I am specifically referring to DMARC SPF alignment.
To get a DMARC pass result, all it takes is that either SPF or DKIM aligns.
Let us say that I am an attacker, and try to impersonate abc.com. I have not set up DKIM which means I'm going to fail this check. Now SPF alignment is going to check envelope-from vs from:. What stops me from configuring a matching envelope-from and from: ?
The vast majority of domains configure ~all in their SPF record (e.g. Google). I might fail this check as I don't own any of the authorized IPs, but it is unlikely I would be blocked. Then DMARC alignment would give me a pass result because my envelope-from: matches from:.
I am under the impression that DMARC, contrary to its intended goal, would actually give me some legitimacy while impersonating another domain.
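The scenario in the question can be checked against the evaluation rules of RFC 7489, where an identifier only counts for DMARC if the underlying check actually returns "pass" and the identifier's domain aligns with the RFC5322.From domain. Below is an added example, not code from the question or from any mail-server product: a small DMARC evaluator with a constructed spoofing scenario (envelope-from and From: both set to abc.com, SPF softfail because of `~all`, no DKIM signature) alongside a legitimate message. The `org_domain` helper is a deliberately simplified stand-in for a Public Suffix List lookup, and the DMARC record text is constructed for the example.

```python
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    """Organizational domain used for relaxed alignment.

    Assumption: real DMARC implementations consult the Public Suffix List;
    this simplified version keeps the last two labels, which is enough for
    the constructed examples below (abc.com, mail.abc.com).
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def aligned(identifier_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the
    same organizational domain (RFC 7489 section 3.1)."""
    if mode == "s":
        return identifier_domain.lower() == from_domain.lower()
    return org_domain(identifier_domain) == org_domain(from_domain)


def parse_dmarc_record(txt: str) -> dict:
    """Parse the tags of a DMARC TXT record; defaults follow RFC 7489."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return {
        "p": tags.get("p", "none"),        # policy for non-passing mail
        "adkim": tags.get("adkim", "r"),   # DKIM alignment mode
        "aspf": tags.get("aspf", "r"),     # SPF alignment mode
    }


@dataclass
class AuthResults:
    from_domain: str    # RFC5322.From domain the user sees
    spf_result: str     # result of the SPF check: pass/fail/softfail/...
    spf_domain: str     # RFC5321.MailFrom (envelope-from) domain
    dkim_result: str    # pass/fail/none
    dkim_domain: str    # d= tag of the DKIM signature, "" if unsigned


def evaluate_dmarc(auth: AuthResults, record: str) -> tuple:
    """Return (dmarc_result, disposition).

    An identifier is only usable if its check returned "pass" AND it aligns.
    A softfail from "~all" is not a pass, so a matching envelope-from alone
    does not authenticate the message.
    """
    policy = parse_dmarc_record(record)
    spf_ok = auth.spf_result == "pass" and aligned(
        auth.spf_domain, auth.from_domain, policy["aspf"])
    dkim_ok = auth.dkim_result == "pass" and aligned(
        auth.dkim_domain, auth.from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy["p"]


# Constructed DMARC record for the example domain.
RECORD = "v=DMARC1; p=reject; aspf=r; adkim=r"

# Constructed scenario from the question: attacker matches envelope-from to
# From:, but sends from an IP not in the SPF record, which ends in ~all.
SPOOFED = AuthResults("abc.com", "softfail", "abc.com", "none", "")

# Constructed legitimate message from an authorized IP, unsigned by DKIM.
LEGIT = AuthResults("abc.com", "pass", "abc.com", "none", "")

if __name__ == "__main__":
    print("spoofed:", evaluate_dmarc(SPOOFED, RECORD))   # ('fail', 'reject')
    print("legit:  ", evaluate_dmarc(LEGIT, RECORD))     # ('pass', 'none')
```

Two design points are worth noting for defenders: the DMARC result depends on the SPF check result, not on the `~all` versus `-all` qualifier, so softfail domains still fail DMARC when the sending IP is unauthorized; and the disposition (`p=`) is what the receiver applies, so a domain publishing `p=none` collects reports without blocking anything.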