romaniitedomum 5 hours ago

> Yes, good spammers make sure their DMARC, DKIM and SPF are correct.

Many do, but not all. One of the hats I wear at work is mail server administrator, and it's astonishing the number of spam and phish attempts using our company domains that I see from all over the world, all of which bounce off due to SPF.

I've noticed too in recent years that some phishing spammers seek out established domains with liberal SPF (either no SPF or ~all) and use those for their phishing attempts. Some of the most common I've seen, ones that stuck in my mind, were secure.net, yale.edu, and servermail.com.

A point I have to reiterate to colleagues over and over is that SPF and DKIM are a form of identity management for domains. They're designed for phishing prevention, not general spam prevention. If you register a domain for any purpose, the first thing you should do, in my opinion, is stick a "v=spf1 -all" in DNS for it. Otherwise, phishing spammers may ruin its reputation before you get a chance to use it.
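
An added example, not part of the comment above: a small audit check a mail administrator could run over the TXT records of their own domains to find the "liberal SPF" cases the comment describes (no SPF, or `~all`) as opposed to the `v=spf1 -all` lockdown it recommends. The function names and the `.example` domains and records are constructed for illustration; the classification follows RFC 7208 (default qualifier `+`, terms after `all` ignored, neutral when no `all` or `redirect` is present).

```python
# Added example: classify the catch-all policy of an SPF record.
# Input is the list of TXT strings already fetched for a domain.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_all_policy(txt_records):
    """Return how the domain treats senders that match no other mechanism."""
    spf = [r.strip() for r in txt_records
           if r.strip().lower().split(" ", 1)[0] == "v=spf1"]
    if not spf:
        return "none"        # no SPF published at all
    if len(spf) > 1:
        return "permerror"   # RFC 7208: multiple SPF records is an error
    redirect = False
    for term in spf[0].split()[1:]:
        t = term.lower()
        qualifier, mech = (t[0], t[1:]) if t[0] in QUALIFIERS else ("+", t)
        if mech == "all":
            return QUALIFIERS[qualifier]   # anything after "all" is ignored
        if t.startswith("redirect="):
            redirect = True
    # Without "all": policy is delegated, or defaults to neutral.
    return "redirect" if redirect else "neutral"


def needs_review(zone_txt):
    """Map each domain that does not hard-fail unauthorized senders to its policy."""
    policies = {d: spf_all_policy(txt) for d, txt in zone_txt.items()}
    return {d: p for d, p in policies.items() if p != "fail"}


# Constructed sample data (hypothetical domains and records).
SAMPLE = {
    "parked.example": ["v=spf1 -all"],
    "soft.example": ["site-verification=abc123",
                     "v=spf1 include:_spf.mail.example ~all"],
    "nospf.example": ["site-verification=def456"],
    "open.example": ["v=spf1 a mx"],
    "dup.example": ["v=spf1 -all", "v=spf1 ~all"],
}

if __name__ == "__main__":
    for domain, policy in sorted(needs_review(SAMPLE).items()):
        print(f"{domain}: {policy}")
```

A `redirect` result means the effective policy lives in another domain's record and has to be checked there.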