u/vppencilsharpening

▲ 3 r/DMARC

I tried searching and I think it will be fine, but I'm hoping to leverage the collective mind of r/DMARC for a question.

I would like to configure two e-mail addresses for use as DMARC rua and ruf targets in our DMARC policies. Then configure our mail system to forward the messages to our DMARC aggregation service.

My plan would be to use Amazon SES and a Mail Manager rule or Lambda function to handle the forwarding while also storing the aggregate reports in S3.

Question:
Is forwarding the reports in this way allowed within the DMARC spec?

Why:

We have a bunch of companies in Europe who are overly sensitive about the data in forensic reports (possibly rightly so) and this will allow us to explicitly control those reports. It will be less scary for compliance and audit people if they see an e-mail address on a domain we control rather than a 3rd party. Not a great technical reason, but sometimes this is the easy button.

For the aggregate reports, this will allow us to easily add or change services without having to update hundreds of DMARC records (we have something like 200+ domains globally, plus sub-domains with separate DMARC records/policies). We would just need to update the message forwarding rules. It would also allow us to keep the reports longer or analyze them elsewhere if we so desired. With S3 storage being fairly cheap and the glacier storage tiers make it even cheaper (assuming minimum object sizes are met) we could keep the data around as long as we want.

reddit.com
u/vppencilsharpening — 8 days ago
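An added example for the plan above (editor's code, not the poster's, and nothing here is pulled from a real SES setup): the piece of the forwarding function that does not need AWS, so it runs offline. It unpacks an aggregate report attachment in the three forms receivers send (gzip, zip, bare XML), computes the aligned-pass rate that an aggregation service would show, builds the S3 key the report would be archived under, and checks whether a rua/ruf target on a domain other than the policy domain needs the RFC 7489 external-destination TXT record (the part of the spec that actually governs where reports may be sent; what you do with a report after it lands in your own mailbox is outside the spec). The domain names, the S3 key layout, and the sample report are constructed assumptions; the organizational-domain comparison is simplified to a literal suffix match, and the boto3 calls to S3 and SES are left out.

```python
"""DMARC aggregate report handling for a forward-and-archive Lambda.
Added example: not the poster's code and not an AWS sample.
The report, domains and key layout below are constructed for illustration."""
import gzip
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample aggregate report (RFC 7489 Appendix C shape), not real data.
SAMPLE_REPORT_XML = b"""<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver.net</org_name>
    <email>noreply-dmarc@example-receiver.net</email>
    <report_id>1234567890</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>480</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def decompress_report(data: bytes) -> bytes:
    """Receivers attach reports as .xml.gz, .zip or occasionally bare .xml; sniff the magic bytes."""
    if data[:2] == b"\x1f\x8b":
        return gzip.decompress(data)
    if data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(zf.namelist()[0])
    return data


def parse_report(xml_bytes: bytes) -> dict:
    """Summarize one report: a message is DMARC-compliant if the aligned DKIM or SPF
    result in <policy_evaluated> is 'pass' (raw auth_results alone are not enough)."""
    root = ET.fromstring(xml_bytes)
    meta, pol = root.find("report_metadata"), root.find("policy_published")
    summary = {
        "receiver": meta.findtext("org_name"),
        "report_id": meta.findtext("report_id"),
        "domain": pol.findtext("domain"),
        "begin": int(meta.findtext("date_range/begin")),
        "end": int(meta.findtext("date_range/end")),
        "total": 0, "compliant": 0, "sources": [],
    }
    for rec in root.iter("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        count = int(row.findtext("count"))
        aligned = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        summary["total"] += count
        summary["compliant"] += count if aligned else 0
        summary["sources"].append((row.findtext("source_ip"), count, aligned, ev.findtext("disposition")))
    summary["compliance_pct"] = round(100 * summary["compliant"] / summary["total"], 1) if summary["total"] else 0.0
    return summary


def summarize_report_file(attachment: bytes) -> dict:
    return parse_report(decompress_report(attachment))


def archive_key(summary: dict) -> str:
    """Assumed S3 layout: partition by policy domain and month, name the object with the
    RFC 7489 report filename convention so re-sent reports overwrite rather than duplicate."""
    day = datetime.fromtimestamp(summary["begin"], tz=timezone.utc)
    name = f'{summary["receiver"]}!{summary["domain"]}!{summary["begin"]}!{summary["end"]}!{summary["report_id"]}.xml.gz'
    return f'dmarc/aggregate/{summary["domain"]}/{day:%Y}/{day:%m}/{name}'


def external_destination_record(policy_domain: str, mailto: str):
    """RFC 7489 section 7.1: a rua/ruf URI whose domain is outside the policy domain is ignored
    unless the target domain publishes <policy_domain>._report._dmarc.<target> TXT "v=DMARC1".
    Simplification (assumption): literal suffix match instead of the PSL organizational domain."""
    addr = mailto[len("mailto:"):] if mailto.startswith("mailto:") else mailto
    target, pd = addr.rsplit("@", 1)[1].lower(), policy_domain.lower()
    if target == pd or target.endswith("." + pd) or pd.endswith("." + target):
        return None
    return (f"{pd}._report._dmarc.{target}", "v=DMARC1")


def build_sample_attachments() -> dict:
    """Constructed attachments in the three encodings receivers use."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("example-receiver.net!example.com!1700000000!1700086399.xml", SAMPLE_REPORT_XML)
    return {"xml": SAMPLE_REPORT_XML, "gz": gzip.compress(SAMPLE_REPORT_XML), "zip": buf.getvalue()}


if __name__ == "__main__":
    s = summarize_report_file(build_sample_attachments()["gz"])
    print(s["compliance_pct"], archive_key(s))
    print(external_destination_record("example.com", "mailto:dmarc@dmarc-rx.example.net"))
```

In the Lambda, `archive_key` would feed `put_object` on the S3 bucket the forwarder writes to, and the untouched raw message would go out through SES `send_raw_email` to the aggregation service's address; the external-destination check is the one to run before changing hundreds of records, because a rua target on a domain outside the policy domain silently gets no reports until the TXT record exists.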
▲ 22 r/DMARC

Little bit of a story for anyone who is starting out.

tl;dr: If you set up DMARC report aggregation for the first time and have a horrible compliance rate, it may not be as bad as it looks.

In the before times, when I first set up DMARC reporting and the reports started coming in, <20% of the messages were DMARC compliant. Being new to this I got that "oh shit what did I get myself into" feeling that most of us have experienced at some point. But I dug into the data anyway.

I found a few legit senders that needed to be tweaked for compliance, but by and large all of the sources we expected to be sending from were sending compliant messages.

The more I dug into the data the more confident I was that over 80% of our domain's email volume was spoofed.

We had been using SPF for a long time and then implemented DKIM when it became commonly required, but this was an old domain (registered in the late 90s) that has been used for an e-com site since it was registered. It had reputation, history, no DMARC policy and a loose SPF record making it a good choice for spoofing.

We slowly followed the process to increase our DMARC policy. Every day expecting to receive reports of undeliverable mail, but they never came.

Eventually we reached a reject policy and set a hard fail for SPF, but the spoofed volume didn't disappear right away. It took more than a few months before our DMARC compliance rate was above 95%.

Reviewing the data, the volume of compliant messages never significantly changed. While the volume of non-compliant messages dropped drastically one week and has not really changed other than a spike here and there.

I've now gone through this process for a bunch of other domains and have never seen it as bad as the first one. I kinda wish I kept the data showing how bad it was when we first started.

Anyway, I was telling this story to someone and thought this community might like it. Thanks if you made it this far.

u/vppencilsharpening — 15 days ago