Anne Mitchell says it well and it bears repeating. SPF is not about stopping spam. It’s about making sure the purported sender domain (be it citibank.com or bank-usa.com) of an e-mail really is the sender.
SPF (and Sender ID) are, of course, considered first steps toward stopping spam. Once you know who really sent a message, you can determine whether that domain is a known spam or known ham sender. Spam gets blocked; ham doesn’t.
Anne is totally right to scream about misconceptions about SPF. After all, I’d hate for e-mail authentication to be branded a “failure” for failing to do what it was never designed or expected to do in the first place.