I’ve watched this bit in the video as well. This is one of the things that we’re concerned about, especially since we’re in EU and GDPR is pretty strict. You also mention here in another video that these are full-blown email messages. I think I control when this happens with the fo tag, right? If I avoid the ruf tag, then no personal information is shared? I have set up dmarcian to debug this so still waiting on failure reports.
“fo” tag only defines trigger for when the forensic/failure should be sent. That does’t control the info in the “report”.
If you do not include the “ruf” tag, then no forenseic/failure reports should be sent. You may not see many, if any at all. Majority of email service providers are not sending these reports, even if you have the “ruf” tag included.