Okay, let me tell you about my experience with SPF from the point of view of a system administrator.
SPF breaks existing MTA mechanisms like mail forwarding. You set up a forward from your Google account to your Yahoo account, and voila, your mails get rejected by SPF, because they come from different IP addresses than those specified in the SPF records for the sender domain. Also, to make SPF work, you would have to persuade every receiving mailserver to discard mails that won't pass SPF validation. How do users react? "My mails aren't coming through? What? SPF? What's that? I don't care, turn it off! I need my mails, I am losing money here..." Bye bye SPF. The other "workaround" people use to make sure their mail is always received on SPF-enabled servers is to publish SPF records that allow everyone to send from their domain: "v=spf1 +all"
The basic rule states that security is always a procedure, not a technology or product or application. Sure, there are more and less secure applications, but how secure they really are depends on how they are used. Moreover, security and user comfort are in inverse proportion: the more secure the procedure, the more "hassle" it brings. And people want no hassle, so security goes out of the window.
If you want secure mail, you can have it. The tools have been in place for some time: DNSSec and PGP. How? Just follow these steps:
1) Sign your zone with DNSSec
2) Publish PGP public keys for every person that will be sending from your domain via TXT records in your domain. Make sure the keys are sufficiently strong and that the private keys are handled with care (password protected, preferably on encrypted filesystems)
john_doe IN TXT "<public key>"
3) Sign every mail you send with the keys you published in your DNS zone.
4) Persuade every recipient of your mails to discard any mail that is not correctly signed with the correct keys.
There, problem solved. The problem is of course point 4 - people are either lazy, or ignorant, or both. "I don't have time for this". Or similar excuses. You can either have comfort, or security.
SPF has been pushed by Microsoft for YEARS, with negligible results.
Do you really want to solve SPAM forever? Get rid of the SMTP protocol. It is very bad for today's use, where the internet is a hostile place to be. Replace it with a securely designed protocol that requires cryptographic authentication at every step, like DNSSec. Or forget it. Ain't gonna happen. Too expensive. Too much hassle.
Oh, and when establishing trust chains, don't trust PKI. PKI is broken:
https://mail1.eff.org/pipermail/observatory/2011-September/000308.html
Read about the amazing failure of the Diginotar CA in various articles. They kept issuing certificates months after it was obvious they were compromised. SSL 3.0 is broken too.
Ultimately, phishing and scam success boils down to the intelligence of the user. People don't read the certificates the browser presents, they just click "Okay, I trust this, make an exception". They are willing to believe a former Nigerian oil minister wants to give them millions of dollars. As long as they exist, frauds of all kinds will prevail.
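The forwarding failure and the "v=spf1 +all" escape hatch described in the comment above, worked through as an added example that is not part of the original post: a minimal SPF evaluator in Python that covers the ip4, ip6, include and all mechanisms with the four qualifiers. The domains (example.com, _spf.mailhost.example, lazy.example, nospf.example) and all IP addresses are constructed, taken from documentation ranges, and the DNS data is an in-memory table standing in for real TXT lookups, so it runs offline. The constructed forwarder keeps the original MAIL FROM domain but connects from its own address, which is exactly why the receiving side's SPF check fails.

```python
"""Minimal SPF (RFC 7208) evaluator, written as an illustration of the forwarding problem.

Constructed DNS data stands in for real TXT lookups so this runs offline.
Supported: v=spf1 records with ip4, ip6, include and all, and the +/-/~/? qualifiers.
"""
import ipaddress

# Constructed zone data: domain -> SPF TXT records. Addresses come from the
# documentation ranges (RFC 5737 / RFC 3849), not from any real mail provider.
FAKE_DNS = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    "_spf.mailhost.example": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"],
    "lazy.example": ["v=spf1 +all"],   # the "make it always pass" workaround
    "nospf.example": [],               # domain that publishes no SPF at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms


def lookup_spf(domain):
    """Return the single v=spf1 record for a domain, or None (no record / ambiguous)."""
    records = [r for r in FAKE_DNS.get(domain, []) if r.startswith("v=spf1")]
    if len(records) != 1:
        return None
    return records[0]


def check_host(ip, domain, _lookups=None):
    """SPF result for a connection from `ip` whose MAIL FROM is in `domain`."""
    if _lookups is None:
        _lookups = [0]  # shared counter across include recursion
    record = lookup_spf(domain)
    if record is None:
        return "none"
    client = ipaddress.ip_address(ip)
    for term in record.split()[1:]:   # skip the "v=spf1" version tag
        qualifier = "+"               # RFC 7208: a mechanism without a qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = client.version == network.version and client in network
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"
            sub = check_host(ip, arg, _lookups)
            if sub in ("permerror", "temperror"):
                return sub
            matched = sub == "pass"   # an include only matches when the included record passes
        else:
            return "permerror"        # mechanisms not modelled here (a, mx, exists, ...)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                  # record exhausted without a match (RFC 7208 4.7)


def forwarding_scenario():
    """The Google -> Yahoo forward from the comment, with constructed addresses."""
    origin_ip = "192.0.2.10"      # sender's own MTA, listed in example.com's SPF record
    forwarder_ip = "203.0.113.5"  # third party relaying the message with MAIL FROM unchanged
    return {
        "direct": check_host(origin_ip, "example.com"),           # pass
        "forwarded": check_host(forwarder_ip, "example.com"),     # fail: forwarder's IP is not listed
        "via_included_host": check_host("198.51.100.7", "example.com"),  # pass through include:
        "lazy_plus_all": check_host(forwarder_ip, "lazy.example"),       # pass: +all matches anyone
        "no_record": check_host(forwarder_ip, "nospf.example"),          # none
    }


if __name__ == "__main__":
    for case, result in forwarding_scenario().items():
        print(f"{case:18s} -> {result}")
```

Against real DNS, lookup_spf would be replaced by a resolver query for TXT records (for instance via dnspython), and a production checker also needs the a, mx, exists and redirect mechanisms and the macro syntax; the point of the cut-down version is only that the "forwarded" case ends at -all, and that a "+all" record turns the check into a no-op.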