John Levine writes:
Thinking about it this way, I'm not really sure what's being considered for DMARC, ...
Nothing specifically for DMARC.
Yeah, I got that far.
OAuth just avoids the need to ask the user directly for her password. Once you have access to the subscriber's submit server, you can run the decorated message through it to get the mail provider's signature, then remail that.
This is potentially a lot of remailing, though. Somebody who has been posting twice a day to a mailing list with 1000 subscribers suddenly goes from 10 outgoing messages a day to 2008. I suppose this is just a drop in the bucket for the MTAs, but I wonder if the mailbox providers will really go for this given their sensitivity to taking responsibility for anything (except keeping spam out of their users' mailboxes).