Quoting John Keown <jdk(_at_)nni(_dot_)com>:
Too many people are looking at spf records from the administrator eyes and
not from the spammers eyes.
Right. Because we don't think interfering with spammers is as high a priority
as serving our users and being sure they can send and receive all of the
legitimate mail they need to. Because that, not being superspiffo
spam-warriors, is our job.
Therefore the domain with excessive ip ranges in the spf records are just
asking to be used by the spammers.
If my only two choices are "usable by my users, and therefore, collaterally
usable by spammers" and "not usable by my users, but safe from being used by
spammers," I'll opt for the first every time. The purpose of this whole
discussion, and any technology, is to determine how you can do the best job
possible with no collateral damage.