Another would be to verify message source
SPF and friends have been around for a long time - the problem is that far too many people simply don't care. Publishing a record goes a long way[1] towards preventing spoofing, but far too many domain administrators will gladly write enormous essays about how it takes too long rather than add a single TXT record to their DNS (which would take them just a few minutes). People are actively hostile towards protecting their own assets...
Vic.
[1] SPF cannot be perfectly effective until everyone uses it - but that doesn't mean that the partial effect we have already doesn't make a huge difference to the problem.