Eventually we'll probably bump "?all" to a stricter "~all" aka SoftFail, which tells the receiving side that only mail coming from the listed subnets is valid. Most ISPs will route 'other' mail to a spam folder based on SoftFail.
I guess this means that people will no longer be able to successfully use a @wikimedia.org address in their from: field unless they are WMF employees (or whatever) and use the Google Apps address via webmail or SMTP-AUTH? Not that I care, but all such existing users should probably be warned.
I was under the impression that ~all softfail is not an assertion that something is not authorized and the only way to actually assert that is with -all hardfail.
Please bug me with any questions/comments!
Nemo