Honestly not sure what, if anything, to do with SPF and DKIM. Seeing
I have two goals:
1) Prevent abuse posted to a group such as that I reported to support 8/11. This is where a malcontent or crook uses credentials at an otherwise legit mailbox provider to spoof a group member's address, resulting in junk posted to the group.
2) Eliminate the need for a confirmation email and response for email commands in most cases.
Case (1) is the more important, but I think (2) is easier. Mostly because there is no adverse consequence of a failed authentication in case (2) - you just send the confirmation email as you do now. You could accept the OR of two tests: a valid DKIM, signed by the header-from domain as one test; or a passing SPF but only if the header-from domain is aligned with the envelope-from domain as the other test. This happens to be the same as the DMARC criteria, I think. So in the case of a "pass" you send a notification of the command's acceptance and effect rather than a request for confirmation.
In case (1) the difficulty arises if both tests fail. That's sure to be true in the case I want to weed out, but I don't know how many legit messages might be affected. I think the case you cited to me on 8/13 would be one such; unless we (you) can figure out something he could tell you by way of account information that would let you make a third test that would pass his messages.
My inclination is to say that it is "good enough" if you force messages that fail both tests into the pending queue, as if sent by a non-subscriber (but with a different marking, of course). That would have allowed the group mod in my support case to discard the abuse before it hit the group.
Yes, that would be a pain for the second fellow, and his group mods. But he's already committed to switching Thunderbird to use the correct SMTP server, so that should solve his case. One down...
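
The two-test rule proposed in the post above, sketched as an added example that is not part of the original post or the service's own code. It assumes the receiving MTA has already recorded its DKIM and SPF verdicts in an `Authentication-Results` header under the hypothetical authserv-id `mx.lists.example`, treats "aligned" as an exact domain match, and uses constructed sample messages and hypothetical routing labels.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.lists.example"  # assumption: authserv-id of our own MTA
PROP = {"dkim": "header.d", "spf": "smtp.mailfrom"}  # domain each test vouches for

def domain_of(value):
    # Accepts "user@domain" or a bare domain; returns the lowercased domain.
    return value.rsplit("@", 1)[-1].strip("<>").lower()

def authenticated(raw):
    """True if DKIM or SPF passed for the header-From domain (exact match)."""
    msg = message_from_string(raw)
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    if not from_dom:
        return False
    for ar in msg.get_all("Authentication-Results", []):
        authserv, _, results = ar.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # a header we did not add ourselves proves nothing
        for res in results.split(";"):
            res = " ".join(res.split())  # undo header folding
            m = re.match(r"(dkim|spf)=(\w+)", res)
            if not m or m.group(2).lower() != "pass":
                continue
            p = re.search(re.escape(PROP[m.group(1)]) + r"=(\S+)", res)
            if p and domain_of(p.group(1)) == from_dom:
                return True  # passing test is aligned with header-From
    return False

def route(raw, kind):
    # kind is "command" (goal 2) or "post" (goal 1); labels are hypothetical.
    ok = authenticated(raw)
    if kind == "command":
        return "execute_and_notify" if ok else "send_confirmation"
    return "deliver_to_group" if ok else "pending_queue"

# Constructed samples: same header-From, different authentication outcomes.
ALIGNED = ("Authentication-Results: mx.lists.example;\n"
           " dkim=pass header.d=member.example;\n"
           " spf=fail smtp.mailfrom=bounce@relay.example\n"
           "From: Member <alice@member.example>\n\nbody\n")
SPOOFED = ("Authentication-Results: mx.lists.example;\n"
           " dkim=pass header.d=provider.example;\n"
           " spf=pass smtp.mailfrom=crook@provider.example\n"
           "From: Member <alice@member.example>\n\nbody\n")
```

In the `SPOOFED` sample both DKIM and SPF pass, but only for the provider's domain, so neither test is aligned with the header-from address and the message is held rather than posted.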