
That's an excellent question, especially since LinkedIn publishes an SPF record specifying both the IP ranges and the second-level domain name of legitimate MXes for its mail; prior to the DNS hijack, I'm not sure how it would be possible to carry out the phishing attack without giving any hint of foul play. (I do implicitly assume such hints would've stopped the target from clicking the bogus link, but given the way he's described in the article, I think that's not too unreasonable an assumption.)


SPF only checks the message envelope. His target's email provider may not correlate the MAIL FROM statement in the envelope with the From header inside of the message content. Some large webmail providers will use this mismatch as a cue to send a file to the spam folder.

Delivering a targeted phish requires situational awareness, but it's quite feasible to pull off something convincing.

http://blog.strategiccyber.com/2013/10/03/email-delivery-wha...
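
An added example, not part of the thread, of the correlation the comment above says some providers perform: it compares the envelope sender domain (MAIL FROM, as the receiving server records it in `Return-Path`) with the domain in the `From` header. The sample messages, the function names, and the two-label shortcut for the organizational domain are assumptions; a production check would consult the Public Suffix List.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; the example.* domains are placeholders.
ALIGNED = """Return-Path: <bounce@mail.example.com>
From: Example Notifications <notify@example.com>
Subject: aligned sample

body
"""

MISMATCHED = """Return-Path: <bounce@sender.example.net>
From: Example Notifications <notify@example.com>
Subject: mismatched sample

body
"""

NULL_SENDER = """Return-Path: <>
From: Mail Delivery <postmaster@example.com>
Subject: bounce sample

body
"""

def domain_of(header_value):
    """Return the lowercased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower().rstrip(".")

def org_domain(domain):
    """Assumption: treat the last two labels as the organizational domain."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain

def check_alignment(raw_message, strict=False):
    """Compare the SPF-checked envelope domain with the visible From domain."""
    msg = message_from_string(raw_message)
    envelope = domain_of(msg.get("Return-Path"))
    visible = domain_of(msg.get("From"))
    if not envelope or not visible:
        return "no-domain"   # e.g. a bounce with a null sender
    if envelope == visible:
        return "aligned"
    if not strict and org_domain(envelope) == org_domain(visible):
        return "aligned"     # relaxed mode: same organizational domain
    return "mismatch"        # SPF may pass while From shows another domain
```

A "mismatch" result alone is common for legitimate bulk mail sent through third parties, so it works as one spam-scoring signal rather than a verdict.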



