email, spf, dkim

Is DKIM and SPF sufficient to avoid inbound email spoofing from a certain domain?


Is DKIM and SPF sufficient to avoid inbound email spoofing from a certain domain? For example, can I trust that an email from [email protected] with valid gmail.com DKIM and SPF is really from [email protected]?


Solution

  • Within the bounds of your question, yes. As long as you have a good signature that matches the record published by the email sender, you can be assured that it's valid (within the bounds of the encryption security, don't trust keys less than 1024 bits).

    DMARC is the coordinating standard that informs servers of whether they SHOULD accept email that has a failing signature. Gmail currently publishes a DMARC record saying to accept all email from gmail.com, even if it has a failing signature. That makes things a little more complex.
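The distinction the answer draws (a signature that "matches the record published by the email sender" versus one that merely passes, and a DMARC policy that tells the receiver what to do about a failure) is easiest to see as a receiver-side check. The following is an added example, not code from the question or answer: it reads the `Authentication-Results` header a receiving MTA stamps on a message, checks that the DKIM `d=` domain or the SPF `smtp.mailfrom` domain aligns with the header `From:` domain (which is what DMARC requires; a passing DKIM signature from an unrelated domain says nothing about the `From:` address), and then applies the sender's published policy. Header values, domains and the `other-sender.example` name are constructed for the example, and the relaxed-alignment check is a subdomain approximation rather than a full organizational-domain lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a message whose DKIM d= and SPF domain both align with
# the From: domain (gmail.com). The Authentication-Results values are made up.
SAMPLE_ALIGNED = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=gmail.com header.s=20230601;
 spf=pass smtp.mailfrom=gmail.com
From: Someone <someone@gmail.com>
Subject: hello

body
"""

# Constructed sample: DKIM and SPF both "pass", but for a different domain
# than the one shown in From:. Without alignment this would look valid.
SAMPLE_MISALIGNED = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=other-sender.example;
 spf=pass smtp.mailfrom=other-sender.example
From: Someone <someone@gmail.com>
Subject: hello

body
"""


def parse_auth_results(msg):
    """Extract DKIM/SPF results and their domains from Authentication-Results."""
    header = " ".join(msg.get("Authentication-Results", "").split())  # unfold
    out = {"dkim": None, "dkim_domain": None, "spf": None, "spf_domain": None}
    m = re.search(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", header)
    if m:
        out["dkim"], out["dkim_domain"] = m.group(1), m.group(2).lower()
    m = re.search(r"spf=(\w+)[^;]*?smtp\.mailfrom=([\w.@-]+)", header)
    if m:
        out["spf"] = m.group(1)
        out["spf_domain"] = m.group(2).split("@")[-1].lower()
    return out


def from_domain(msg):
    """Domain of the RFC 5322 From: header, which is what DMARC protects."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def aligned(authenticated_domain, from_dom, relaxed=True):
    """Strict alignment is equality; relaxed allows a parent/subdomain match.
    (Approximation: real DMARC compares organizational domains via the PSL.)"""
    if not authenticated_domain or not from_dom:
        return False
    if authenticated_domain == from_dom:
        return True
    return relaxed and (authenticated_domain.endswith("." + from_dom)
                        or from_dom.endswith("." + authenticated_domain))


def parse_dmarc_policy(txt_record):
    """Return the p= tag of a DMARC TXT record, defaulting to 'none'."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags.get("p", "none")


def dmarc_evaluate(raw_message, policy="none"):
    """Decide a disposition: DMARC passes if DKIM or SPF passes AND aligns."""
    msg = message_from_string(raw_message)
    ar = parse_auth_results(msg)
    fd = from_domain(msg)
    dkim_ok = ar["dkim"] == "pass" and aligned(ar["dkim_domain"], fd)
    spf_ok = ar["spf"] == "pass" and aligned(ar["spf_domain"], fd)
    dmarc_pass = dkim_ok or spf_ok
    if dmarc_pass or policy not in ("quarantine", "reject"):
        disposition = "accept"  # p=none: deliver anyway, only report
    else:
        disposition = policy
    return {"from_domain": fd, "dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "dmarc_pass": dmarc_pass, "disposition": disposition}


if __name__ == "__main__":
    for label, sample in (("aligned", SAMPLE_ALIGNED), ("misaligned", SAMPLE_MISALIGNED)):
        for p in ("none", "reject"):
            print(label, "p=" + p, dmarc_evaluate(sample, policy=p))
```

Run with the misaligned sample and `p=none`, the message is still delivered even though neither mechanism aligns with the `From:` domain; that is the situation the answer describes for a sender publishing a permissive policy. Only when the sender's record says `p=quarantine` or `p=reject` does the alignment failure change the disposition.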