This is one of Doug Otis's favorite rants, but I'll try to explain it
in fewer than 54 paragraphs. *grin*

Today, all of our spam / not spam decisions are based on one or more of
the following criteria:
- source IP address
- guesswork
- content comparison

Most of the time, any decisions made about the trustworthiness of the
source IP address are based on guesswork too, but there just simply
isn't anything else we can rely on about a message.

SPF (and its predecessors and derivatives, including Sender ID) attempts
to reduce the guesswork related to the source IP address by providing
a way to confirm, with varying levels of reliability, whether that IP
address is allowed to send mail on behalf of a particular domain name.
Each SPF-like protocol varies regarding how to decide which domain name to
check, but the IP/domain comparison is basically the same. There are of
course problems with this approach, but I won't get into them right now.

I spent a while thinking about it in my last job, and even more time
since, and I just can't think of a way to explain SPF(-like) results to
end users without dangerously oversimplifying.

DomainKeys and DKIM (in its current pre-IETF form) take a different
approach, providing a way to confirm that a particular message came from
a particular domain name. Again, the two vary slightly regarding how
to decide which domain name to check, but not in a damaging way.

Yahoo! and Gmail already show users the results of a DK check,
basically saying "this message was signed by example.com." In the
future, some domains -- usually banks and such, which have a vested
interest in carefully controlling who gets to use their domain name --
will be able to specify that they sign ALL of their mail, at which point
mail clients will be able to point to messages which lack DK signatures
and say "this message should've been signed, but wasn't. Watch out!" or
reject it entirely. Future non-web-based mail clients will do something
like that too.

Then there's the argument about how spammers have been using SPF and
DomainKeys. That's great! If spammers make themselves easier to find,
then it's easier to apply (ahem) appropriate policies to their mail.