I get the verification the email actually came from the domain (i.e., someone, who has the credentials of an insider) vs. an email that was totally spoofed, from the outside, without any creds of the purported sender org. (Right?)

Hands on keyboard? You're right, absolutely not. But I can learn something useful via DKIM nevertheless.