I think that the "registration" oriented authentication mechanisms (spf, rmx, lmap, etc.) can be useful only when the authenticator is the hosting network provider, rather than a message author.
GSH> I think widespread use of SPF will gut the major sources of spam.
Well, it will gut a great deal of email mobility and third-party services. It will mean you can no longer use just about any SMTP server you like.
But why can't you use your ISP's submission server using SMTP AUTH? I do not see that this adjustment to roaming users is serious; there are plenty of ways your organization/ISP can continue to provide email to its users and use SPF.
It will probably have no meaningful effect on actual spam.
Oh, it will.
For example, as you note:
GSH> Then, of course, the spammers will find other ways...
And we will deal with those ways as well. If not, then let's roll over right now.
That means that _at best_ MTA author registration schemes, like SPF, are tactical responses.
There are forums for discussing SMTP replacement; SPF is not meant to be a replacement for SMTP but augmentation; yes, that's tactical.
The problem is that they cause a _strategic_ change to the email semantic model; and the scaling effect of its administration is really quite terrible.
I don't see that. This is really no different from when just about everybody had to secure their open relays or stop using email, or secure their proxies or go under, or... It's not strategic in and by itself. Its effect on mail server management and efficiency is probably more than using black lists (depends on how many you use today); it will mean some DNS administration, but hey! we are in the IT business, this is to be expected, we don't expect stagnation, do we?
Pretty massive effect, for such a short-term benefit.
It's pretty straightforward. There are details to it, especially on the DNS records, but other than that, it's less massive than black lists probably.
Not to mention that, on the Internet, it is never possible to deploy anything in a short-term time-frame.
Not everywhere. It will take some more time than closing open relays perhaps.
And, oh by the way, all SPF tries to do is to authenticate the From field.
Not quite. It only "authenticates" the domain part of the From field.
Forgive me for not being reassured that wide use of SPF will merely mean that the spam I get will have a valid From field.
There are estimates that 40-70% of spam today is from spam proxies. If a spam proxy sends mail to an SPF-enabled MTA with a MAIL FROM where the domain has SPF records then the MTA can easily slice and dice at will. That's pretty drastic. If it only puts spammers back to the drawing board for a while then it's quite worth it, because their old techniques are becoming very inefficient.
Rgds,
-GSH