Sorry but i don’t get your point. This post is not about what is visible to end-user but more about combining different technologies ( SPF, DKIM and DMARC) in such way to add more value to Spammassassin.
Since DMARC was not present in Spammassasin by default trough a plugin this was/is a technique to bring also DMARC in equation. It doesn’t mean that you don’t check anymore anything else.

Ordinary SPF (and therefore the spamassassin SPF_PASS test) only works with the envelope sender, which is often not visible to users. DKIM and DMARC are supposed to check the “From” header address, however the rules in this blog post will ignore this address if only the envelope sender address passes the SPF checks.

It was never about the math.
You math is fine and i understand your point but you started your investigation from the fact that in order for DMARC to pass you should have DKIM OR(and not AND) SPF to pass.

Actually the DMARC specs ( if you read RFC7489) is leaving a lot of space for interpretation. Plus this is not a standard but an informational RFC.

Just two examples:
1) is actually is enforcing that DMARC should not replace local policy.
I quote: “Mail Receivers MAY choose to reject or quarantine email even if email passes the DMARC mechanism check. The DMARC mechanism does not inform Mail Receivers whether an email stream is “good”. Mail Receivers are encouraged to maintain anti-abuse technologies to combat the possibility of DMARC-enabled criminal campaigns.”
2) is saying that “different treatment of messages that are not authenticated versus those that fail authentication” is not in the scope of this RFC.

It was never about “&& ||” but about how sure i am when i want to reject. Since both DKIM and SPF have their own flows which can be exploited in the benefit of a rogue actor i want to be very sure when i REJECT that message. Moreover my approach(which you might think is more relaxed) is also covering the situation when you don’t have the correct information about a DKIM/SPF due to a DNS issue at that time.

Long story short i prefer to build on a scoring mechanism and double check the info(in my case DKIM and SPF must fail for a DMARC rejection) rather than immediately rejecting based on only one of them.
In an ideal world where all the e-mail/domain administrator will correctly cover DKIM/SPF/DMARC than you might think to put && instead ||. In this world where false positive can be easily created due to unmaintained/incorrectly configuration i prefer to double check. Hope that make more sense now.

Please see other details on: https://dmarc.org/wiki/FAQ#How_does_DMARC_work.2C_briefly.2C_and_in_non-technical_terms.3F

this check is invalid, this -OR- logic in the () reads:
if not (DKIM_VALID_AU -OR- SPF_PASS) AND theres a policy for the domain then reject
which means an email with assuming a policy exists (1):

!DKIM_VALID_AU and !SPF_PASS == if !(0 || 0) && 1 == 1 && 1 == 1 == ACTION (GOOD)
DKIM_VALID_AU and !SPF_PASS == if !(1 || 0) && 1 == 0 && 1 == 0 == NO ACTION (BAD)
!DKIM_VALID_AU and SPF_PASS == if !(0 || 1) && 1 == 0 && 1 == 0 == NO ACTION (BAD)
DKIM_VALID_AU and SPF_PASS == if !(1 || 1) && 1 == 0 && 1 == 0 == NO ACTION (GOOD)

if no policy exists (0) we are always NO ACTION (GOOD)
Basically its not failing out and runing the domain’s policy for a failure of individual parts.

Test with a quick perl script (play with the 3 variables up top):

#!/usr/bin/perl
$DKIM_VALID_AU = 1;
$SPF_PASS = 1;
$POLICY = 1;

$PRES = int( !($DKIM_VALID_AU || $SPF_PASS) );
$RES = int ( !($DKIM_VALID_AU || $SPF_PASS) && $POLICY );

print “DKIM_VALID_AU=$DKIM_VALID_AU SPF_PASS=$SPF_PASS PAREN RESULT=$PRES RESULT=$RES AKA: “;

if ($RES) {
print “ACTION\n”;
} else {
print “NO ACTION\n”;
}

POLICY=1 DKIM_VALID_AU=0 SPF_PASS=0 PAREN RESULT=1 RESULT=1 AKA: ACTION
POLICY=1 DKIM_VALID_AU=0 SPF_PASS=1 PAREN RESULT=0 RESULT=0 AKA: NO ACTION
POLICY=1 DKIM_VALID_AU=1 SPF_PASS=0 PAREN RESULT=0 RESULT=0 AKA: NO ACTION
POLICY=1 DKIM_VALID_AU=1 SPF_PASS=1 PAREN RESULT=0 RESULT=0 AKA: NO ACTION

The following will actually work (tested for all cases):

meta DMARC_REJECT !(DKIM_VALID_AU && SPF_PASS) && __DMARC_POLICY_REJECT

if not (DKIM_VALID_AU -AND- SPF_PASS) AND theres a policy for the domain then REJECT

Validate by changing that perl script logic to match:

#!/usr/bin/perl
$DKIM_VALID_AU = 1;
$SPF_PASS = 1;
$POLICY = 1;

$PRES = int( !($DKIM_VALID_AU && $SPF_PASS) );
$RES = int ( !($DKIM_VALID_AU && $SPF_PASS) && $POLICY );

print “DKIM_VALID_AU=$DKIM_VALID_AU SPF_PASS=$SPF_PASS PAREN RESULT=$PRES RESULT=$RES AKA: “;

if ($RES) {
print “ACTION\n”;
} else {
print “NO ACTION\n”;
}

POLICY=1 DKIM_VALID_AU=1 SPF_PASS=1 PAREN RESULT=0 RESULT=0 AKA: NO ACTION
POLICY=1 DKIM_VALID_AU=0 SPF_PASS=1 PAREN RESULT=1 RESULT=1 AKA: ACTION
POLICY=1 DKIM_VALID_AU=1 SPF_PASS=0 PAREN RESULT=1 RESULT=1 AKA: ACTION
POLICY=1 DKIM_VALID_AU=0 SPF_PASS=0 PAREN RESULT=1 RESULT=1 AKA: ACTION

POLICY=0 DKIM_VALID_AU=1 SPF_PASS=1 PAREN RESULT=0 RESULT=0 AKA: NO ACTION
POLICY=0 DKIM_VALID_AU=0 SPF_PASS=0 PAREN RESULT=1 RESULT=0 AKA: NO ACTION

If any of the conditions are 0 (fail) then the policy is enforced. If everything checks out its ignored. No policy means no action.

Thanks so much for the information about how to set the DMARC check up via AskDNS. Hopefully this correction helps make this method even better.