Here's how SPF is defined on Wikipedia:
In computing, Sender Policy Framework (SPF) is an extension to the Simple Mail Transfer Protocol (SMTP). SPF allows software to identify and reject forged addresses in the SMTP MAIL FROM (Return-Path), a typical nuisance in e-mail spam.
SPF is an admittedly imperfect technology, but it's simple to implement and can drastically cut down on spam and fraudulent e-mails. Of the major e-mail providers (Microsoft, Google, AOL, and Yahoo), only Yahoo doesn't have an SPF record.
So why would Yahoo ignore this? Yahoo is pushing for a different solution to the problem of forged e-mails called DomainKeys. Here's the definition on Wikipedia:
DomainKeys is an e-mail authentication system (developed at Yahoo!) designed to verify the DNS domain of an E-mail sender and the message integrity. The DomainKeys specification has adopted aspects of Identified Internet Mail to create an enhanced protocol called DomainKeys Identified Mail (DKIM).
Yahoo's scheme also has flaws, but it could work well if widely deployed, although few sites currently use it. Now here's the rub: the two schemes are not mutually exclusive. That is, you could implement both SPF and DomainKeys with no problem. So why hasn't Yahoo implemented SPF?
Well, their own mail servers will reject mail pretending to be from yahoo.com but originating from another location. So their users are protected from the spoofing of yahoo.com e-mail addresses. Yahoo hopes that other people will be bothered enough by spoofed yahoo.com e-mails that they are forced to adopt Yahoo's DomainKeys technology.
This is a dirty trick. DomainKeys is a good idea, but it is more difficult to implement and adds a large burden to mail servers for both incoming and outgoing mail. SPF is lightweight and easy to implement. And more importantly, they can coexist.
So what's the deal, Yahoo? Why not enable DomainKeys and SPF on your domain?
For more information on Sender Policy Framework, visit the OpenSPF site. And if you manage a domain, be sure to use the wizard to help you determine what your SPF record should be and how to add it to your domain.
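What a receiving mail server does with a published SPF record, as an added example that is not part of the original post: a minimal evaluator covering only the `ip4`, `ip6` and `all` mechanisms. The function name `check_spf`, the `"unsupported"` result, the record for example.com and the addresses are constructed for illustration.

```python
import ipaddress

# Qualifier prefix -> result (RFC 7208); a mechanism with no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sender_ip):
    """Evaluate an SPF TXT record against the connecting client's IP address.

    Handles only ip4, ip6 and all. Mechanisms that need DNS lookups
    (a, mx, include, exists, ptr) and redirect= yield "unsupported".
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                          # no SPF policy published
    addr = ipaddress.ip_address(sender_ip)
    has_redirect = False
    for term in terms[1:]:                     # first match wins, left to right
        name, sep, _ = term.partition("=")
        if sep and ":" not in name and "/" not in name:   # modifier (name=value)
            has_redirect = has_redirect or name.lower() == "redirect"
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, value = term.lstrip("+-~?").partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech not in ("ip4", "ip6"):
            return "unsupported"
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return "permerror"                 # malformed network in the record
        if net.version != int(mech[2]):
            return "permerror"                 # e.g. an IPv6 range under ip4:
        if addr in net:
            return QUALIFIERS[qualifier]
    # Nothing matched: the default result is neutral, unless redirect= points elsewhere.
    return "unsupported" if has_redirect else "neutral"

# Constructed record for the documentation domain example.com.
RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.7", "2001:db8::1"):
        print(ip, check_spf(RECORD, ip))
```

A domain with no record at all returns `none`, which leaves receivers with no SPF policy to enforce against mail forged in its name.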