I've been toying with dmarc off and on for the last couple of months. Currently I have no policy set. I am using URIReports for report collection and analysis. Most of the results are good. We use Google for interpersonal email, Mailchimp for mass email, and Amazon SES for transactional things. But there are a LOT of failures involving various Microsoft mail senders, and we don't use MS at all. We are a Mac/Linux shop, and our servers do not even have a mail server running on them. Here is a screen shot of the failures in URIReports.
Almost all of the failures involve academic institutions, which sort of makes sense since most of our clients are academic. Is one of our legitimate affiliates sending email to these recipients "from" our domain thinking that it's OK to do so? Is this spam/phishing targeting our clients (that does happen!)? Is this a peculiarity of the MS ecosystem that generates failures? We do have a LOT of recipients who give us their institutional email address (.edu accounts) that then forward to personal accounts automatically.
I have tried getting failure/forensic reports but haven't ever received even one. I have come to understand they aren't widely supported for privacy reasons.
Thanks