In article <85393a12-a51f-6722-4171-118919fcc2d0@mtcc.com> you write:
> The real problem with large enterprise that we found, however, is that it was really hard to track down every 25-year-old 386 sitting in dusty corners that was sending mail directly instead of through corporate servers to make certain that everything was signed that should be signed. Maybe that's gotten better in the last 15 years, but I'm not too hopeful.
No kidding. That's why you publish a DMARC policy record that says don't treat my mail any differently, but please send me summary reports about it. This lets you see where mail with your From: domain is coming from, to track down all those dusty servers. Once you've found them all, then you can decide whether publishing a policy is likely to make things better or worse.

You'll also find a whole lot of Chinese botnets that send out spam with random return addresses including yours, but they're not hard to tell apart.

R's,
John
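
The report-driven inventory described in the message above, as an added example that is not part of the original post: a monitoring-only record plus a summarizer for one aggregate report in the RFC 7489 XML layout. The domain, the report contents, the OWN_NETWORKS range and the three status labels are constructed assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

# Monitoring-only policy: no change in handling, reports requested (placeholder domain).
DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

# Constructed aggregate report, trimmed to the fields used below.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.77</source_ip><count>14</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.77</source_ip><count>3</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.33</source_ip><count>40</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>900</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Assumption: address ranges the organisation knows it owns.
OWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

def summarize(report_xml, own_networks=OWN_NETWORKS):
    """Return {source_ip: {"count": n, "status": label}} over all records."""
    totals = defaultdict(lambda: {"count": 0, "unsigned": 0, "spf_ok": 0})
    for row in ET.fromstring(report_xml).iter("row"):
        entry = totals[row.findtext("source_ip")]
        n = int(row.findtext("count"))
        entry["count"] += n
        if row.findtext("policy_evaluated/dkim") != "pass":
            entry["unsigned"] += n
        if row.findtext("policy_evaluated/spf") == "pass":
            entry["spf_ok"] += n
    result = {}
    for ip, e in totals.items():
        ours = any(ipaddress.ip_address(ip) in net for net in own_networks)
        if e["unsigned"] == 0:
            status = "signed"
        elif ours or e["spf_ok"]:
            status = "ours-unsigned"    # a sender to track down and fix
        else:
            status = "foreign-failing"  # not ours: From: domain likely forged
        result[ip] = {"count": e["count"], "status": status}
    return result

if __name__ == "__main__":
    for ip, info in sorted(summarize(SAMPLE_REPORT).items()):
        print(f"{ip:15} {info['count']:5} {info['status']}")
```

Aggregate reports arrive from third parties, so a production version should parse them with a hardened XML parser such as defusedxml.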