- Type: Suggestion
- Resolution: Won't Fix
- Component/s: Notifications - Email - DMARC - Internal
The current DMARC policy for the atlassian.net domain and its subdomains does not request the receiving server to take any action on e-mails received with failing SPF or DKIM settings.
As a result, an abuser can create an e-mail via our product and then forward it to a large number of target addresses. The receiving mail server will detect SPF / DKIM / DMARC issues but may not take any action. To a user, the forwarded e-mail looks as if it was sent from Atlassian.
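One way to check a published DMARC record for the gap described above, as an added example that is not part of the original ticket or Atlassian's code. The function names and the sample records are constructed for illustration and do not reproduce the real atlassian.net record.

```python
ENFORCING = {"quarantine", "reject"}
VALID = ENFORCING | {"none"}

def parse_dmarc(txt):
    """Split a DMARC TXT record into a {tag: value} dict (RFC 7489 tag-value list)."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    return tags

def audit_dmarc(txt):
    """Return the effective domain and subdomain policy plus any enforcement gaps."""
    tags = parse_dmarc(txt)
    p = tags.get("p", "").lower()
    if p not in VALID:
        raise ValueError("missing or invalid p= tag")
    sp = tags.get("sp", p).lower()      # subdomains inherit p when sp is absent
    if sp not in VALID:
        raise ValueError("invalid sp= tag")
    pct = int(tags.get("pct", "100"))   # share of failing mail the policy covers
    findings = []
    if p not in ENFORCING:
        findings.append("p=none: receivers are not asked to act on failing mail")
    if sp not in ENFORCING:
        findings.append("subdomains: effective policy is none")
    if (p in ENFORCING or sp in ENFORCING) and pct < 100:
        findings.append(f"pct={pct}: policy covers only part of failing mail")
    return {"domain_policy": p, "subdomain_policy": sp, "pct": pct,
            "enforced": not findings, "findings": findings}

if __name__ == "__main__":
    # Constructed sample records (placeholders, not real published records).
    samples = [
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=reject; sp=none",
        "v=DMARC1; p=quarantine; pct=25",
        "v=DMARC1; p=reject",
    ]
    for record in samples:
        result = audit_dmarc(record)
        print(record, "->", "OK" if result["enforced"] else result["findings"])
```

A record passes only when both the domain and its subdomains resolve to `quarantine` or `reject` for all failing mail.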