Why does DKIM not stop spoofing by itself?
Because DKIM only proves control of the signing domain. It does not require that domain to align with the visible From address.
A malicious sender can still use captain@tidalmail.com as the From line while signing the message with a completely different domain.
This is why DMARC is required. DMARC forces alignment.
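The alignment test described above, as an added example that is not part of the original page: it compares the From domain with each DKIM d= domain in strict and relaxed mode. It assumes the signatures have already verified cryptographically, covers DKIM alignment only, and approximates the organizational domain with a naive last-two-labels rule; the messages, the bulk-sender.example domain and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From shows tidalmail.com, the signature belongs to another domain.
SPOOFED = """\
From: Captain <captain@tidalmail.com>
To: crew@example.org
Subject: Payroll update
DKIM-Signature: v=1; a=rsa-sha256; d=bulk-sender.example; s=sel1;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER

body
"""
# Constructed sample: same message, signed by a subdomain of the From domain.
ALIGNED = SPOOFED.replace("d=bulk-sender.example", "d=mail.tidalmail.com")


def dkim_domains(msg):
    """Return the d= domain of every DKIM-Signature header on the message."""
    domains = []
    for header in msg.get_all("DKIM-Signature", []):
        parts = (part.partition("=") for part in header.split(";"))
        tags = {k.strip().lower(): v.strip() for k, _, v in parts if k.strip()}
        if "d" in tags:
            domains.append(tags["d"].lower())
    return domains


def org_domain(domain):
    # Assumption: naive "last two labels" rule; real DMARC uses the Public Suffix List.
    return ".".join(domain.split(".")[-2:])


def dmarc_dkim_aligned(raw, strict=False):
    """True if any DKIM d= domain aligns with the visible From domain."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not from_domain:
        return False
    for d in dkim_domains(msg):
        if d == from_domain:
            return True  # exact match passes in both modes
        if not strict and org_domain(d) == org_domain(from_domain):
            return True  # relaxed mode: same organizational domain
    return False
```

The spoofed sample can carry a perfectly valid DKIM signature for bulk-sender.example and still fails this check, which is the gap DMARC closes.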