We are one of the lucky customers which have completed the onboarding journey of becoming DMARC compliant in reject mode with 99%+ of our more then 350 external service providers.
While we try to get to 100% we are always running behind our business which had a tendency to find - yet unheard off- cloud service providers which can help us in areas not know before. This means our list of authorized senders and systems is growing almost every week.
Digging deeper into some of the privacy aspects of RUA nd RUF data showed us that we did no longer get the same amount of data reported back to us as before. To be more precise we suddenly got almost no more data as you can in below screenshot. We have done some analysis using some of the best DMARC aggregating tools but with the help of DMARCIAN we finally understood what was happening.
Looking at our change logs we realized that the date reporting ended is the same date we upgraded our inbound production cluster to v 14.0.0.. Long story short as I don't want to get overly technical here.
It appears that a code change in ESA 14.0.0, intended or not, broke the way the Cisco Ironports are processing such reports because the target domain no longer matches the from domain. Such reports are now just ignored. This is an issue for very customer which uses an external service to aggregate the RUA or RUF records and this service is in a different domain or hosted external.
Cisco is tracking this bug under : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz09278
We believe that this issue merits an urgent fix.
Update:
I reached out to Cisco product management about this issue and was told that this issue will be addressed with the 14.0.2 ESA Release, planned for End of November or early December time frame.
More to come.