by johngalt 1769 days ago
SPF = This list of servers is authorized to send email for my domain.

DKIM = This specific email can be verified/authenticated by my DNS.

DMARC = What to do with email that doesn't comply with above. And how to tell me about it (if you want to).

SPF is basically useless due to the centralization of email providers. It was created to be locked to a company-specific email server. E.g., only accept mail from exchangeserver.company.com, and reject everything not from that server. Now everyone authorizes Microsoft or Google to send their mail.

2 comments

Technically SPF is still useful if you trust that Microsoft and Google aren't allowing arbitrary email to be sent from non-verified email addresses, which it seems both do (although neither seems to require periodic re-verification).
SPF (alone) is useless because it actually does not check the sender's domain in the From header (as one might naively think). Instead it only verifies the Envelope Sender, which can differ (intentionally) from the address seen in the From header.
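The envelope-sender point in the reply above, shown as an added example (not code from the thread): a minimal SPF evaluator that only ever sees the MAIL FROM domain, followed by the DMARC alignment step that ties the result back to the header From. The TXT records, domains and IPs are constructed for the example, and "organizational domain" is approximated as the last two labels rather than via the public suffix list.

```python
import ipaddress
# Constructed in-memory TXT records so the example runs offline; none of these
# domains or addresses are real SPF data (assumption for illustration).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ~all",
    "other.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, client_ip, depth=0):
    """Evaluate the envelope sender (MAIL FROM) domain's SPF record against the
    connecting IP. Handles ip4, include and all; other mechanisms never match."""
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(term[8:], client_ip, depth + 1) == "pass"
        else:
            matched = term == "all"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and the record has no explicit "all"

def aligned(domain, header_from_domain, strict=False):
    """DMARC identifier alignment. Relaxed mode compares organizational domains,
    approximated here as the last two labels (real checkers use the public suffix list)."""
    if strict:
        return domain.lower() == header_from_domain.lower()
    return domain.lower().split(".")[-2:] == header_from_domain.lower().split(".")[-2:]

def dmarc_evaluate(mail_from_domain, header_from_domain, client_ip,
                   dkim_domain=None, dkim_valid=False):
    """DMARC passes only if SPF passes AND the MAIL FROM domain aligns with the
    header From, or a valid DKIM signature's d= domain aligns with it."""
    spf = spf_check(mail_from_domain, client_ip)
    spf_ok = spf == "pass" and aligned(mail_from_domain, header_from_domain)
    dkim_ok = dkim_valid and dkim_domain is not None and aligned(dkim_domain, header_from_domain)
    return {"spf": spf, "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# One message judged both ways: envelope sender other.example is authorized for
# 203.0.113.7, so SPF alone passes, but the header From claims example.com.
print(dmarc_evaluate("other.example", "example.com", "203.0.113.7"))  # → {'spf': 'pass', 'dmarc': 'fail'}
```

Adding a valid DKIM signature with d=example.com (the `dkim_domain`/`dkim_valid` arguments) flips the same message to a DMARC pass, which is the second path DMARC allows.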