Happy new year. Sorry that the first post of January is about challenge/response (again), but surprisingly few people seem to get it.
There's this idea floating around that challenge/response filters are OK if they check SPF, SenderID, or DomainKeys -- only challenging messages that pass those checks.
Twaddle. This idea that SPF or SIDF or DKIM can tell you whether a message is forged is naive.
Firstly, implementation on the sender side is spotty. If there's no SPF record or DKIM header to check, you're back to square one.
Secondly, don't forget that most spam is sent by virus-infected computers (corralled into a botnet). There's nothing to stop virus writers from sending spam that passes an SPF/PRA/DK check at the receiving end.