Forum Discussion

halfgaar
Copper Contributor
Apr 15, 2020

Office 365 policy negates DMARC because it trusts header-from

Hi,

(I hope this is the right board...)

In https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dmarc-to-validate-email?view=o365-worldwide#how-office-365-handles-inbound-email-that-fails-dmarc, it says:

  • Office 365 treats p=reject and p=quarantine the same way
  • If Office 365 rejected these messages, people could lose legitimate email and have no way to retrieve it. Instead, these messages will still fail DMARC but they will be marked as spam and not rejected.
  • If desired, users can still get these messages in their inbox through these methods: "Users add safe senders individually by using their email client"

That bold statement completely negates DMARC:

  • For some reason, e-mail from person@example.com fails DMARC.
  • person@example.com is added as safe sender.
  • everybody can now spoof person@example.com again.

The whole point is that the header "From:" can't be trusted.

Isn't this the wrong way of doing things?
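The bypass the post describes, as an added example that is not part of the original post and does not model Office 365's real filtering pipeline. It is a small Python model of an inbound filter: two constructed messages carry the same header From, one with a made-up Authentication-Results header showing dmarc=pass and one spoof showing dmarc=fail. `naive_verdict` implements the behaviour the post objects to (a safe-sender match on the unauthenticated header From overrides everything); `hardened_verdict` is one assumed fix in which a DMARC failure is never overridden and the safe-sender entry only relaxes the content filter once the From domain has been authenticated. The domains, header values and function names are all constructed for the example.

```python
"""Model of a safe-sender override on inbound mail, with and without DMARC precedence."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages. The Authentication-Results values are made up
# to represent what a boundary MTA would record; the domains are fictitious.
LEGIT_MSG = (
    "Authentication-Results: mx.contoso.example; spf=pass smtp.mailfrom=example.com;"
    " dkim=pass header.d=example.com; dmarc=pass header.from=example.com\n"
    "From: Some Person <person@example.com>\n"
    "To: user@contoso.example\n"
    "Subject: Invoice 42\n"
    "\n"
    "Please find the invoice attached.\n"
)

SPOOF_MSG = (
    "Authentication-Results: mx.contoso.example; spf=fail smtp.mailfrom=attacker.example;"
    " dkim=none; dmarc=fail header.from=example.com\n"
    "From: Some Person <person@example.com>\n"
    "To: user@contoso.example\n"
    "Subject: Urgent: change our bank details\n"
    "\n"
    "Please wire the next payment to the new account below.\n"
)


def parse_auth_results(raw):
    """Return {method: result} from the message's Authentication-Results header.

    The first ';'-separated element is the authserv-id; each following clause
    starts with a method=result token (RFC 8601 layout), e.g. 'dmarc=fail'.
    """
    msg = message_from_string(raw)
    header = msg.get("Authentication-Results", "")
    results = {}
    for clause in header.split(";")[1:]:
        clause = clause.strip()
        if not clause:
            continue
        method_result = clause.split()[0]
        if "=" in method_result:
            method, result = method_result.split("=", 1)
            results[method.lower()] = result.lower()
    return results


def header_from(raw):
    """Return the (unauthenticated) address in the header From field."""
    msg = message_from_string(raw)
    return parseaddr(msg.get("From", ""))[1].lower()


def naive_verdict(raw, safe_senders, content_spam=False):
    """The behaviour the post objects to: a safe-sender hit on the header From
    wins, even though nothing has verified that header."""
    if header_from(raw) in safe_senders:
        return "inbox"
    if parse_auth_results(raw).get("dmarc") == "fail" or content_spam:
        return "junk"
    return "inbox"


def hardened_verdict(raw, safe_senders, content_spam=False):
    """Assumed fix (not Office 365's actual logic): the domain owner's DMARC
    policy is applied first and cannot be overridden by a per-user safe list;
    the safe-sender entry only relaxes the content filter once the From domain
    has authenticated (dmarc=pass)."""
    auth = parse_auth_results(raw)
    if auth.get("dmarc") == "fail":
        return "junk"
    if auth.get("dmarc") == "pass" and header_from(raw) in safe_senders:
        return "inbox"
    return "junk" if content_spam else "inbox"


if __name__ == "__main__":
    safe = {"person@example.com"}
    print("naive, spoof, safe-listed:   ", naive_verdict(SPOOF_MSG, safe))      # inbox
    print("hardened, spoof, safe-listed:", hardened_verdict(SPOOF_MSG, safe))   # junk
    print("hardened, legit, flagged:    ", hardened_verdict(LEGIT_MSG, safe, content_spam=True))  # inbox
```

One caveat the model glosses over: a filter may only trust Authentication-Results headers that its own boundary MTA added (RFC 8601 has the receiving MTA strip or ignore any that arrive from outside), otherwise an attacker simply supplies a dmarc=pass header along with the forged From.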

