I think perhaps SPF is supposed to match against the sender in the envelope, or possibly the received header, rather than the From header, which is trivially forged.
Others will be able to give more information. I know the rule score of .001
is deliberate, but I don't recall immediately why. It probably had
something to do with the test being forged.
Loren
