First, all the known identities are tested in search of a
positive result. (A positive result requires that both
authentication and policy tests pass.) If the policy test
passes, that means "the purported sender is known not to be
a spammer domain";
Which will include all domains the spammers use only once per spam run, unless
your policy tests' sources are updated in real time and have a large enough sample
to detect re-use of a domain within a spam run.
if the authentication test also passes,
that means "the sender really is from that domain."
Which spammers can easily declare on their "throw away" domains.
I do not see per-domain anti-forgery as useful for anti-spam over the long run.
In the short term, it will catch spam that is still doing forgery. I see it as very
useful to prevent phishing of popular corporate domains. And it could close
the door on future widespread spoofing. But it is trivial for spammers to use
"throw-away" domains to continue to spam. A $10 domain (with a stolen credit
card) is nothing compared to the $100s earned per spam run.
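The argument above can be checked with a toy model of the two-test scheme. This is an added example, not code from the thread or from any sender-authentication implementation; the domain names, the sighting threshold and the campaign sizes are assumptions chosen for illustration. The policy test is modelled as "domain not on a blocklist", the blocklist only learns a domain after a fixed number of spam sightings, and the authentication test is a boolean that the spammer's own throw-away domains always pass (they publish their own records). It shows a forged message against a legitimate domain being rejected while spam from a freshly registered domain passes both tests, and how many messages of a rotating campaign get through before the blocklist catches up.

```python
"""Toy model of the "policy test + authentication test" scheme.

Added illustration only; not code from the discussion above. Domain
names, thresholds and campaign sizes are constructed assumptions.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    sender_domain: str  # purported sender domain
    auth_pass: bool     # result of the authentication test (SPF-style)
    is_spam: bool       # ground truth, known only to the simulation


def positive_result(msg: Message, blocklist: set[str]) -> bool:
    """A positive result requires both the policy and the authentication test.

    Policy test: the purported sender is not a known spammer domain.
    Authentication test: the sender really is from that domain.
    """
    policy_pass = msg.sender_domain not in blocklist
    return policy_pass and msg.auth_pass


def classify_samples(blocklist: set[str]) -> list[bool]:
    """Three constructed messages: a legitimate mail from a popular domain,
    a phish forging that domain (fails authentication), and spam sent from
    the spammer's own throw-away domain with valid records (passes both)."""
    samples = [
        Message("bank.example", auth_pass=True, is_spam=False),
        Message("bank.example", auth_pass=False, is_spam=True),
        Message("throwaway0.example", auth_pass=True, is_spam=True),
    ]
    return [positive_result(m, blocklist) for m in samples]


def run_spam_campaign(domains: int, msgs_per_domain: int,
                      sightings_needed: int) -> tuple[int, int]:
    """Spammer rotates through `domains` throw-away domains, sending
    `msgs_per_domain` messages from each, all passing authentication.
    The blocklist learns a domain only after `sightings_needed` spam
    messages from it have been seen. Returns (spam_accepted, spam_rejected).
    """
    blocklist: set[str] = set()
    sightings: Counter[str] = Counter()
    accepted = rejected = 0
    for i in range(domains):
        dom = f"throwaway{i}.example"  # assumed throw-away domain name
        for _ in range(msgs_per_domain):
            msg = Message(dom, auth_pass=True, is_spam=True)
            if positive_result(msg, blocklist):
                accepted += 1
            else:
                rejected += 1
            # The policy source eventually learns the domain, but only
            # after enough sightings; a domain used fewer times than the
            # threshold is never caught.
            sightings[dom] += 1
            if sightings[dom] >= sightings_needed:
                blocklist.add(dom)
    return accepted, rejected


if __name__ == "__main__":
    print(classify_samples(set()))          # legit ok, forgery caught, throw-away passes
    print(run_spam_campaign(100, 1, 3))     # one use per domain: all 100 accepted
    print(run_spam_campaign(100, 10, 3))    # re-use: 3 per domain slip through
```

With one message per domain the blocklist never reaches its threshold and every spam message gets a positive result; even with ten messages per domain, the first three from each domain are accepted before the policy source catches up, which is the "large enough sample to detect re-use within a spam run" point made above.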