[aj3]

Eh, DMARC is meant to solve different problem. E.g. when your accountant receives spoofed mail with a fake invoice supposedly coming from a legit supply chain provider. They might be trained to check domain that was used to send email but without DMARC non-techies won’t be able to notice well made spoofed email.

[upofadown]

Assuming that the email client used even shows the domain. If you can train your employee to do an obscure technical check you can for sure train them to verify invoices. After all, if you don't then the legit supply chain provider can just generate fake invoices.