1. I think we should add a DMARC record only, when an spf-records exists and dkim is enabled for the mail-domain. This breaks the draft (see draft 5.6.2) but makes much more sense: A DMARC check pass if the auth-check for spf or dkim is ok. This means, that a DMARC check is valid without DKIM as long as the SPF-Record matches. This leads to an useless DMARC-Record as a spf-check could be done without DMARC. When the receiver does not validate DKIM-signatures, the mail could also have an invalid DKIM-Key and the mail passes the DMARC check. 2. DMARC allows reports for rua and ruf to external addresses. Code: v=DMARC1; p=none; rua=mailto:dmarc@[B]external.com[/B] is valid for example.com. If a remote address is used, a record in the remote-zone is reuqiered Code: example.com._report._dmarc.external.com v=DMARC1 As long as the remote-zone is managed with ISPConfig, i can easily insert a record in the remote-zone (by ignoring permissions and limits) or check for an existing record with a sql-query. If the remote-zone is not managed with ISPConfig, i can use dig to check for a record but there is currently no way to add the record. Should the corresponding record add to a remote-zone managed by ISPConfig? Should a DMARC-record fail with a remote-address if now record is in the remote-zone? Should we just disallow remote-addresses?