Mailjet: DMARCbis is dead. Long live DMARC. 

DMARCbis is now DMARC 

This matters because mailbox providers increasingly expect authenticated, aligned mail as baseline sender behavior. The updated DMARC RFCs do not radically change those expectations, but they clarify and formalize practices that many senders and ESPs are already operating under today. 

In May 2026, the IETF published three new RFCs that replace the original DMARC spec: RFC 9989 (core protocol), RFC 9990 (aggregate reports), and RFC 9991 (failure reports). 

That sounds deeply technical, but the practical takeaway is simple: DMARC has been modernized, not reinvented. Your job as a Mailjet customer is still to authenticate your email, align your authenticated domains, and monitor your reporting. 

Quick DMARC refresher for Mailjet users 

DMARC checks whether the domain in the visible From address aligns with authenticated SPF or DKIM results. 

• SPF authentication looks at the MAIL FROM / Return‑Path domain. 

• DKIM authentication looks at the d= signing domain. 

• DMARC passes if either of those domains both passes authentication and aligns with the visible From domain (under strict or relaxed rules). 

Mailjet’s DMARC help center article explains exactly this: one aligned authenticated identifier is enough for DMARC to pass. 

Mailjet’s defaults matter when you think about DMARC. 

Domain authentication and DKIM 

When you validate a sender domain in Mailjet: 

• Mailjet gives you SPF and DKIM TXT records to publish for that specific domain. 

• Once those are live, Mailjet signs with DKIM using your authenticated domain in the d= value (for example, d=example.com). 

That means DKIM alignment is straightforward when your visible From uses the same domain (or an aligned subdomain) you’ve authenticated in Mailjet. 

By default, Mailjet uses a provider‑owned bounce domain: bnc3.mailjet.com. 

• SPF authentication passes against bnc3.mailjet.com. 

• Your visible From is on your own domain (for example, example.com). 

• Those domains do not share the same organizational domain, so SPF does not align for DMARC. 

In Mailjet’s default setup, DMARC commonly passes through DKIM alignment. That’s valid: DMARC requires one aligned authenticated identifier, not both SPF and DKIM. Customers who also want SPF alignment can configure a custom Return‑Path, subject to Mailjet’s current setup and support process. 

Dedicated IPs can affect reputation control and deliverability troubleshooting, but they do not change DMARC’s alignment rules. Whether you use shared or dedicated Mailjet IPs, DMARC still evaluates alignment between your visible From domain and your authenticated SPF or DKIM identifiers. 

If you want SPF alignment as well, Mailjet supports a custom Return‑Path on paid plans: 

• You create a subdomain like bnc3.yourdomain.com and point it via CNAME to bnc3.mailjet.com. 

• You validate that domain in your Mailjet account. 

• You open a ticket with support, provide the API key and CNAME details, and they activate the personalized return route for that API key. 

Note that you can only have one active custom Return‑Path per API key, and that the feature depends on your plan and support workflow. Availability and setup details may vary over time, so it’s always worth checking current Mailjet docs and support guidance for the latest behavior. 

Once configured, SPF can support DMARC alignment under relaxed alignment (aspf=r), because the MAIL FROM / Return-Path uses a Mailjet-managed bounce subdomain within the customer’s organizational domain. Mailjet continues to handle bounce processing behind the scenes. Customers using or considering strict SPF alignment (aspf=s) should review this setup carefully, since strict alignment requires the MAIL FROM domain to exactly match the visible From domain. 

Here’s how to respond to the DMARC update if you’re running programs on Mailjet. 

1. Know who sends as your brand (inside and beyond Mailjet) 

1. Know who sends as your brand (inside and beyond Mailjet) 
   • List every Mailjet account/API key and the domains validated on each. 
   • Cross‑check DMARC aggregate reports to find any other platforms (ecommerce, CRM, support tools) that are also using your domain. 

2. Verify DKIM alignment for Mailjet domains 
   • For each validated domain, confirm the DKIM TXT record from Mailjet is live and passing.
   • Send test emails and check that the DKIM d= value matches your brand domain (or an aligned subdomain) used in the visible From. 

3. Decide whether you want SPF alignment via custom Return‑Path 
   • If DKIM alignment is passing reliably, that is sufficient for DMARC. 
   • If your security posture or internal policies call for SPF alignment too, work with your DNS and Mailjet support to configure a custom Return‑Path (bnc3.yourdomain.com → bnc3.mailjet.com), keeping in mind that availability and limits (such as one per API key) are subject to Mailjet’s current product behavior and support process. 

4. Review and modernize your DMARC records 
   • Check whether you are still on p=none or have moved ought to quarantine or reject for your organizational domain and key subdomains. 
   • Remove obsolete tags like pct, rf, and ri, and consider whether np for non‑existent subdomains and psd for public‑suffix behavior apply to your domain portfolio. 

5. Treat DMARC as brand infrastructure, not a one‑off project 
   • Use DMARC aggregate reports regularly to spot misaligned Mailjet sends, unexpected new sources, or third‑party tools authenticating on their own domains instead of yours. 
   • Make DMARC maintenance part of your ongoing deliverability routine, not a fire‑drill only when something breaks. 

DMARCbis is dead. Long live DMARC. For Mailjet senders, that means: 

• DKIM alignment on your own domains remains the default and is enough for DMARC. 

• SPF alignment is available when you need it, through a custom Return‑Path and coordination with Mailjet support. 

• The updated DMARC spec simply makes the rules around all of this clearer. 

Your subscribers never see your DMARC policy string, but mailbox providers do. The more intentional you are about how Mailjet authenticates and aligns your authenticated domains, the more confidently those providers can trust that the mail using your brand really is yours. 

Author: The Sinch Mailjet Team The team at Sinch Mailjet