To anyone who has used Splunk to monitor DMARC: while building out dashboards and reports for DMARC visibility, I've noticed that examples of DMARC record entries can contain a different address for aggregate and forensic reports. Does this make searching or dashboards faster by not searching all the data? I guess that relies on needing to search through both reports, if there would ever be a need.
I would hope the RUA and RUF reports are different enough that we could use the same email address and index to create metrics for each without too much overhead.
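As an added example (not code from the original post), a small Python helper that parses a DMARC record's rua/ruf tags and tells an aggregate report apart from a forensic one by its body, which is the distinction the post hopes is strong enough to share one mailbox and index. The record and report fragments are constructed samples, not any real domain's data.

```python
import re

# Constructed sample DMARC record: rua and ruf point at different mailboxes,
# the situation described in the post. Not a real domain's published record.
SAMPLE_RECORD = ("v=DMARC1; p=quarantine; pct=100; "
                 "rua=mailto:dmarc-agg@example.com!10m,mailto:agg@thirdparty.example; "
                 "ruf=mailto:dmarc-forensic@example.com; fo=1")

def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (RFC 7489, section 6.3)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags

def report_addresses(tags: dict, kind: str) -> list:
    """Return the mailto: addresses for kind 'rua' (aggregate) or 'ruf' (forensic).
    A '!size' suffix (e.g. '!10m') is a report size limit and is stripped."""
    addrs = []
    for uri in tags.get(kind, "").split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            addrs.append(uri[len("mailto:"):].split("!", 1)[0])
    return addrs

def classify_report(body: str) -> str:
    """Classify a received report as 'rua', 'ruf' or 'unknown' from its body.
    Aggregate reports are XML with a <feedback> root (RFC 7489, appendix C);
    forensic reports are ARF messages with 'Feedback-Type: auth-failure' (RFC 6591)."""
    head = body.lstrip()[:512]
    if re.match(r"(<\?xml[^>]*>\s*)?<feedback\b", head):
        return "rua"
    if re.search(r"^Feedback-Type:\s*auth-failure\b", body, re.IGNORECASE | re.MULTILINE):
        return "ruf"
    return "unknown"

if __name__ == "__main__":
    tags = parse_dmarc_record(SAMPLE_RECORD)
    print("aggregate ->", report_addresses(tags, "rua"))
    print("forensic  ->", report_addresses(tags, "ruf"))
```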