I don't see how this would work.
Lets say I connect to xtra as my ISP, however I have a clear.net.nz email address and use xtra's smtp server to send my email. This sort of system would block it as being spam because it wouldn't be going through the correct poviders smtp server.
Which is one of the major sticking points of SPF. There are legitimate uses of "forging" domains like this...
One alternative would be to allow pop to smtp auth, but I don't see large providers doing such a thing.
Well not sure if you mean POP before SMTP or SMTP AUTH, as they're two different things....POP before STMP is hack, and should go away and die, but SMTP AUTH is a sensible way to do it, is supported by nearly all modern email clients, (at the very least, Outlook Express, Eudora, and Netscape support it) and in fact is supported by a lot of ISP's already. How to tell if your ISP supports it ? Easy, telnet to port 25 of your ISP's nominated smtp server, and type: EHLO test if one of the lines includes: 250-AUTH PLAIN LOGIN Then they support SMTP auth. Note there are two different mechanisms for SMTP auth (actually there are some others as well) PLAIN and LOGIN, and your ISP doesn't necessarily support both.
From memory Netscape and Eudora use "LOGIN" and Outlook Express uses "PLAIN", but don't quote me there...
SPF would be reasonably workable provided that the ISP thats added SPF entries for their own domains provided SMTP auth access for their customers. One major hole of SPF or any similar plan though, is that open relays are still going to work as spam conduits - since SPF is an opt in system, any open relay which didnt have an SPF entry could still relay spam, or if they did have an SPF entry, but were accidentally an open relay, spammers would just have to make sure that they used return addresses which belonged to the domain hosted by the open relay in question. The only way around that would be if your mailsystem added a "penalty" for those domains that don't have an SPF entry (for example adding extra points on spamassassin) but that doesn't seem like a very good idea either... One good side would be that those who did list their domains with an SPF entry would be less likely to be the victim of a "joe job", provided that a large enough proportion of the recipients of such spam were checking SPF... Regards, Simon