How to hide email in DMARC record

Is there a way to hide the DMARC email addresses?

I’m new to this game but it appears I could see anyone’s DMARC record and get an email address to spam.

I guess I should create a user name like dmarc@example.com and then just update if I start getting spam at that address.

Any best practices??

Hi Charlie

First off, rua and ruf addresses need to be public, or reporters would be unable to send reports (the R in DMARC) to the correct address.

Next, with any significant volume of mail, you’ll need some kind of automation for handling DMARC aggregate reports (rua), e.g. the service provided by DMARCIAN. As aggregate reports are rarely handled by humans, it would make little sense SPAMming the address, and the automation can easily discard any mail that does not follow the well-defined report format.

Failure/forensic reports may be read by humans, but again the reports do not look like ordinary office mail, so any spam would be easy to spot.

I have not noticed any spam at our DMARC reporting address, but some legitimate reports do end up in the Unwanted Mail folder.

Maybe the DMARCIAN folks can supply solid spam statistics?
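As an added example that is not part of the original posts and is not dmarcian's code: a sketch of the kind of format check an rua mailbox automation can apply so that anything other than an aggregate report is discarded. It assumes the attachment has already been extracted from the mail as bytes (raw XML or gzip only), and the function name, size cap and sample report are constructed for illustration.

```python
import gzip
import io
import ipaddress
import xml.etree.ElementTree as ET
import zlib

MAX_XML_BYTES = 10 * 1024 * 1024  # assumed cap on decompressed report size

# Constructed sample report (not real data), following the RFC 7489 layout.
SAMPLE_REPORT = b"""<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>reporter.example</org_name><report_id>r-1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>3</count></row></record>
</feedback>"""


def parse_aggregate_report(raw: bytes, our_domain: str):
    """Return a summary dict for a well-formed report, or None to discard it."""
    try:
        if raw[:2] == b"\x1f\x8b":  # gzip magic bytes
            with gzip.GzipFile(fileobj=io.BytesIO(raw)) as fh:
                raw = fh.read(MAX_XML_BYTES + 1)  # bounded read limits zip bombs
        if len(raw) > MAX_XML_BYTES or b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
            return None  # oversized, or carries DTD/entity declarations
        root = ET.fromstring(raw)
        for el in root.iter():  # some reporters add an XML namespace; strip it
            el.tag = el.tag.rsplit("}", 1)[-1]
        if root.tag != "feedback":
            return None
        org = root.findtext("report_metadata/org_name", "").strip()
        report_id = root.findtext("report_metadata/report_id", "").strip()
        domain = root.findtext("policy_published/domain", "").strip().lower()
        if not org or not report_id or domain != our_domain.lower():
            return None  # missing metadata, or a report about someone else's domain
        rows = []
        for rec in root.findall("record"):
            ip = ipaddress.ip_address(rec.findtext("row/source_ip", "").strip())
            count = int(rec.findtext("row/count", ""))
            if count < 0:
                return None
            rows.append((str(ip), count))
        return {"org": org, "report_id": report_id, "rows": rows} if rows else None
    except (ET.ParseError, ValueError, OSError, EOFError, zlib.error):
        return None  # not XML, bad gzip stream, bad IP or bad count
```

The DOCTYPE and ENTITY byte check assumes an ASCII-compatible encoding such as UTF-8; a production pipeline would also want a hardened XML parser rather than relying on that check alone.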

Hello @csasser, the response provided by @opvind is correct. You will need to publish an address where you would like XML reports to be sent to. The two most common ways are to receive them directly yourself and then forward to a tool such as dmarcian, or you can send directly to us.

As part of the service we provide, we have several layers of filtering in our processing engine to ensure not only that you are being presented with only legitimate reports, but also that the reports are accurate. Unfortunately, not every report provider sends reliable data. In those cases we discard them.

It is still possible that we could consume and process a fake report, though it’s not something we are forced to combat every day like most inbound gateways do. The bad guys are mostly aware that these mailboxes aren’t human-facing.

Thanks for the response.