Because it’s a bunch of hot air with very, very little substance.
We run all deployments with p=reject and security policy set to standard, and rarely get anything outside of valid 3rd parties like gmail being compromised through the filter.
We spend more time unblocked vendors and providers in office 365 than blocking and protecting.
To say it’s unsafe or putting anyone at risk is a complete joke.
Initial deployment and long term maintenance of DMARC is made harder, while messages that should never be delivered at all due to the work of other 3rd parties are allowed through. The specification ironed out all of the reasons for these procedures when it was originated. There's nothing about Office 365 that should make it a special exception to the specification.
It's everybody else's reject policies not being enforced that are the problem, not your own.
We run all deployments with p=reject and security policy set to standard, and rarely get anything outside of valid 3rd parties like gmail being compromised through the filter.
We spend more time unblocked vendors and providers in office 365 than blocking and protecting.
To say it’s unsafe or putting anyone at risk is a complete joke.