While the DKIM passes, the SPF fails (per the Yahoo screenshot), so if I have this right a bad actor would still need to hack the legitimate senders DNS records (assuming DMARC rules are set up somewhat strictly). Do I have this right?
Of course, if you can modify the SPF records, you can make the DMARC record say whatever you want.
Of course, if you can modify the SPF records, you can make the DMARC record say whatever you want.