Honestly, Tough Noogies. Let list managers make their own security decisions. AOL and Yahoo want all mail from their users to be authenticated. Well, OK, this will do it.
This is a really bad idea. In MM3, we've already eliminated the need for keeping clear text passwords, and almost gotten rid of any user passwords at all. OAUTH tokens are a little better, but no way do I want to hold a clear text password for users.
I agree it's a horrible idea. But at the moment it's the only horrible idea I'm aware of that will let lists keep operating in the way the managers and users want, with no From: munging and no bounces, using existing facilities from the mail providers.
AOL and Yahoo both have OAUTH APIs, but they are not the same, and I see no likelihood that the APIs will converge, or that the next large webmail provider to DMARC us will be compatible with either. But everyone has a SUBMIT server.
At least one of the large providers has told me they plan to do OAUTH submission, presumably with long lived tokens, which would greatly mitigate the security issues. It is my impression that if word got back that lists were considering doing the submit trick, it would motivate them to get OAUTH submission working sooner.
R's, John