by sbuk 1769 days ago
The thing to remember is that these are useless unless the recipient's MTA is configured to take action against failures. Another thing to understand is that very few services, commercial, public or otherwise, send DMARC reports, and many that do send very sparse reports that are as bad as not receiving anything at all. Fundamentally, catching spoofing, phishing and spam and not catching 'ham' is actually really hard.

It's been years since I did it, but I added DMARC to a high volume domain and the reports were useful while I was adding it, to help make sure I didn't forget any authorized senders, but once I got that finalized, the reports were totally unactionable.

I can't do anything about the attempted spoofs; I'm not going to track down everyone's open relays, and if I would, DMARC reports aren't really enough anyway.

At the time, Yahoo, Google and Microsoft all sent reports, which is a good portion of email, although certainly missing a lot. I think there were a few other smaller names, which I no longer remember.

Of course, it almost doesn't matter. Spam/phishing mail to our users still continued, they just stopped spoofing our address. It's not like very many people look at the domain mail claims to be from anyway; modern clients hide it, too.

> they just stopped spoofing our address.

This also means that emails from your domain are less likely to get marked as spam, which can be a significant win for smaller domains.