ietf

Re: DMARC and ietf.org

2016-08-15 15:48:57
DMARC was fine when it was used to protect high value company domains like
paypal.com.  It became much less fine when AOL and Yahoo started using it to
force the costs of their own security failures on third parties.

Worth noting is that their deployment of DMARC has done *nothing*
to address those security failures and thus *nothing* to stop the
forgeries that were the alleged impetus for the deployment.  In fact,
it's arguably made the impact of those worse because they now arrive
with whatever degree of endorsement DMARC validation provides.

Actually, it's been quite effective for what Yahoo and AOL cared about.

Yahoo's problem was that crooks had stolen people's address books so
their users were getting spam with faked return addresses of people
they knew, sent from botnets outside of Yahoo, provoking many
expensive support calls.  Turning on DMARC stopped that cold.

Of course, it also stopped other stuff which is why we're here.

R's,
John