IP spoofing forges, or "spoofs," the source address in the header of an IP packet to make it appear to have originated from another machine -- the source address being the address from which a packet was sent. In order for spammers to use this technique, they would have to spoof the entire TCP sequence, which is highly unlikely and hasn't been seen in the wild.
If somebody could come up with such an attack, then yes, he or she would be able to pass through an SPF check, as long as the spoofed IP address matched that of a machine genuinely allowed to send mail for that domain and email address. Email spoofing, on the other hand, is extremely common, and SPF plays a role in preventing this source of spam. Email spoofing occurs when spammers alter the email header so the message appears to have originated from someone or somewhere else.
SPF provides a method whereby a mail server or mail transfer agent (MTA), when it receives an email, can confirm the sending server is authorized to send mail on behalf of that address. Domains publish Mail Exchange (MX) records in the Domain Name System (DNS), specifying which machines receive mail for the domain. SPF is basically a reverse MX record, specifying which machines are authorized to send mail from the domain. Published SPF records include attributes that uniquely describe an organization's email, including authorized senders and mail server IP addresses. Additional information on SPF can be found at Open SPF, which includes a comprehensive FAQ that reviews how to block large amounts of spam even before SPF checks occur.
To help reduce unwanted email, you should follow best practices, performing all spam-filtering tests and rejecting unwanted incoming emails while the sending server is still connected. If your server accepts an email and then decides it's spam, any reply to the sender's address indicating the message failed is likely to be to a valid but forged address. This is known as email backscatter and is a problem in itself.
SPF checks require DNS queries, which are somewhat computationally expensive. If you can't reject email at the SMTP connection, you should reduce the amount of backscatter by sending emails using schemes such as Bounce Address Tag Validation, a mechanism for assessing the validity of an email's envelope return or bounce address.
If email authentication becomes universal, then spammers will have a much tougher time getting their emails delivered. If you're interested in learning more about the various emerging methods of authenticating email, check out the Messaging Anti-Abuse Working Group white paper, Trust in Email Begins with Authentication, which was published last year.
This was first published in August 2009