 defines how DMARC itself works. Then the reporting functions are covered by 2 separate documents: RFC 9990 defines the ‘aggregate reports’, which provide registrants with information about all the e-mail traffic sent using their domain names. Meanwhile, RFC 9991 covers ‘failure reports’, detailing the individual e-mail messages that failed authentication.

The new documents mainly provide clarifications and refinements based on 10-plus years of practical experience. Certain elements of the old standard that were rarely used have been simplified or removed. Also, a number of ambiguous aspects of the old specification have been clarified.

Most organisations that have already implemented DMARC will not have to change much. And the majority of existing DMARC records will continue to work without modification.

Why is the update important?

The new publication demonstrates that DMARC is now a mature standard.

While the original specification mainly described how the technology worked, DMARC has now been formally incorporated into the IETF’s standardisation programme, providing a solid basis for future refinement.

Formalisation can also serve as a trigger for organisations that don’t yet use DMARC to adopt it. The standard is widely accepted, supported by the big mail service providers, and an important tool for combatting phishing and domain name abuse.

Getting started with DMARC

Want to implement DMARC or check whether your domain is properly protected? Visit our e-mail security page for practical information about DMARC, SPF, DKIM and other modern e-mail security standards.

SIDN promotes the use of those standards through its Registrar Scorecard scheme, which rewards registrars for configuring the domain names they host to support modern internet standards.

NB: at the time of writing, Internet.nl doesn’t support all elements of the new DMARC standard (RFC 9989). Consequently, some DMARC records that are valid under the new standard will cause a test fail on Internet.nl. The site’s DMARC checker will probably be updated in due course.

What technical changes are being made to DMARC?

For the most part, the new DMARC specification will be compatible with existing implementations, and existing DMARC records will continue to work. Nevertheless, the updated standard does feature a number of technical changes.

3 new tags have been added:

  • np (non-existent subdomain policy): allows a separate policy to be defined for subdomains that don’t exist, making it harder to abuse a fabricated subdomain for spoofing.

  • t (testing mode): supports the controlled introduction of stricter DMARC policy rules, so that the effect of a new rule can be tested before it’s enforced.

  • psd (public suffix domain): intended for the operators of public domain structures, e.g. top-level domains and other such environments.

At the same time, a number of tags that in practice were rarely used or supported have been withdrawn. The tags in question are pct (percentage policy), rf (report format) and ri (report interval).
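The following added example (again written for this article, not SIDN's or Internet.nl's checker code) parses a DMARC TXT record and reports how its tags fare under the revised tag set: the three new tags are recognised, the three withdrawn tags are flagged as ignored rather than treated as errors, and policy values are checked. The defaulting of np to sp, and of sp to p, follows the specifications; treating a missing p as "none" and the example records themselves are assumptions and constructed data for this illustration.

```python
"""Added example: checking a DMARC record against the revised tag set.

Written for illustration; not the code of any real DMARC checker.
"""

NEW_TAGS = {"np", "t", "psd"}          # introduced by the revised specification
WITHDRAWN_TAGS = {"pct", "rf", "ri"}   # in RFC 7489, dropped in the new RFCs
KNOWN_TAGS = {"v", "p", "sp", "adkim", "aspf", "fo", "rua", "ruf"} | NEW_TAGS

POLICY_VALUES = {"none", "quarantine", "reject"}


def parse_dmarc_record(txt: str) -> dict:
    """Split 'tag=value; tag=value' into an ordered dict of lower-cased tag names."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue                       # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def check_dmarc_record(txt: str) -> dict:
    """Validate a record and explain which tags the new standard still honours."""
    tags = parse_dmarc_record(txt)
    problems, notes = [], []

    # The version tag must come first and carry exactly the value DMARC1.
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        problems.append("record must start with v=DMARC1")

    p = tags.get("p")
    if p is None:
        # Assumption of this example: treat a missing policy as 'none'.
        notes.append("no p tag; treating as p=none")
        p = "none"
    elif p not in POLICY_VALUES:
        problems.append(f"invalid policy value p={p}")

    # sp defaults to p; the new np tag defaults to sp.
    sp = tags.get("sp", p)
    np = tags.get("np", sp)
    for name, value in (("sp", sp), ("np", np)):
        if value not in POLICY_VALUES:
            problems.append(f"invalid policy value {name}={value}")

    # New tags: t (testing mode) is y/n, psd (public suffix domain) is y/n/u.
    if tags.get("t", "n") not in {"y", "n"}:
        problems.append(f"invalid t={tags['t']} (expected y or n)")
    if tags.get("psd", "u") not in {"y", "n", "u"}:
        problems.append(f"invalid psd={tags['psd']} (expected y, n or u)")

    for tag in tags:
        if tag in WITHDRAWN_TAGS:
            notes.append(f"{tag}= is withdrawn in the new specification and is ignored")
        elif tag not in KNOWN_TAGS:
            notes.append(f"unknown tag {tag}= ignored")

    return {
        "valid": not problems,
        "policy": p,
        "subdomain_policy": sp,
        "nonexistent_subdomain_policy": np,
        "testing": tags.get("t", "n") == "y",
        "problems": problems,
        "notes": notes,
    }


if __name__ == "__main__":
    # Constructed records: an older-style record carrying pct=100, and a
    # record that uses the new np and t tags.
    for record in (
        "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com; pct=100",
        "v=DMARC1; p=quarantine; np=reject; t=y",
    ):
        print(record, "->", check_dmarc_record(record))
```

The first constructed record is the common case the article describes: it was written for the old standard and still works, because an unrecognised or withdrawn tag is simply ignored rather than invalidating the record. The second shows the new tags doing the job pct used to do badly: t=y marks the stricter policy as being in testing, and np=reject closes the gap for subdomains that were never created.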

For most domain owners, therefore, little is changing. The main benefits of the update are greater clarity and improved support for modern e-mail environments.