SPF/DKIM/DMARC are not intended to authenticate email senders. So it is no great surprise that they don't work for that purpose. SPF/DKIM/DMARC are intended to authenticate email servers.
If you want to authenticate an individual email sender then that sender would sign their email. Just like with paper mail. Sure, you can try to determine if the sender is legit by looking at the postmark on the outside of the envelope, but that is not what it is for. The result will not and cannot be reliable.
"Sender" refers to the domain, read it as: the sender domain policy allows X and Y servers to deliver emails for this domain (or subdomains).
But I agree that is confusing. Also, I was unaware that only the HELO and MAIL FROM in the envelope are used; I should check my Postfix config.
Right, the "Sender" in SPF is the Originating Entity (domain/domain owner), which defines a policy to explicitly bless a set of mailhosts allowed to send messages on behalf of users.
The posted article uses "Sender" for the user, not the entity. Authentication inside the entity is the entity's responsibility. SPF is only concerned with verifying that the mailhosts offering to deliver messages on behalf of the entity are allowed to do so.