Wikipedia defines SPF as follows:
Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators. The list of authorized sending hosts for a domain is published in the Domain Name System (DNS) records for that domain in the form of a specially formatted TXT record. Email spam and phishing often use forged "from" addresses, so publishing and checking SPF records can be considered anti-spam techniques.
Again, this is a very nice technical explanation but what does it mean? I think of it as being something like the security that many companies maintain at their front desk, so the scenario would go something like this.
A delivery person dressed in a Marketo uniform walks up to the front desk of your lead's company (email server), and says to the person at the desk (who in our analogy would be the email security software), "Hi, I'm here to deliver email from firstname.lastname@example.org to email@example.com."
The front desk/email security person looks up and notices the uniform says Marketo, not Yourcompany. Depending on their security settings, they might just assume this is okay and buzz Marketo in to make the delivery. However, if they are security-conscious, they are going to want proof that Marketo isn't trying to trick them with a phony delivery (spoofing an email). SPF gives them the ability to call back to the DNS at Yourcompany and ask, "Hey, I've got someone here from Marketo who claims to be making a delivery for you. Is this an authorized delivery?"
If Marketo is correctly included in the SPF record, then effectively, this allows the DNS to tell them, "Yes, Marketo is authorized to make deliveries from us."
So how does this differ from DKIM? According to Wikipedia:
DKIM allows the receiver to check that an email claimed to come from a specific domain was indeed authorized by the owner of that domain which is done using cryptographic authentication.
Verification is carried out using the signer's public key published in the DNS. A valid signature guarantees that some parts of the email (possibly including attachments) have not been modified since the signature was affixed.
So if we go back to our analogy of the delivery at the front desk, it works a bit like this. When the front desk calls the DNS to make sure the delivery is authorized, Marketo has to produce an ID badge with an authorization code on it. The front desk/email security person reads that authorization code to the DNS which validates it against the code it has on record. If the code matches, then the delivery is authorized.
Some email security programs require SPF, some require DKIM, and some don't require anything at all. To be sure Marketo can always make your deliveries, you should always have both set up for each domain you use in the From: line of your emails.
Instructions for setting up SPF and DKIM can be found here.