Once your reputation is trashed or your domain is blacklisted, how do you
get that fixed?
There may not be much of a difference if the shared MTA you're using
yields a 'neutral' or 'pass' result.
My main problem with a "v=spf1 ?a:example.com -all" is (which itself is a
fairly restrictive policy), that it can't be distinguished from a very
lenient "v=spf1 a:example.com ?all" policy. The 'neutral' result on the
first record when I get a message from the 'example.com' server will look
identical to the 'neutral' I get when 'spammer.net' sends me a message and
the second SPF policy is in place. People judge SPF on how good it is in
making the distinction between legitimate and forged senders and having
something between 'pass' and 'fail' is not exactly helping here. I tend to
agree with Hector that we should strive for conclusive answers.
I fear that in the not so distant future, the abuse of domains which
result in a 'neutral' response for vast parts of the 'net, will lead to
the situation where 'neutral' will have a high probability (statistically)
that the sender was forged. On my MTA, more than 95% of 'neutral'
responses fall into this category. I can't keep on ignoring that.