
> And doing dmarc properly requires a reporting service.

This is incorrect.

DMARC requires nothing but an email address to send reporting to. It costs nothing to implement and there are open source [0] solutions out there if you want to monitor the reporting being sent.

And to clarify - the reporting you're getting back from DMARC is either an aggregate or a forensic report. There aren't many email providers that actually send forensic reporting anymore; 99% of the reports you'll get are aggregate in nature.

And finally, remember that if you don't have a policy of "REJECT" set on your domains, DMARC isn't doing you a whole lot of good.

[0] https://github.com/domainaware/parsedmarc




> This is incorrect. DMARC requires nothing but an email address to send reporting to.

This is also incorrect. Reporting (rua/ruf) are optional.

> if you don't have a policy of "REJECT" set on your domains, DMARC isn't doing you a whole lot of good.

With "quarantine", failing emails will go to spam, which is plenty good enough in most cases.


Being able to firmly reject all unauthenticated messages is still the target end state. The risk of a threat actor sending an email that looks completely legit, and simply asking the user to "check their spam folder", is very real.


> This is also incorrect. Reporting (rua/ruf) are optional.

I never stated RUA/RUF were required.

My intent was to state that the parent I was replying to implied "services" or "servers" were required to collect and/or process reporting. One can simply collect reporting and process offline or simply consume manually. I do this, personally, for a few low email volume domains I own. You can't get RUA/RUF any other way.


You stated that an email address is required. It's optional. So the requirements are effectively non-existent (although who doesn't have an email address).

> You can't get RUA/RUF any other way.

There are free services that provide analysis, such as https://dmarc.postmarkapp.com/, although arguably you still need an email address to sign up. But it is another, actually useful, way to receive the reports.


Yes, an email address is required to get RUA/RUF. I never stated this was or wasn't in line with the RFC.

> There are free services that provide analysis, such as https://dmarc.postmarkapp.com/, although arguably you still need an email address to sign up.

YES. That's what I said.



