According to DMARC FAQ it's possible to have a single policy for multiple domains, and that all tools refer to this main policy:
How can I put DMARC records on many domains at once?
Some organizations may have registered many domain names for brand protection or other reasons. Managing all these domains is often challenging. Here is one possible way to put a DMARC record on all of them and easily control changes. You can use CNAME for the DMARC record and wildcard for the reporting.
_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com" _dmarc.example.net. IN CNAME _dmarc.example.com. *._report._dmarc.example.com IN TXT "v=DMARC1"Now there is only one DMARC record to manage. The report record is needed because you are asking for the aggregate report for example.net to be sent to another domain, example.com. Therefore this domain must indicate it is willing to receive such reports. With a wildcard, this domain indicates it is willing to receive reports about any domain. Set email filtering correctly for the mailbox dmarc-rua@example.com to avoid receiving reports you are not interested in.
For the aliased domain managed by Cloudflare:
;; CNAME Records
_dmarc.lists.example.net. 300 IN CNAME _dmarc.example.org.
_dmarc.example.net. 300 IN CNAME _dmarc.example.org.
For the domain that actually sends the mails and will be main policy:
;; TXT Records
_dmarc.example.org. 300 IN TXT "v=DMARC1\; p=quarantine\; pct=1\; rua=mailto:example@ag.dmarcian.com"
*._report._dmarc.example.org. 300 IN TXT "v=DMARC1"
As seen I use dmarcian to handle dmarc reports. When I tested it couldn't find dmarc records for example.net domain, nor could other tools like Mbox Proofpoint. I would trust that the FAQ isn't lying (DNS behavior tell us it should be possible) but the specification doesn't explicitly mention this characteristic, so what's going on?
