All of the things you mentioned exist as DNS records. When a system is trying to figure out if an email came from someone who’s allowed to send email from that domain, it checks these records. Look at it as if you’re receiving a package from Amazon (this is a really loose analogy, but it kinda works):
SPF – Think of this as a list of employees of a company. This is like Amazon saying: “This employee (IP address) is allowed to send you a package (send you an email) using our system, and anyone who isn’t on this list is not allowed.”
DKIM – Think of this as a notary, someone who “signs” the email as you would a legal document or bank check. You check this to make sure the company (or system) that sent the package (email) is the one you expect. This is like Amazon sending you the package in one of its own trucks, with an Amazon driver wearing an Amazon uniform.
DMARC – This tells your system what to do if you get something that’s not obviously from Amazon’s system (SPF) or delivered by an obvious agent of Amazon (DKIM). Most of the time, it’ll tell you to send it to the spam folder, or just delete it altogether. This is like refusing a package or letter from someone you don’t know (I don’t have a good analogy here because Amazon doesn’t really instruct people what to do when they get fraudulent packages).
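To make the "checks these records" step concrete, here is an added example (not part of the answer above) of how a receiving mail system evaluates the three records. It uses constructed DNS TXT records for the hypothetical domain example.com, evaluates only the SPF mechanisms that need no extra DNS lookups (ip4, ip6, all), takes the DKIM signature result as an input because real DKIM verification needs the signer's public key, and simplifies the "organizational domain" to the last two labels (real receivers consult the Public Suffix List). The function and variable names are this example's own.

```python
import ipaddress

# Constructed sample records for a hypothetical domain; not real DNS data.
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
DMARC_RECORD = "v=DMARC1; p=quarantine; aspf=r; adkim=s; rua=mailto:dmarc@example.com"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip):
    """Return the SPF result for sender_ip against an SPF TXT record.

    Handles ip4, ip6 and all. Mechanisms that need DNS (include, a, mx,
    exists) are skipped in this offline example.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"  # an unprefixed mechanism means "pass" if it matches
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6") and arg:
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed record: treat as a hard error
            matched = ip.version == net.version and ip in net
        else:
            continue  # would require a DNS lookup; not evaluated here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" present


def parse_dmarc(record):
    """Split a DMARC TXT record into its tag=value pairs; None if invalid."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def org_domain(domain):
    """Simplified organizational domain: last two labels (assumption)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict needs an exact match, relaxed
    only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain, dmarc_record):
    """Combine SPF and DKIM results with the DMARC policy.

    Returns (dmarc_result, disposition) where disposition is the action the
    receiver should take: "none" (deliver), "quarantine" or "reject".
    """
    tags = parse_dmarc(dmarc_record)
    if tags is None:
        return ("none", "none")  # no usable policy published
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "s"))
    if spf_ok or dkim_ok:
        return ("pass", "none")  # either aligned identifier is enough
    return ("fail", tags["p"])


if __name__ == "__main__":
    spf = check_spf(SPF_RECORD, "198.51.100.7")  # IP not in the SPF list
    print("SPF:", spf)
    print("DMARC:", evaluate_dmarc("example.com", spf, "example.com",
                                   "fail", "", DMARC_RECORD))
```

With the record above, a message from an IP outside the listed ranges with no valid DKIM signature fails SPF, fails DMARC, and the published p=quarantine tells the receiver to send it to spam; a DKIM pass signed by mail.example.com would not rescue it because adkim=s demands an exact domain match.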