I think it would be beneficial to have a function to edit existing DNS records.
I recently got into reporting out of curiosity for the correct spec.
The failure reports can be enabled in opendmarc.conf, and you can also enable the aggregate reports like the big players with something like:
oh2fih/OpenDMARC-Reports: Automate OpenDMARC reports securely.
The reports do help you to identify people trying to abuse you.
You can use this as a test after enabling failure reports:
Email Spoof Test dot com
Also to actually act on it:
RejectFailures false
I turn that to true.
I think it provides valuable insights.
I set up a verifydmarc dot com account to have some GUI oversight. (It can also collect MTA-STS.)
I also got into actually honoring MTA-STS; this requires an MTA-STS resolver like:
Zuplu/postfix-tlspol: Lightweight MTA-STS + DANE/TLSA resolver and TLS policy server for Postfix, prioritizing DANE.
And Postfix 3.10.x
I don't know about Ubuntu; for RHEL it was compiled recently by a third-party repo with TLSRPT support.
and then
sys4/tlsrpt-reporter: An application suite to receive TLSRPT datagrams and to generate and deliver TLSRPT reports
also with a third-party repo RPM.
For Postfix this is all a bit adventurous at the moment IMO.
But necessary to actually honor MTA-STS when sending mail, not just DNS entries on how you want to be treated.
I set it up on a virtualmin based server.
What I love about MIAB is that it is somewhat hassle-free concerning DNS because you can set it to act as its own DNS with two glue records and be done with it, and not start to dance around updating DANE TLSA records etc…
Stalwart as an alternative is the only mail server I know that fully implements the DMARC and MTA-STS spec out of the box. But it cannot act as its own DNS server.
And setting up external records is a drag IMO.