There are many ways to be more selective about from whom to accept email. SPF, DKIM, DMARC, and various blacklists are among them. They are supposed to make life harder for spammers. But they have also made running a mail server something that few dare to try anymore. Setup is not easy, but getting blacklisted is, and it causes silent delivery failure, and takes days of work to fix.
As a result, most of the email is run by Microsoft and Google. But that didn’t stop phishers. They just go after people at smaller companies where security isn’t as tight yet, and then they’ve got valid Microsoft accounts to send from. Liars and Outliers by Schneier is about this sort of dynamic.
As for PKI: If I may assume you to be, or have been, affiliated with an armed service – Whose property is your CAC? And why did you use a pseudonym to make this post? (I mean to be pithy, not sarcastic.) I think Liars and Outliers by Schneier is all about this sort of thing - but I didn’t get much of it read before it was due back at the library.
They are made (I think) to be implementable - even, to give implementors some flexibility. Then everybody goes and buys a tool to do it, and not that well. I thought 15 years ago that security configuration was a (voluminous) subset of system configuration and system administration, ripe for automation and rigorous documentation - not something to pay a different vendor for. But the market says otherwise. When you can split some work across a whole team, or even into a separate company, instead of glomming it into one job, that’s worth money to businesspeople.