I do operate DMARC report processing service and I have to agree that outdated reporting addresses living in DNS records (in my case, previous customers of mine still using their reporting addresses) are an issue.
Although the RFC 7.1 section regarding External Domain Validation [1] addresses this topic, I've found that lots of final hosts disregard this step and blast their reports to whatever reporting address is provided.
To the best of my knowledge opendmarc-reports does not perform a DNS check for external auth, but I might be mistaken.
Major hosts (Google, Zoho, Yahoo, Microsoft) are checking for sure. Japanese hosts are the worst offenders. I will try to do a proper data extraction and report back.
Although the RFC 7.1 section regarding External Domain Validation [1] addresses this topic, I've found that lots of final hosts disregard this step and blast their reports to whatever reporting address is provided.
1: https://www.dmarctrust.com/email-dns/fundamentals/dmarc-dns-...