Douglas Otis wrote:
> show 12.6% of domains with name servers publish SPF records.
"Percentage of domains" and "percentage of mails" (incl. spam)
are different. Not all domains send mail (really or forged;
I'm not going to explain again why forging domains that can't
receive mail is likely not what the spammer wants). The SPF
deployment for "relevant domains" (defined by Alexa) is good
enough, see <http://utility.nokia.net/~lars/meter/spf.html>.
> When 4% of those then offer a possibility for FAIL, this
> represents less than half a percent of domains overall.
It is likely better measured in "mails" instead of "domains".
If folks dare not publish FAILing IPs, their PASSing IPs are
still relevant. After a PASS, receivers can delay their spam
analysis and bounce later without causing backscatter.
> SPF does not use different record types to verify IPv6 or
> IPv4 SMTP client authorizations.
SPF supports both IPv4 and IPv6 natively. Its job is to
match the IP (IPv4 or IPv6) of an alleged sender (HELO or
envelope sender) against an enumeration of "permitted" or
"forbidden" IPs to get a PASS or FAIL result.
It's not rocket science to look at AAAA records when trying
to match an IPv6 address, or at A records for an IPv4 address,
insofar as a policy contains any "by name" mechanisms. For the
two SPF "by address" mechanisms, matching IPs is straightforward.
Skipping the rest of your rant, I've already answered that
on various mailing lists (DKIM, IETF general, ASRG, etc.).