
DMARC reports are not good for "keep an eye on who is spoofing my domain and then take action on it." But what they ARE good for is finding gaps in your DMARC policy. Like "oops, I forgot to add the helpdesk ticketing system to the policy" or "huh, it looks like the marketing department started using a new email provider, and they're not covered by the policy."

In other words, it's useful for spotting legitimate stuff that's accidentally failing, not for doing anything with the unauthorized stuff.

For a personal domain that only one or two people use, this is less likely to be worth bothering with.




I get reports showing attempts at least once a month per domain, a few in a week trying root and then subdomains. So I do like the fact that I know the policy I have implemented is useful. I do wish, however, that there was more useful information in the reports and that a variation of forensic reporting was more of a thing.

But you're spot on with finding gaps. It's basically the premise for every commercial DMARC product on the market. It's also crazy to see how companies blindly trust and never remediate senders from having access to corporate domains.

I'll, however, disagree with regard to personal domains. It's not hard. Do it. Everyone who helps clean up these things makes a small difference. If you own your own domain and are leveraging email this should be table stakes. I have recommended MailHardener [0] (no affiliation) in the past for their fantastic documentation around SPF, DKIM, DMARC, BIMI, etc - but also they have a free tier of one domain and they provide a grade with respect to your posture. It's really simple, and people I know have used it to learn how to implement these configurations on a broader scale.

[0] https://www.mailhardener.com/


I have definitely done it for my personal domains and I agree that it's not particularly hard. I just meant that for my personal domains I have not found the reports as useful as I do in business contexts, because I am the only person sending mail from those domains and it's (mostly) unlikely that I'd spin up a new source and forget to add it to the DMARC policy.
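The gap-finding use of aggregate reports discussed in this thread, as an added example that is not part of any comment: it parses a constructed RFC 7489 aggregate report and lists the sources whose mail failed both DKIM and SPF evaluation, along with any domain they did authenticate as. The sample report, its IP addresses, `helpdesk-vendor.example` and the function names are assumptions made for illustration, and the report is assumed to carry no XML namespace.

```python
import xml.etree.ElementTree as ET  # reports come from third parties; prefer defusedxml on real mail
from collections import defaultdict

def _rec(ip, n, dkim, spf, auth_dom, auth_res):
    # Builds one constructed <record> using RFC 7489 aggregate-report element names.
    return (f"<record><row><source_ip>{ip}</source_ip><count>{n}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row>"
            f"<identifiers><header_from>example.com</header_from></identifiers>"
            f"<auth_results><spf><domain>{auth_dom}</domain><result>{auth_res}</result></spf>"
            f"</auth_results></record>")

# Constructed sample: one aligned sender, one unaligned helpdesk vendor, one stray source.
SAMPLE_REPORT = ("<feedback><policy_published><domain>example.com</domain><p>none</p>"
                 "</policy_published>"
                 + _rec("192.0.2.10", 120, "pass", "pass", "example.com", "pass")
                 + _rec("198.51.100.7", 45, "fail", "fail", "helpdesk-vendor.example", "pass")
                 + _rec("198.51.100.7", 5, "fail", "fail", "helpdesk-vendor.example", "pass")
                 + _rec("203.0.113.99", 2, "fail", "fail", "example.com", "fail")
                 + "</feedback>")

def failing_sources(report_xml):
    """Return [(source_ip, message_count, authenticated_domains)] for rows where
    both DKIM and SPF failed DMARC evaluation, highest volume first."""
    totals = defaultdict(int)
    authed = defaultdict(set)
    for rec in ET.fromstring(report_xml).iter("record"):
        ev = rec.find("row/policy_evaluated")
        if ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass":
            continue  # DMARC passes when either aligned mechanism passes
        ip = rec.findtext("row/source_ip")
        totals[ip] += int(rec.findtext("row/count"))
        # A domain that authenticated on its own but is not aligned with
        # header_from hints at a known vendor missing from the policy.
        for res in rec.find("auth_results"):
            if res.findtext("result") == "pass":
                authed[ip].add(res.findtext("domain"))
    return sorted(((ip, n, sorted(authed[ip])) for ip, n in totals.items()),
                  key=lambda t: -t[1])

if __name__ == "__main__":
    for ip, count, domains in failing_sources(SAMPLE_REPORT):
        hint = ", ".join(domains) or "no passing auth"
        print(f"{ip}\t{count} msgs\tauthenticated as: {hint}")
```

A failing source that shows steady volume and authenticates as a recognisable vendor domain is the kind of entry to review against the SPF record and DKIM setup; the authenticated domain is only a hint, since any sender can pass SPF for a domain it controls.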



