Hi @fiwswe,
what you described is correct and in practice, I’m receiving these reports on my postmaster-address as well as on the mxtoolbox.com-delivery center-service.
They explain how to set it up at https://mxtoolbox.com/dmarc/dmarc-setup-cname and when trying to add a domain in their customer panel.
Even though @peter provided an RFC that forbids it, mxtoolbox requires you to set up a CNAME and a TXT-record for the _dmarc-subdomain at the same time.
In practice, this works with other DNS providers:
```
dig _dmarc.domain.com txt
;; ANSWER SECTION:
_dmarc.domain.com. 3597 IN CNAME domain.com.hosted.dmarc-report.com.
domain.com.hosted.dmarc-report.com. 300 IN TXT "v=DMARC1; p=none; fo=1; rua=mailto:55538c69@mxtoolbox.dmarc-report.com; ruf=mailto:555538c69@forensics.dmarc-report.com;"
```
I agree with you that deSEC is properly following RFC 1034, but is there any chance that one implements an exception for the _dmarc-subdomain, as mxtoolbox.com is a popular service?
I filed a bug report with them, but I don’t think they will listen.
DNS providers like Hurricane Electric or Cloudflare allow you to create a CNAME and a TXT record in parallel in deviation from the RFC.
Regards
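
A check for the rule discussed in this thread, added here as an example and not part of the original post or of any provider's code: RFC 1034 allows no other data at a name that owns a CNAME, so the first function flags such names and the second follows the `_dmarc` CNAME to the TXT record at its target. The record names and values are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

DNSSEC_OK = {"RRSIG", "NSEC"}  # DNSSEC types that may sit beside a CNAME

def norm(name):
    return name.rstrip(".").lower()

def cname_conflicts(records):
    """Map each CNAME owner name to the other record types found at it."""
    by_name = defaultdict(set)
    for owner, rtype, _ in records:
        by_name[norm(owner)].add(rtype.upper())
    return {n: sorted(t - DNSSEC_OK - {"CNAME"})
            for n, t in by_name.items()
            if "CNAME" in t and t - DNSSEC_OK - {"CNAME"}}

def parse_tags(txt):
    """Split 'v=DMARC1; p=none; ...' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def resolve_dmarc(records, domain, max_hops=8):
    """Follow CNAMEs from _dmarc.<domain>; return (final name, tags or None)."""
    name = norm("_dmarc." + domain)
    for _ in range(max_hops):  # hop limit guards against CNAME loops
        rrset = [(t.upper(), d) for o, t, d in records if norm(o) == name]
        target = next((d for t, d in rrset if t == "CNAME"), None)
        if target is not None:
            name = norm(target)
            continue
        for rtype, data in rrset:
            if rtype == "TXT" and data.strip('"').startswith("v=DMARC1"):
                return name, parse_tags(data.strip('"'))
        return name, None
    return name, None

# Constructed sample data: delegation by CNAME only, same shape as the dig answer.
DELEGATED = [
    ("_dmarc.example.com.", "CNAME", "example.com.hosted.report.example."),
    ("example.com.hosted.report.example.", "TXT",
     '"v=DMARC1; p=none; fo=1; rua=mailto:agg@report.example;"'),
]
# Constructed sample data: a TXT added at the CNAME owner itself.
MIXED = DELEGATED + [("_dmarc.example.com.", "TXT", '"v=DMARC1; p=none;"')]
```
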