Most of confusion with email authentication historically came from two things: SMTP envelope address might not be equal to content From: address, and there was no clear policy whether to expect DKIM signature, or to which address apply SPF check.
SPF is enough to prevent spoofed source of SMTP envelope, but not for From: spoofing. (applying it to From: address would reject any forwarded mail, which probably isn't desired)
DKIM ensures legitimacy of From: address, and works correctly with forwarding. But DKIM itself doesn't specify whether you should require DKIM signature. (ADSP record allows to specify that, but it wasn't deployed nearly at all)
DMARC record is used to specify unambiguous policy, and it passes when either SPF is aligned with From: address, or there's valid DKIM signature. Thus DKIM+DMARC is enough to prevent spoofed mail, but SPF is usually kept in case some servers still don't support newer methods. SPF+DMARC would also prevent spoofing, but will also reject forwarded mail.
Note that SPF+DKIM without DMARC doesn't really protect against spoofing, because SPF checks only envelope address, and you cannot tell whether DKIM signature is required.
SPF is enough to prevent spoofed source of SMTP envelope, but not for From: spoofing. (applying it to From: address would reject any forwarded mail, which probably isn't desired)
DKIM ensures legitimacy of From: address, and works correctly with forwarding. But DKIM itself doesn't specify whether you should require DKIM signature. (ADSP record allows to specify that, but it wasn't deployed nearly at all)
DMARC record is used to specify unambiguous policy, and it passes when either SPF is aligned with From: address, or there's valid DKIM signature. Thus DKIM+DMARC is enough to prevent spoofed mail, but SPF is usually kept in case some servers still don't support newer methods. SPF+DMARC would also prevent spoofing, but will also reject forwarded mail.
Note that SPF+DKIM without DMARC doesn't really protect against spoofing, because SPF checks only envelope address, and you cannot tell whether DKIM signature is required.