The SPF RFC states that the SPF controls are only really useful in certain situations, because the MTAs alone can block a lot of spam before the SPF test even takes place. To do this, you have a list of controls here that you can use to block a lot of spam, and all you have to do is test messages for SPF that still arrive.
Note that the rules 3 & 4 are often violated by legitimate but unsuspecting domains that do not take this kind of detail into account. You can also configure these settings in Postfix at http://www.postfix.org/uce.html