Jim Popovitch writes:

Unless I am mistaking things, the sheer irony here is that Yahoo's bastardized version of DMARC, which is necessary to stave off collateral damage from their past security breach(es?), needs to be further augmented with even less user security in order to be secure.

I don't see why the OAuth version of John's proposal would be less secure.

If you want real irony, look no farther than Yahoo! Groups' From: header field. Yahoo! is using DMARC to get "yahoo.com" out of the From: field in list traffic, and Groups is putting it right back in.