by kmoser 879 days ago
Maybe I'm just paranoid but if you configure your DMARC records to receive reports via email, doesn't that open the door for malicious actors to send bogus reports, if for no other reason than just for the lulz? I realize that the only sane way to deal with these reports is via an automated service (nobody in their right mind wants to manually parse through tons of XML reports on a regular basis) but how do I stop the incoming data from being poisoned?
3 comments

The RFC requires SMTP servers to first verify that the destination email indeed wants to receive those reports. They’re opt-in through a DNS record.

https://datatracker.ietf.org/doc/html/rfc7489#section-7.1
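The opt-in check from RFC 7489 section 7.1 linked above, sketched as an added example that is not part of the thread: a report generator builds the name `<policy-domain>._report._dmarc.<destination-host>` and only sends if a TXT record starting with `v=DMARC1` exists there. Assumptions: all domain names and TXT data are constructed, DNS is replaced by a dictionary, and `org_domain` uses a two-label shortcut where real code needs the Public Suffix List.

```python
from urllib.parse import urlsplit

def org_domain(host):
    # Assumption: last two labels. Production code must use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def verification_name(policy_domain, rua_uri):
    """TXT name a report generator must query, or None when the report
    destination is inside the policy domain's own organizational domain."""
    uri = urlsplit(rua_uri)
    if uri.scheme.lower() != "mailto":
        raise ValueError("only mailto: report URIs are handled here")
    addr = uri.path.split("!", 1)[0]          # drop optional size limit, e.g. "!10m"
    if "@" not in addr:
        raise ValueError("report URI has no mailbox domain")
    host = addr.rsplit("@", 1)[1].lower().rstrip(".")
    if org_domain(host) == org_domain(policy_domain):
        return None                            # same organization: no external check
    return f"{policy_domain.lower().rstrip('.')}._report._dmarc.{host}"

def is_dmarc_record(txt):
    # The record counts only if its first tag is exactly v=DMARC1.
    tag, _, value = txt.split(";", 1)[0].partition("=")
    return tag.strip() == "v" and value.strip() == "DMARC1"

def may_send_report(policy_domain, rua_uri, lookup_txt):
    """lookup_txt(name) -> list of TXT strings; stands in for a DNS resolver."""
    name = verification_name(policy_domain, rua_uri)
    if name is None:
        return True
    return any(is_dmarc_record(r) for r in lookup_txt(name))

# Constructed zone data: reports.example.net has opted in for sender.example only.
ZONE = {"sender.example._report._dmarc.reports.example.net": ["v=DMARC1"]}

def lookup(name):
    return ZONE.get(name, [])

if __name__ == "__main__":
    for domain in ("sender.example", "other.example"):
        uri = "mailto:agg@reports.example.net!10m"
        print(domain, verification_name(domain, uri), may_send_report(domain, uri, lookup))
```

The check decides whether a mailbox has agreed to receive reports about a given domain; it runs on the report generator's side before anything is sent.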

I've been monitoring this with an eye toward creating a honeypot for DMARC abuse, but so far I've been seeing zero messages come in.

Either the spammers haven't figured it out yet, or they realize it's a waste of time since all the messages are either mechanically processed or ignored.

Yes it does.