Controversy around SPF
When E-Mail was documented in 1982, it was meant to be decentralised. The rise of large mail providers (ISPs) such as Yahoo, Hotmail and Gmail a few decades later has defeated this purpose.
In May 2023, the authors of RFC 8058 reported severe flaws in SPF. Large mail providers tend to publish all of their sending IP addresses in a single SPF record. Customers who send through the provider from their own domain are instructed to reference that record with an include mechanism in their own domain's SPF record. As a result, every domain that sends via Gmail authorises every Gmail IP address. SPF authorises an IP address, not an account, so it cannot tell the provider's customers apart: impersonating another Gmail customer's domain in the envelope sender (MAIL FROM) of a message submitted through Gmail's SMTP servers results in an SPF pass at the receiver.
Because DMARC passes when either SPF or DKIM passes with an aligned domain, this discovery also undermines DMARC. Alignment does not help here: the impersonated domain appears both in the envelope sender and in the From: header, so the SPF pass is aligned and DMARC passes. And because BIMI depends on a DMARC pass, BIMI can no longer be trusted either as long as this issue remains unsolved.
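The following is an added example, not code from the original article or from any of the providers it names. It is a minimal SPF evaluator (ip4, include and all mechanisms only, with the RFC 7208 lookup limit) run over a constructed in-memory DNS table, plus the DMARC SPF-alignment check described above. All domain names (bigmail.example, victim.example, attacker.example, selfhosted.example), the IP ranges and the record contents are made up; _spf.bigmail.example stands in for a provider-wide include such as _spf.google.com. It shows that a message sent from any provider IP with another customer's domain as envelope sender gets an aligned SPF pass, while a domain that lists only its own host does not.

```python
# Added example (not part of the original article): a toy SPF evaluator over a
# constructed DNS table, showing why an include of a shared provider record
# authorises every other customer of that provider.
import ipaddress

# Constructed TXT records. In reality these would be fetched over DNS.
DNS = {
    # Provider-wide record listing all of the provider's outbound IPs.
    "_spf.bigmail.example": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/24 -all",
    # Two unrelated customers who both follow the provider's instructions.
    "victim.example": "v=spf1 include:_spf.bigmail.example ~all",
    "attacker.example": "v=spf1 include:_spf.bigmail.example ~all",
    # A domain that runs its own mail server and lists only that host.
    "selfhosted.example": "v=spf1 ip4:192.0.2.10 -all",
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 is a permerror

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain, _lookups=None):
    """Evaluate the SPF record of `domain` for a connection from `client_ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only the ip4, include and all mechanisms are implemented; other
    mechanisms yield permerror so that nothing is silently accepted.
    """
    if _lookups is None:
        _lookups = [0]  # shared counter across recursive includes
    record = DNS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        result = QUALIFIER_RESULT[qualifier]
        if term == "all":
            return result
        mechanism, _, argument = term.partition(":")
        if mechanism == "ip4":
            if ip in ipaddress.ip_network(argument, strict=False):
                return result
        elif mechanism == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            # include matches only when the referenced record yields pass.
            if check_spf(client_ip, argument, _lookups) == "pass":
                return result
        else:
            return "permerror"
    return "neutral"  # no mechanism matched and no `all` term was present


def dmarc_spf_aligned(client_ip, mail_from_domain, header_from_domain):
    """DMARC's SPF leg: SPF must pass for the envelope sender domain AND that
    domain must align with the RFC 5322 From: domain. Strict alignment
    (exact match) is used here for simplicity; DMARC's default relaxed mode
    compares organisational domains instead."""
    return (check_spf(client_ip, mail_from_domain) == "pass"
            and mail_from_domain == header_from_domain)


if __name__ == "__main__":
    provider_ip = "203.0.113.5"   # any outbound host of the shared provider
    # Another customer of the provider spoofs victim.example as envelope
    # sender and From: domain: SPF passes and is aligned, so DMARC passes.
    print(check_spf(provider_ip, "victim.example"))
    print(dmarc_spf_aligned(provider_ip, "victim.example", "victim.example"))
    # The same spoof from an unrelated host is caught by victim.example's ~all.
    print(check_spf("192.0.2.99", "victim.example"))
    # A domain that lists only its own server rejects the provider's IP.
    print(check_spf(provider_ip, "selfhosted.example"))
```

The point of the demo is the first two results: the receiver cannot distinguish the legitimate owner of victim.example from any other tenant of the same provider, because the only thing SPF verifies is the connecting IP address. The self-hosted record shows that the weakness comes from the shared include, not from SPF evaluation itself.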