Peter N. M. Hansteen asks the question, "Does Your Email Provider Know What A 'Joejob' Is?" in his blog and provides some data and discussion. He provides anecdotal evidence which seems to indicate that Google and possibly other mail service providers are either quite ignorant of history when it comes to email and spam, or are applying unsavory tactics to capture market dominance.
[Ed Note: I had to look up "joe job" to find out what it is. According to Wikipedia:
A joe job is a spamming technique that sends out unsolicited e-mails using spoofed sender data. Early joe jobs aimed at tarnishing the reputation of the apparent sender or inducing the recipients to take action against them (see also e-mail spoofing), but they are now typically used by commercial spammers to conceal the true origin of their messages.
]
(Score: 0) by Anonymous Coward on Monday April 25 2016, @11:59AM
> 'this mail is not spam', it was intended to say 'all emails that come from the wrong server are spam and if messages from this domain are spam then it's safe to bounce them back to this server'.
No, that is not what SPF is intended to do. For one thing, who bounces spam? That goes into spam folders or is null routed. All SPF is intended to do is say whether or not the sending host is authorized to deliver the message or not. It's up to the receiving host to decide what to do with that information.
> In spite of that, the last time I was on the receiving end of a Joe Job it was from a domain that had SPF records set up correctly and the server responsible for bouncing all of the spam at me was GMail.
It doesn't matter if the spammer's domain had an SPF record, what matters is if your domain had a restrictive SPF record.
Even then it is possible to set up SPF in such a way as to permit anyone to impersonate your domain. I've seen lots of SPF guides that recommend ~all or even +all at the end of the SPF record.
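
The point about the trailing `all` term, as an added example that is not part of the comment above: a small Python check that reads a published SPF record and reports which result a sending host not listed in it receives. The function name `audit_spf` and the sample records are constructed for illustration.

```python
# Added example: report what SPF result an unlisted sending host gets.
# Terminology and evaluation order follow RFC 7208.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def audit_spf(record: str) -> dict:
    """Return the default result for unlisted hosts and whether it is a hard fail."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"default": None, "restrictive": False, "note": "not an SPF record"}
    redirect = None
    for term in terms[1:]:
        low = term.lower()
        if low.startswith("redirect="):
            redirect = low.split("=", 1)[1]
            continue
        # A mechanism with no qualifier prefix is treated as "+" (pass).
        qual, mech = (low[0], low[1:]) if low[0] in QUALIFIERS else ("+", low)
        if mech == "all":
            # "all" matches every sender; later terms and any redirect= are ignored.
            result = QUALIFIERS[qual]
            return {"default": result, "restrictive": result == "fail",
                    "note": f"unlisted hosts get {result}"}
    if redirect:
        return {"default": None, "restrictive": False,
                "note": f"policy delegated to {redirect}; audit that record"}
    # No "all" and no redirect: the result for unlisted hosts is neutral.
    return {"default": "neutral", "restrictive": False,
            "note": "no all mechanism; unlisted hosts get neutral"}

# Constructed sample records (example.com and 192.0.2.0/24 are documentation values).
SAMPLES = [
    "v=spf1 mx ip4:192.0.2.0/24 -all",
    "v=spf1 mx ip4:192.0.2.0/24 ~all",
    "v=spf1 mx +all",
    "v=spf1 mx all",
    "v=spf1 mx",
    "v=spf1 redirect=_spf.example.com",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        r = audit_spf(rec)
        print(f"{rec!r:45} restrictive={r['restrictive']!s:5} {r['note']}")
```

Only the `-all` record returns `restrictive=True`; a bare `all` is reported as `pass` because a mechanism without a qualifier defaults to `+`.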