The sender policy is a request. The decision whether to follow or ignore the request is at the option of the recipient system administrator, not the developer.
Consider in particular the case of p=quarantine. How do I tell the system that I have evaluated the quarantine issue and I know which identifier sets are acceptable, which are unacceptable, and which are unresolved? Any specific instance of quarantine should be a one-time event, because after the review, the system should be told how to unambiguously handle the next message with the same characteristics.
Soapbox:
All human communication is interpreted in the context of the speaker or author, and the message From address indicates the purported author of an email message. If the author identity is fraudulent, the message is inherently a threat. Therefore, every allowed message should be authenticated. The need for universal authentication means that we need the ability to test every From address, which is why we need what I called Best-Guess DMARC.
Any message without authentication may or may not be an Impersonation, but the risk should not be ignored. The only way to know the truth is to collect more data by reviewing the message details, contacting the recipient, or contacting the sender. In short, one-time quarantine is the optimal disposition for any unauthenticated From address. Sender disposition recommendation is irrelevant.
If quarantine review determines that a message is unacceptable for any reason, the relevant sender identities get blacklisted. If you block a fraudulent message without investigating to identify the fraudster, you have wasted an opportunity and put yourself at risk for a future penetration when the attacker changes tactics.
If quarantine review determines that a message is acceptable, an alternate authentication rule is needed to identify the acceptable message. To prevent successful impersonation, this alternate authentication rule must be based on a verified identifier and whatever other identifiers occur with it. This is not whitelisting, because alternate authentication does not imply exemption from content filtering. Whitelisting is a separate decision from alternate authentication. Whitelisting should never occur without authentication, because doing so creates a security hole -- an impersonation of the whitelisted address will cause the message to bypass both authentication tests and content tests, allowing the message to go straight to the payload detonation target. Unfortunately, whitelisting without authentication is the only option provided by most "security" products.
Without universal authentication, DMARC provides fake security. At its best, it forces an attacker to impersonate Yale.edu instead of Citibank.com. Citibank may consider this a win, but it is not a win for the recipient domain. If my organization is devastated with ransomware deployed through impersonation, I will be too busy with damage control to care which company was the one impersonated.
What's worse, DMARC provides lots of ways for the attacker to collect public information to determine which domains he can successfully impersonate. Because too many people follow the same strategy used by SmarterMail development, an attacker can assume that any domain with "p=none" or "no policy" is fair game. To test things even further, he can send a test message that impersonates a domain under his own control, then wait to see what data is returned in the SMTP response and what data is sent back to the "victim" domain in an aggregate report or failure report. Since most organizations do whitelisting for their most important correspondents, and most security products do whitelisting without authentication, the attacker can form a pretty good idea about the best impersonation domain to ensure penetration of your network.
The only defense against this is to use DMARC to ensure that all messages are authenticated. This can be done because I have done it, and have been running in this mode for a couple of years. It has protected me from a lot of stuff, both malicious and merely unwanted. There are some shortcuts to minimize quarantine effort, but this document is already long enough.
I don't need SmarterMail DMARC for authentication, but I do need it for BIMI. But I cannot turn on BIMI because I don't want automatic reject. That is why I need weighting instead of auto-reject.
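Added example, to make the disposition model in the post concrete (this is my illustration, not the poster's code and not anything SmarterMail ships): every unauthenticated From goes to a one-time quarantine regardless of the sender's p= value, a review either blacklists the verified sender identities or creates an alternate authentication rule bound to a verified identifier plus whatever co-occurred with it, and whitelisting (content-filter exemption) only ever applies to an authenticated message. The domain names, IP addresses, class names and the in-memory rule store are all constructed assumptions.

```python
"""Added example: toy disposition engine for one-time quarantine plus
alternate authentication. All names and traffic below are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Identifiers:
    from_domain: str            # RFC5322.From domain: the purported author
    spf_domain: Optional[str]   # RFC5321.MailFrom domain, set only if SPF passed
    dkim_domain: Optional[str]  # DKIM d= domain, set only if the signature verified
    client_ip: str              # address of the connecting MTA


def org_domain(domain: str) -> str:
    """Simplification: last two labels. Real DMARC uses the public suffix list."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_aligned(ids: Identifiers) -> bool:
    """Relaxed alignment: a verified identifier shares From's organizational domain."""
    target = org_domain(ids.from_domain)
    return any(d is not None and org_domain(d) == target
               for d in (ids.spf_domain, ids.dkim_domain))


@dataclass(frozen=True)
class AltAuthRule:
    """Built after a quarantine review finds a message acceptable. It binds the
    From domain to a verified identifier (DKIM d= or SPF-passed MailFrom) plus
    whatever else co-occurred, so forging the From alone cannot satisfy it."""
    from_domain: str
    dkim_domain: Optional[str] = None
    spf_domain: Optional[str] = None
    client_ip: Optional[str] = None

    def __post_init__(self) -> None:
        if not (self.dkim_domain or self.spf_domain):
            raise ValueError("alternate authentication needs a verified identifier")

    def matches(self, ids: Identifiers) -> bool:
        pairs = [(self.from_domain, ids.from_domain), (self.dkim_domain, ids.dkim_domain),
                 (self.spf_domain, ids.spf_domain), (self.client_ip, ids.client_ip)]
        return all(have is not None and have.lower() == want.lower()
                   for want, have in pairs if want is not None)


class Dispositioner:
    def __init__(self) -> None:
        self.alt_rules: list[AltAuthRule] = []
        self.blacklist: set[str] = set()        # identifiers a review tied to fraud
        self.whitelist: set[str] = set()        # From domains exempt from content filtering
        self.pending: set[Identifiers] = set()  # quarantined, awaiting review

    @staticmethod
    def sender_identities(ids: Identifiers) -> set[str]:
        # What a review can blacklist: the verified domains and the connecting IP.
        return {x.lower() for x in (ids.dkim_domain, ids.spf_domain) if x} | {ids.client_ip}

    def authenticated(self, ids: Identifiers) -> bool:
        return dmarc_aligned(ids) or any(r.matches(ids) for r in self.alt_rules)

    def disposition(self, ids: Identifiers) -> str:
        """Ignores the sender's p= entirely; the recipient decides."""
        if self.sender_identities(ids) & self.blacklist:
            return "reject"          # a prior review identified this sender as fraudulent
        if self.authenticated(ids):
            return "accept"          # authenticated; content filtering still runs
        self.pending.add(ids)        # unauthenticated From: one-time quarantine
        return "quarantine"

    def content_filter_exempt(self, ids: Identifiers) -> bool:
        """Whitelisting requires authentication, or an impersonation of the
        whitelisted From would skip both the auth tests and the content tests."""
        return self.authenticated(ids) and ids.from_domain.lower() in self.whitelist

    def review(self, ids: Identifiers, acceptable: bool, pin_ip: bool = False) -> None:
        """Resolve a quarantine so the next message with these identifiers is unambiguous."""
        self.pending.discard(ids)
        if acceptable:
            self.alt_rules.append(AltAuthRule(ids.from_domain, ids.dkim_domain, ids.spf_domain,
                                              ids.client_ip if pin_ip else None))
        else:
            self.blacklist |= self.sender_identities(ids)


def demo() -> dict[str, object]:
    """Constructed traffic: an aligned bank, a vendor mailing through a bulk sender,
    an impersonation of that vendor, and a phish whose real sender gets blacklisted."""
    d = Dispositioner()
    d.whitelist.add("vendor.example")
    aligned = Identifiers("bank.example", None, "bank.example", "198.51.100.5")
    vendor = Identifiers("vendor.example", "bulkmail.example", "bulkmail.example", "203.0.113.10")
    forged = Identifiers("vendor.example", "attacker.example", "attacker.example", "203.0.113.77")
    phish = Identifiers("bank.example", "phish.example", None, "203.0.113.99")
    out: dict[str, object] = {"aligned": d.disposition(aligned), "vendor_first": d.disposition(vendor)}
    d.review(vendor, acceptable=True)           # review done: add an alternate auth rule
    out["vendor_second"] = d.disposition(vendor)
    out["vendor_exempt"] = d.content_filter_exempt(vendor)
    out["forged"] = d.disposition(forged)       # same From, wrong verified identifiers
    out["forged_exempt"] = d.content_filter_exempt(forged)
    out["phish_first"] = d.disposition(phish)
    d.review(phish, acceptable=False)           # review done: blacklist the real sender
    out["phish_again"] = d.disposition(phish)
    retry = Identifiers("other.example", "phish.example", None, "203.0.113.99")
    out["phish_new_from"] = d.disposition(retry)  # new From, same sender: still rejected
    out["pending"] = len(d.pending)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the forged-vendor case is the whitelisting hole the post describes: vendor.example is whitelisted, but because the forgery carries attacker.example as its verified identifiers it never authenticates, so it gets quarantined and is not exempt from content filtering. The phish case shows why review before blocking matters: once the real sender identities are blacklisted, the same sender changing its From domain is still rejected.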