A Little History: Why Email Addresses Are So Easily Spoofed
Each time an email message was sent, the receiving email server would compare the IP of origin for the message with the IP address listed in the SPF record for the email address's host (the "@example.com" part).
DMARC boils down to two important flags (although there are 10 total): the "p" flag, which instructs receiving servers on how to deal with potentially phony emails, by rejecting, quarantining, or passing them; and the "rua" flag, which tells receiving servers where they can send a report about failed messages (usually an email address at the domain admin's security group). The DMARC record solves most of the issues with SPF records by taking the burden of deciding how to respond away from the recipient.
How Spammers Spoof Email Addresses
The email should have gone through without issue, and it will appear to be from whomever you said it was from. There's very little to indicate this didn't come from their inbox, until you view the source code of the email ("View original" option in Gmail). [ed note: see image above]