Email Authentication lets you demonstrate that you sent a particular email.
Email Repudiation is a claim that you didn’t send a particular email.
SPF is only for email authentication1
DKIM is only for email authentication
DMARC is only for email repudiation
1 SPF was originally intended to provide repudiation, but it didn’t work reliably enough to be useful. Nobody uses it for that now.
Authentication and Repudiation
A
RSS - Posts
It’s not quite true that nobody uses SPF for repudiation. A plain “-all” SPF is somewhat useful for a domain to say that it sends no mail at all. But other than that, you’re right, and as we all know, DMARC’s repudiation model has some severe problems too.
Senders can certainly use “-all” to state they send no mail – and that can be useful information to publish – but receivers pay no attention to it, because they don’t special case just a “-all” record, they just see it as an SPF failure and they don’t reject mail that fails SPF.
Edit: Special-casing “no mail” is supported in some SPF checking code, and it’s probably a good thing to enable, but when I tested a few big ISPs a year or so back, none of them seemed to do that.