spf-discuss

Re: SPF and Responsibility

2004-07-21 12:11:19
 Michel Bouissou <michel(_at_)bouissou(_dot_)net> raises the issue of the link
(failure) between legitimacy and responsibility. Perhaps an analogy is
in order to show that the lack of a link is not a failure.

If I own an automobile, the authorities can check the license plate or
VIN to determine that I am the legitimate owner. I am normally
responsible for activities using that vehicle. If the vehicle is
stolen I am not normally held responsible for activities using that
vehicle as long as I take reasonable steps (reporting the theft, etc.)
upon determining the vehicle has been stolen.

The same holds true with regard to mail servers and SPF. The SPF
record asserts the legitimacy of the mail server for a particular
domain. Normally we would expect the domain owner (person or
organization) to accept responsibility for mail originating from that
machine. If the machine has been hijacked and used in reprehensible
ways, I would look to how long and what the owner did to deal with the
problem. If the machine was compromised and spewed mail for a short
time (say an hour or two), that is different than if it was happening
for months on end.

Personally I look at SPF as a brick in the wall. By itself it will not
stop bad people from doing bad things. Taken together with other steps
it raises the barrier for people wishing to do bad things.

Just my 2 cents.

Mike

