Excuse me for jumping into the middle of this discussion...
Another thing that really bothers me is the potential for malicious
'punishment':
This is an area that causes me concern as a developer implementing SPF
into our product. We have a history of allowing our customers to use a
variety of on-the-fly lookup techniques (IDENT and, later, various DNS
blocking lists) and while they may serve the purposes, they also tend to
introduce possible support issues when their MTA stops accepting mail
reasonably because of a problem elsewhere on the network.
Our customers want SPF support. I think that there is a lot of potential
that makes it worth implementing, but I can't get over this nagging
feeling in the back of my head that it opens up a customer to a new
variety of DoS attacks (both the mail recipient's MTA and any DNS
servers possibly referenced in SPF records) that will be harder to limit.
--Marc
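The DNS-side amplification Marc worries about is the reason RFC 7208 caps the number of DNS-querying terms an SPF evaluation may follow. The following is an added example, not Marc's code or any product's: a static check that counts those terms (including nested include/redirect chains) against the 10-lookup budget using constructed in-memory TXT records, so a receiver can reject a runaway record as permerror before issuing a single query. All domain names are hypothetical.

```python
import re

# RFC 7208 section 4.6.4: each of these terms costs a DNS query, and a record
# whose evaluation needs more than 10 of them yields "permerror". Enforcing the
# budget bounds the work (and DNS traffic) one inbound message can trigger.
MAX_LOOKUPS = 10
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT answers standing in for DNS; the names are hypothetical.
FAKE_TXT = {
    "example.com": "v=spf1 include:_spf.example.com mx -all",
    "_spf.example.com": "v=spf1 ip4:192.0.2.0/24 a:mail.example.com -all",
    "loop.example": "v=spf1 include:loop.example -all",
    "noisy.example": "v=spf1 "
    + " ".join(f"include:n{i}.example" for i in range(12)) + " -all",
}

# qualifier, mechanism/modifier name, optional argument after ':' '=' or '/'
TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=/](.*))?$", re.I)


def count_lookups(domain, txt, path=()):
    """Count lookup-costing terms reachable from `domain`'s record.

    Raises ValueError on an include/redirect loop, a missing record, a
    malformed term, or when the budget is exceeded. `path` is the chain of
    records already being evaluated, used for loop detection.
    """
    if domain in path:
        raise ValueError(f"include/redirect loop at {domain}")
    record = txt.get(domain)
    if record is None:
        raise ValueError(f"no SPF record for {domain}")
    terms = []
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        m = TERM_RE.match(term)
        if not m:
            raise ValueError(f"malformed term {term!r}")
        if m.group(1).lower() in LOOKUP_TERMS:
            terms.append((m.group(1).lower(), m.group(2)))
    total = len(terms)
    if total > MAX_LOOKUPS:
        raise ValueError(f"{domain}: {total} lookups exceeds {MAX_LOOKUPS}")
    for name, arg in terms:
        if name in ("include", "redirect"):  # nested records share the budget
            total += count_lookups(arg, txt, path + (domain,))
            if total > MAX_LOOKUPS:
                raise ValueError(f"{domain}: nested lookups exceed {MAX_LOOKUPS}")
    return total


def check(domain, txt=FAKE_TXT):
    """Return ("ok", lookups) or ("permerror", reason), with no DNS traffic."""
    try:
        return "ok", count_lookups(domain, txt)
    except ValueError as exc:
        return "permerror", str(exc)
```

In a real MTA the `txt` argument would be the resolver's cached answers; the same budget then also caps how many queries the recipient's own DNS servers must make on behalf of an unknown sender.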