People keep trying to use DMARC as some sort of sender authorization scheme. It continues to be a server reputation scheme.

An unsigned email is still anonymous, no matter what DKIM and SPF say. It should be treated as such. No one should ever think: This email passed through a Google email server at one point. It must be legit.