Receiving DMARC reports is just as hazardous. I frequently receive spam, phishing, malware, etc on my DMARC reporting addresses. I'm somewhat surprised I haven't seen any zip-bombs in DMARC reports yet.

Rejecting DMARC reports from any sender that doesn't have a correct SPF/DKIM/DMARC setup is the bare minimum.