alt Hacker NewsSending DMARC reports is somewhat hazardous
Comments
>I assume that putting a 'rua=' into your DMARC record makes it look more legitimate to (some) receiving systems.
Yes, Gmail for example will drop emails from mass-senders that don't implement both SPF and DKIM.
DMARC is a relatively recent addition to the email security space, and while it seems a bit superfluous at first, is actually quite useful! Sending and receiving the reports (which, should be noted, is entirely optional) might indeed be helped by a setup separate from the main mail handling workflow, as the 'best effort' nature and the fact that lots of systems sending DMARC reports have no business delivering mail for the sender domain in the first place are quite distinct.
Both Microsoft and Google seem to do it just fine using their main infrastructure though, so there's that. And apart from (performing or hopefully kickstarting) troubleshooting of SPF and (especially) DKIM failures, going through the forensic reports (which not everyone sends, even if they do summaries, due to message privacy concerns) will definitely satisfy your 'WTF-quota' for the day, since you get to see some spoofed messages that are usually just blackholed, and some of those are truly bizarre...
Receiving DMARC reports is just as hazardous. I frequently receive spam, phishing, malware, etc on my DMARC reporting addresses. I'm somewhat surprised I haven't seen any zip-bombs in DMARC reports yet.
Rejecting DMARC reports from any sender that doesn't have a correct SPF/DKIM/DMARC setup is the bare minimum.