Hi weaver
I hope you don't mind, but your posts are entering in on multiple things a mail server does
A lot depends upon how a mail server is setup, which any reputable ESP, would not divulge
A basic shared mail server could do the following
Full server wide enforcement
Domain level enforcement
User level enforcement
The level of enforcement is set so as the user has partial control, domain level higher control and server wide full control. However, server wide has to take into account one persons spam may not be another person spam, if you see what I mean
You will have no control over any SA plugins, only server admins have this control, but we use a variety of plugins, spf razor pyzor etc...
Access to control these are at user level, from webmail access, settings, spam
Also, yes, spammers are aware of all blocking/checking a mail server does, and a cost of a domain is very cheap, so can set all dns records up.
The idea of spf, dkims/do and dmarc records is to tell the server if email is genuinely been sent from an authorised sending server, and if it is not, what should the mail server do with the email. So this is a way to stop spammers impersonating another domain, if dns records exist. A word or warning, if using these dns records, check and recheck them, or if wrong, you email will most likely fail to be received
There's a lot more but time is short sorry, and your touching on lots of different topics
Many thanks
John