spf-discuss

Re: using received headers to determine sending mta

2005-01-12 11:09:05
 "Dan Field" commented:

If we are using the latest received header (The last MTA to handle the
message), then trust should be ok shouldn't it?


Only if you trust that MTA!

I don't know what configuration you (or other readers) might have in mind.

There are configurations in which you could trust the MTA (and also know what
the format of the Received header is) - e.g. if the message is received by a
backup (SPF-ignorant) MTA and then passed to the primary MTA within the same
administration, then I would think you could safely do the SPF test the way you
suggest.

But, in general, e.g. if done at an MUA on a message handled for you by an MSP
not under your control, then you are dependent on the level of trust you have in
that MSP.

And if the 'latest received header' was inserted by someone you have no
knowledge of / control over (e.g. a forwarder) then you really would be at risk.

HTH

Chris Haynes
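
The trust condition described in the message above, as an added example that is not part of the original post or of any SPF implementation: the client IP for the SPF test is taken from a Received header only when every header above it, and the header itself, was written by an MTA in your own administration. The host names, addresses, sample messages and the Postfix-style header layout are assumptions constructed for illustration.

```python
import email
import ipaddress
import re

# Assumed Postfix-style layout: "from HELO (rdns [IP]) by HOST (...) ...".
FROM_IP = re.compile(r"\bfrom\s+\S+\s+\([^)]*\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]\)")
BY_HOST = re.compile(r"\bby\s+([^\s;()]+)")

def spf_client_ip(raw_message, our_hosts, our_ips):
    """Return the IP that connected to our administration, or None if the
    newest Received headers were not written by MTAs we control."""
    ours = {ipaddress.ip_address(i) for i in our_ips}
    msg = email.message_from_string(raw_message)
    for header in msg.get_all("Received", []):      # newest header first
        by = BY_HOST.search(header)
        if not by or by.group(1).lower() not in our_hosts:
            return None      # stamped by an MSP or forwarder: not trusted
        src = FROM_IP.search(header)
        if not src:
            return None      # unknown format: refuse rather than guess
        try:
            ip = ipaddress.ip_address(src.group(1))
        except ValueError:
            return None
        if ip not in ours:
            return str(ip)   # first external hop; headers below are unverified
    return None

# Constructed configuration and messages (documentation address ranges).
OUR_HOSTS = {"mx-primary.example.org", "mx-backup.example.org"}
OUR_IPS = {"192.0.2.20"}
SAMPLE = (
    "Received: from mx-backup.example.org (mx-backup.example.org [192.0.2.20])\n"
    "\tby mx-primary.example.org (Postfix) with ESMTP id AAA111;\n"
    "\tWed, 12 Jan 2005 11:09:05 +0000\n"
    "Received: from mail.sender.example (mail.sender.example [203.0.113.7])\n"
    "\tby mx-backup.example.org (Postfix) with ESMTP id BBB222;\n"
    "\tWed, 12 Jan 2005 11:09:01 +0000\n"
    "Received: from x (x [198.51.100.99])\n"
    "\tby mx-primary.example.org (Postfix) with ESMTP id CCC333;\n"
    "\tWed, 12 Jan 2005 11:08:00 +0000\n"
    "From: someone@sender.example\n\nbody\n"
)
FORWARDED = (
    "Received: from mail.sender.example (mail.sender.example [203.0.113.7])\n"
    "\tby forwarder.example.net (Postfix) with ESMTP id DDD444;\n"
    "\tWed, 12 Jan 2005 11:09:01 +0000\n"
    "From: someone@sender.example\n\nbody\n"
)

if __name__ == "__main__":
    print(spf_client_ip(SAMPLE, OUR_HOSTS, OUR_IPS))
    print(spf_client_ip(FORWARDED, OUR_HOSTS, OUR_IPS))
```

The `by` host name is only a string match; the trust comes from the header's position at the top of a chain your own MTAs wrote, which is why the walk stops at the first external address and ignores everything beneath it.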