It's pretty straightforward - a scammer isn't really tied to the real sending domain of a company. Let's say there's a company.com sending domain which identity I'd like to spoof. If I was a spammer I would be aware that:
- top mailbox providers are likely to filter out or land into Spam all the mail which isn't authenticated the same way as original emails coming from it
- most of email users see and care only about visible part of from email but not the real from address
So what's the reason for me to use "Company Name <noreply@company.com>"? I would rather go with "Company Name <noreply@c0mpany.com>".
And as soon as I'm not using the original domain name DMARC policy of company.com becomes useless.
Couple years ago I had sales calls with a Agari and Return Path representatives in regard of their DMARC-based solutions. The only question I've asked them was "What's the point in your product if a spammer can easily avoid any DMARC-based defense?". I've got no real answer.
Today I've found the proof that I was right. Return Path whitepaper states DMARC is protecting brands from only 30% of email-borne attacks.