My information may be out-of-date, but might perhaps give you some input. I left the on-premises Exchange world several years ago, except for configuring hybrid Exchange environments. At that time you needed 3rd party modules on the Edge servers to handle DKIM and DMARC for outbound mail. There were no modules for verifying incoming mail with either DKIM or DMARC (DKIM is by the way a DMARC requirement).
So out-of-the-box you should have no better spoofing protection.
To check for SPF, you must enable and configure Sender ID within Exchange 2013 or 2016. Do the following:
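    # Install the built-in anti-spam agents (this includes the Sender ID agent)
    & $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1
    # Reject messages that fail the Sender ID check
    Set-SenderIDConfig -SpoofedDomainAction Reject
    # Restart the transport service so the agents are loaded
    Restart-Service -Name MSExchangeTransport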
For more information, see https://knowledge.broadcom.com/external/article/178825/how-to-enable-sender-id-filtering-for-ex.html
For extremely useful articles on SPF, DKIM and DMARC with on-premises Exchange, see SENDERID, SPF, DKIM AND DMARC IN EXCHANGE 2016 – PART III. There are links back to the two earlier blogs. Jaap Wesselius is one of the world's leading Exchange experts (I have learned a lot from him through all those years).
https://jaapwesselius.com/2016/08/23/senderid-spf-dkim-and-dmarc-in-exchange-2016-part-iii/
If I may come with a personal recommendation: Use Exchange Online Protection (EOP) as your SMTP gateway, preferably add Office 365 Advanced Threat Protection (ATP). There you have it all. Easy to set up SPF, DKIM and DMARC. Protection against dangerous links and attachments, spoofing, impersonation, zero-day threats. All the security based on AI and machine learning.
The easiest way would likely be to set up connectors between Edge and EOP. This works whether your Edge server is set up with a subscription or not. One benefit of subscribing is that you can configure a hybrid Exchange environment from your Edge server.
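
To confirm that the Sender ID steps in the answer above took effect, the following check can be run in the Exchange Management Shell on the same server. It is an added example, not part of the original answer; `Get-SenderIdPosture` is a hypothetical helper name, and the findings it reports are this example's own wording.

```powershell
# Added example. Get-SenderIdPosture is a hypothetical helper, not an Exchange cmdlet.
# It only reads configuration; it changes nothing.
function Get-SenderIdPosture {
    $findings = @()

    # Install-AntiSpamAgents.ps1 registers the agent under this name.
    $agent = Get-TransportAgent -Identity 'Sender Id Agent' -ErrorAction SilentlyContinue
    if (-not $agent) {
        $findings += 'Sender Id Agent is not installed; Install-AntiSpamAgents.ps1 has not been run.'
        return $findings
    }
    if (-not $agent.Enabled) {
        $findings += 'Sender Id Agent is installed but disabled.'
    }

    $cfg = Get-SenderIdConfig
    if (-not $cfg.Enabled) {
        $findings += 'Sender ID filtering is disabled in Get-SenderIdConfig.'
    }
    if (-not $cfg.ExternalMailEnabled) {
        $findings += 'Sender ID is not applied to external (unauthenticated) mail.'
    }
    # The default action is StampStatus, which only stamps the result and still delivers.
    if ($cfg.SpoofedDomainAction -ne 'Reject') {
        $findings += "SpoofedDomainAction is '$($cfg.SpoofedDomainAction)', not 'Reject'."
    }
    # Exemptions skip the check entirely, so list them for review.
    if ($cfg.BypassedSenderDomains.Count -gt 0) {
        $findings += "Sender domains exempt from the check: $($cfg.BypassedSenderDomains -join ', ')"
    }
    if ($cfg.BypassedRecipients.Count -gt 0) {
        $findings += "Recipients exempt from the check: $($cfg.BypassedRecipients -join ', ')"
    }

    # The agent is only loaded once the transport service has been restarted and is running.
    if ((Get-Service -Name MSExchangeTransport).Status -ne 'Running') {
        $findings += 'MSExchangeTransport is not running.'
    }
    return $findings
}

$result = Get-SenderIdPosture
if ($result) { $result } else { 'Sender ID agent is enabled and set to Reject.' }
```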