Grant Taylor via Mailman-Users writes:
Note: SPF by itself won't do anything to protect against From: header spoofing.
Sure, but if configured correctly, it gives you exactly the information you need. The problem with SPF is that a lot of header spoofing is legitimate (at least from the point of view of the sender). For example, using your school address as From on your Gmail account.
I would suggest that you also look into DKIM and particularly DMARC filtering.
These don't help with the fundamental problem of host-based sender authentication. You still need to use a school MTA to send mail with your school address, and that often sucks from the point of view of the users.
If Valentin is willing to enforce that (in my experience, pretty draconian) restriction, SPF is good enough for the application at hand, DKIM is more robust against many kinds of forwarding. DMARC policy (other than "none") is likely a disaster in an educational setting.
Steve