You ask SPF: "I have someone coming from a certain IP address. They claim to be a certain sender. Are they for real?"

SPF will tell you one of four things:

1. The sender is good, the sender has previously announced that they do send mail from that IP address.
2. The sender is bad, the purported sender has published a list of IP addresses they send mail from, and the client IP isn't one of them.
3. The sender may be good or bad: the sender domain is in a transitional phase; it is methodically converting its users to be SPF compliant, so we should go easy on any violations for the present.
4. SPF doesn't know: the sender has not published any IP addresses, so the message could be legit, or it could not.

SMTP without SPF cannot do that.

For SPF to answer the question, domain owners have to designate which IP addresses send mail for their domains.

For example, hotmail.com would publish a SPF list that includes 65.54.247.109, 216.33.241.106, and 207.68.163.86, which are all servers which you could reasonably expect to see a hotmail message coming from. But if someone connects from 80.34.201.194 and claims to be a hotmail sender, you would know better than to believe them, because that IP address isn't on the list.