Phishing emails from valid email accounts (no links, attachments, just looking for data)
Your SPF/DKIM won't protect you from incoming mail as that's used to legitimise outbound mail as a way of saying 'this mail is genuinely from me, look here's our domain key and our SPF etc' - which will 'separate' your mail from spam (only for some, stricter receiving domains like Yahoo).
For inbound mail, it is very difficult to outright block these as the spoof e-mail comes from a different address than what it's actually displaying (for your example, it's showing as the CEO). In some cases, you can actually find the sending address in the message headers instead, which I've had luck with a couple of times by blocking the sending domain. You can find this under the env-sender or return-path field if present. However, it is an ongoing battle as this backend header address will change constantly. Because of this, any best effort is utilising some sort of e-mail security or mail guard and hoping that their heuristic detection methods can pick up the illegitimate emails. Other than this, there is no available solution - not every business has SPF set up so ISPs are still relaying mail without any SPF/DKIM, and so spam will continue to pass.
You can't protect against everything because the malicious content evolves, and therefore so must security. For each get-around that spoofers use we have to try our best to be one step ahead to block exactly what you're asking for. I believe they've even incorporated machine learning into this now.
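
The header comparison described in the answer above, as an added example that is not part of the original post: it reads the envelope sender from the `Return-Path` or `env-sender` header and compares its domain with the displayed `From` address. The sample message, `OUR_DOMAINS`, `VIP_NAMES` and the function names are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample; every name and domain here is a placeholder.
SAMPLE = """\
Return-Path: <bounce-4471@mailer.example.net>
From: "Jane Doe (CEO)" <jane.doe@example.com>
Reply-To: <jane.doe.ceo@freemail.example.org>
To: accounts@example.com
Subject: Quick request

Are you at your desk?
"""

OUR_DOMAINS = {"example.com"}   # assumption: domains your organisation owns
VIP_NAMES = {"jane doe"}        # assumption: display names worth protecting
ENVELOPE_HEADERS = ("Return-Path", "env-sender")  # header names as given in the answer

def domain_of(value):
    """Lower-cased domain of the address in a header value, or '' if none."""
    addr = parseaddr(value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def check_headers(raw):
    msg = message_from_string(raw)
    display = parseaddr(msg.get("From", ""))[0].lower()
    from_dom = domain_of(msg.get("From"))
    env_dom = next((d for d in (domain_of(msg.get(h)) for h in ENVELOPE_HEADERS) if d), "")
    reply_dom = domain_of(msg.get("Reply-To"))
    findings = []
    # A mismatch is a signal, not a verdict: bulk senders legitimately differ.
    if env_dom and env_dom != from_dom:
        findings.append(f"envelope domain {env_dom} differs from From domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Strongest signal: a protected name on mail whose envelope is not ours.
    if any(n in display for n in VIP_NAMES) and env_dom and env_dom not in OUR_DOMAINS:
        findings.append("protected display name with external envelope sender")
    return {"from_domain": from_dom, "envelope_domain": env_dom, "findings": findings}

if __name__ == "__main__":
    for line in check_headers(SAMPLE)["findings"]:
        print("FLAG:", line)
```

`OUR_DOMAINS` is matched exactly, so list any subdomains your own mail systems use as envelope senders.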