Tech 2 min read

Why DMARC's new "NP" tag can fail with DNSSEC

Adding the np tag (the non-existent subdomain policy, defined in RFC 9091 and carried into the DMARCbis revision) to a DMARC record can interact badly with DNSSEC when the signed DNS response is already close to the UDP size limit.

Tier 2 · sources 51% confidence Reviewed
Sources dmarcwise.io

DMARC (Domain-based Message Authentication, Reporting, and Conformance) has gained a new tag, np, which sets the policy for subdomains that do not exist in DNS. The abbreviation is sometimes read as "No Policy", but it stands for non-existent subdomain policy; it was first defined in RFC 9091 and is part of the DMARCbis revision. Network practitioners warn that on DNSSEC-signed domains the tag can push the DMARC TXT response past the size a UDP reply can carry, which disrupts DMARC evaluation and effectively takes the domain's existing policy out of service for receivers that cannot retrieve it. The root of the issue is how receivers' resolvers fetch and validate the records involved, not the tag's semantics.

Background & Causes

The np tag lets an administrator publish a separate policy for subdomains that have no A, AAAA or MX records, without changing the organisational domain's own p= policy or deleting the record. According to Dmarcwise's analysis, the problem appears when a receiving mail server queries the DMARC TXT record of a domain that is both DNSSEC-signed and carries the np tag: the signed response can exceed the size that fits in a single UDP packet. An oversized response is either fragmented at the IP layer, which many firewalls drop, or truncated and retried over TCP; if either path fails, the DMARC record is never retrieved and authentication cannot complete.

Technical & Technology Analysis

The core issue is the combined size of the DMARC TXT record and the DNSSEC signature that must travel with it. DNSSEC attaches an RRSIG (Resource Record Signature) record to every signed RRset in a response; with a 2048-bit RSA zone-signing key the signature alone is 256 bytes. Adding np= makes the TXT record, and so the signed answer, a little larger. Once the whole response exceeds the EDNS0 buffer the resolver advertised (512 bytes for a resolver without EDNS0), the authoritative server sets the TC (truncated) bit and the resolver must retry the query over TCP port 53. If the receiving network does not permit DNS over TCP, the lookup fails, the receiver cannot find a DMARC policy, and DMARC evaluation for mail from that domain cannot complete; the message is then handled as if the domain published no policy, or is temporarily rejected, depending on the receiver. Note that np= itself adds only a handful of bytes ("; np=reject" is 11 characters), so the failure mode matters only for records that are already close to the limit, for example long rua/ruf lists in a zone signed with large RSA keys.
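The size check a practitioner would want before publishing np= on a signed zone, as an added example (this is not code from Dmarcwise or from any DMARC or DNS implementation): it parses a DMARC record including the np tag, computes the on-the-wire size of the TXT RDATA, and estimates the size of the DNSSEC-signed answer for a given signature algorithm. The sample records, the domain example.com and the assumed key sizes are constructed for the example; the estimate assumes one TXT record with one RRSIG, a compressed owner name, an EDNS0 OPT record with no options and no authority or additional section, so real answers can be larger.

```python
"""Estimate the wire size of a DNSSEC-signed _dmarc TXT answer.

Added example, not code from dmarcwise.io or any DMARC/DNS implementation.
Assumptions: one TXT record at _dmarc.<domain> with one RRSIG, the owner
name compressed to a 2-byte pointer, an EDNS0 OPT record with no options,
and no authority/additional records.  Real responses can be larger.
"""
from typing import Dict

# Policy values allowed for p=, sp= and np= (RFC 7489 / RFC 9091 / DMARCbis)
POLICY_VALUES = {"none", "quarantine", "reject"}

# Raw signature length in bytes for common DNSSEC algorithms (assumed key sizes)
SIG_BYTES = {
    "RSASHA256-2048": 256,    # algorithm 8 with a 2048-bit zone-signing key
    "ECDSAP256SHA256": 64,    # algorithm 13
    "ED25519": 64,            # algorithm 15
}

CLASSIC_UDP_LIMIT = 512       # DNS without EDNS0
EDNS_RECOMMENDED = 1232       # DNS flag day 2020 recommended buffer size


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse a DMARC tag=value record and validate the policy tags."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key.lower()] = value
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("p= tag is required")
    for tag in ("p", "sp", "np"):          # np: policy for non-existent subdomains
        if tag in tags and tags[tag].lower() not in POLICY_VALUES:
            raise ValueError(f"{tag}= must be none, quarantine or reject")
    return tags


def is_valid_dmarc(record: str) -> bool:
    """True if parse_dmarc accepts the record."""
    try:
        parse_dmarc(record)
        return True
    except ValueError:
        return False


def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a name: one length byte per label plus the root byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return sum(1 + len(label) for label in labels) + 1


def txt_rdata_len(record: str) -> int:
    """TXT RDATA length: text is split into <=255-byte strings, each with a 1-byte length prefix."""
    data = record.encode("ascii")
    chunks = max(1, (len(data) + 254) // 255)
    return len(data) + chunks


def rrsig_rdata_len(signer: str, algo: str) -> int:
    """RRSIG RDATA: 18 bytes of fixed fields + signer's name (never compressed) + signature."""
    return 18 + wire_name_len(signer) + SIG_BYTES[algo]


def signed_response_len(domain: str, record: str, algo: str) -> int:
    """Approximate UDP payload of a DNSSEC-signed answer to `_dmarc.<domain> TXT`."""
    header = 12
    question = wire_name_len(f"_dmarc.{domain}") + 4   # QTYPE + QCLASS
    rr_overhead = 2 + 2 + 2 + 4 + 2                     # name pointer, TYPE, CLASS, TTL, RDLENGTH
    txt_rr = rr_overhead + txt_rdata_len(record)
    rrsig_rr = rr_overhead + rrsig_rdata_len(domain, algo)
    opt_rr = 11                                         # root name, TYPE, CLASS, TTL, RDLENGTH, no options
    return header + question + txt_rr + rrsig_rr + opt_rr


def size_report(domain: str, record: str, algo: str) -> Dict[str, object]:
    """Summarise whether the signed answer fits classic UDP and the flag-day EDNS buffer."""
    parse_dmarc(record)                    # refuse to report on an invalid record
    n = signed_response_len(domain, record, algo)
    return {"bytes": n, "over_512": n > CLASSIC_UDP_LIMIT, "over_1232": n > EDNS_RECOMMENDED}


# Constructed sample records (not real zone data): a long but realistic DMARC record,
# first without and then with the np tag.
DOMAIN = "example.com"
RECORD = ("v=DMARC1; p=reject; sp=reject; "
          "rua=mailto:dmarc-rua@example.com,mailto:dmarc@reports.example.net; "
          "ruf=mailto:dmarc-ruf@example.com; adkim=s; aspf=s")
RECORD_NP = RECORD + "; np=reject"

if __name__ == "__main__":
    for algo in SIG_BYTES:
        for label, rec in (("without np", RECORD), ("with np", RECORD_NP)):
            print(f"{algo:16} {label:10} {size_report(DOMAIN, rec, algo)}")
```

With the constructed record, the RSA-2048 signed answer sits at 506 bytes without np and 517 bytes with it, so the 11-byte tag is what pushes it past the classic 512-byte UDP limit, while the same record signed with ECDSA P-256 stays near 325 bytes. Against a live zone the equivalent check is `dig +dnssec _dmarc.example.com TXT` (look for the `tc` flag in the response) followed by `dig +tcp` from the receiving network to confirm that the TCP retry succeeds.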

Expert Opinions & Remarks

Network security engineers recommend that organisations with DNSSEC-signed zones test before adding np to their DMARC records: query the record with DNSSEC enabled, confirm that the response is not truncated, and confirm that a TCP retry succeeds from the networks that receive their mail. Because major DNS providers and receiver implementations have had little real-world exposure to the tag, a convenient option could otherwise turn into a self-inflicted outage for outgoing mail. Many practitioners suggest leaving subdomain handling to the existing p= and sp= tags rather than rushing to add np until resolvers and DMARC implementations are more widely updated.

Impact & Future

The interaction between DMARC np and DNSSEC illustrates once again how hard it is to extend long-standing Internet protocols without disturbing the security layers already built on them. For system administrators in Vietnam running enterprise mail servers, following the work of the IETF DMARC working group on DMARCbis is essential. In the near term, DNS and mail-server vendors will need to publish guidance on keeping signed DMARC responses within UDP limits, for example by trimming long rua/ruf lists, signing with compact algorithms such as ECDSA P-256 or Ed25519 instead of large RSA keys, and making sure DNS over TCP is permitted end to end.