July 5, 2026
DNS drama: ghost domains strike back
Why DMARC's new "NP" tag can fail with DNSSEC
Email’s new anti-fake rule is already in trouble, and commenters are absolutely roasting it
TLDR: A new email anti-spoofing rule can break for sites using a popular security feature, including those on big-name DNS providers. Commenters are split between blaming provider shortcuts and saying the rule itself makes little sense, turning a standards update into a surprisingly juicy tech pile-on.
The internet’s email gatekeepers just rolled out a new rule meant to crack down on fake messages from made-up subdomains — think bogus addresses pretending to come from unused corners of a company’s website. In theory, the new np setting in the latest DMARC standard should let site owners say, “If this subdomain doesn’t exist, reject the mail.” In practice? The comments section basically turned into a digital food fight over why it can quietly fail when paired with DNSSEC, the security system meant to make website address lookups more trustworthy.
The spiciest reaction came from readers arguing this is less a DNSSEC disaster and more a provider shortcut scandal. One commenter accused major DNS companies of giving the “wrong” kind of answer on purpose because it’s smaller, faster, and avoids extra hassle — which, if true, makes this feel less like a bug and more like a convenience-driven plot twist. Others took aim at the new rule itself, saying the whole idea is weirdly designed: if a subdomain clearly exists for a website, why should email treat it like a ghost town just because it lacks mail records?
And then came the dry humor. Some readers basically shrugged and said many mail servers already distrust domains that can’t receive mail, so this new feature feels like a fix for a corner case in search of a bigger audience. Translation: important standard, messy reality, and the crowd is not impressed. The mood is very much “how did the experts ship this?” with a side of “classic internet standards drama, no notes.”
Key Points
- •RFC 9989 adds the DMARC `np` tag to specify policy for non-existent subdomains.
- •RFC 9989 defines a non-existent domain using RFC 8020 semantics: a query must return `NXDOMAIN`.
- •The article says this definition conflicts with RFC 9824, "Compact Denial of Existence in DNSSEC," causing `np` to fail in some DNSSEC cases.
- •The reported issue affects domains that use DNSSEC with major providers including Cloudflare, NS1, AWS Route 53, and Azure.
- •The authors raised the issue with the IETF DMARC working group, which acknowledged the problem but did not agree on a solution.