Assume we have the domain example.com with the SPF zone file entry of v=spf1 a:192.168.0.1 a:192.168.0.2 -all. This configuration would specify that the hosts 192.168.0.1 and 192.168.0.2 and no others are allowed to send mail from the domain example.com. As per your previous post, the host 192.168.0.1 is also the primary mail exchanger for this domain - Any mail however which is forwarded from this mail exchanger will not have the SMTP envelope sender address of the domain example.com but rather that of the original sender domain.
As such, if the secondary mail server, to which mail is forwarded from 192.168.0.1 is SPF aware, the incoming mail from 192.168.0.1 may be considered to be illegitimate because the SMTP envelope sender address is not of the domain example.com but rather the original sender domain. As such, when forwarding mail under SPF, the SMTP envelope sender address (or return path) must be re-written in order to ensure delivery - The requirement is described in the PDF document at http://spf.pobox.com/emailforwarders.pdf.
Note that this issue is not unique to SPF - The Caller ID proposal from Microsoft requires modifications to the
Sender header of forwarded mail messages in order not to break mail forwarding.
perl -le "print unpack'N', pack'B32', '00000000000000000000001011011000'"
