I'm sorry for the vague title. I don't fully understand why SPF and DKIM should be used together.
First: SPF can pass where it should fail if the sender or DNS is "spoofed" and it can fail where it should pass if some advanced setup of proxies and forwarders is involved.
DKIM can pass where it should fail, either because of an error/weakness in the cryptography (we rule this out, hence the simplified point), or because the DNS query is spoofed.
Since the cryptography error is ruled out, the difference (as I see it) is that DKIM can be used in setups where SPF would fail. I can't come up with any examples where one would benefit from using both. If the setup allows for SPF, then DKIM should not add any extra validation.
Can anyone give me an example of the benefit of using both?
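The forwarding case mentioned in the question, as an added example that is not part of the original post: a simplified SPF evaluator (only `ip4`/`ip6` and `all` mechanisms) and the DKIM `bh=` body hash with "simple" canonicalization, applied to the same message delivered directly and through a forwarder. The SPF record, IP addresses and body are constructed sample data; the header signature check and the DNS lookups are left out.

```python
import base64
import hashlib
import ipaddress

# Constructed sample data (documentation address ranges, hypothetical policy).
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 -all"
DIRECT_IP = "192.0.2.10"       # the sending domain's own outbound server
FORWARDER_IP = "198.51.100.7"  # third-party forwarder relaying the same message
BODY = b"Hello,\r\nthis is the message body.\r\n"

def spf_check(record: str, client_ip: str) -> str:
    """Evaluate a simplified SPF record against the connecting IP."""
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "all":
            return results[qualifier]
        if name.lower() in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(value, strict=False):
                return results[qualifier]
    return "neutral"                         # no mechanism matched

def dkim_body_hash(body: bytes) -> str:
    """bh= value: 'simple' body canonicalization, SHA-256, base64."""
    canon = body
    while canon.endswith(b"\r\n\r\n"):       # drop trailing empty lines
        canon = canon[:-2]
    if not canon.endswith(b"\r\n"):          # body must end with one CRLF
        canon += b"\r\n"
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

SIGNED_BH = dkim_body_hash(BODY)             # value the signer would put in bh=

def receiver_view(client_ip: str, body: bytes, signed_bh: str) -> dict:
    """What the receiving server sees for one delivery path."""
    return {"spf": spf_check(SPF_RECORD, client_ip),
            "dkim_body_hash_ok": dkim_body_hash(body) == signed_bh}

if __name__ == "__main__":
    print("direct:   ", receiver_view(DIRECT_IP, BODY, SIGNED_BH))
    print("forwarded:", receiver_view(FORWARDER_IP, BODY, SIGNED_BH))
```

SPF depends on which IP address connects to the receiver, so its result changes with the delivery path, while the body hash depends only on the message content.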