Combine a strict SPF policy with authenticated SMTP.
You can create a strict SPF policy and still allow end users to send authenticated mail from your domain while connected through their home or travel ISP. Authenticated SMTP has had limited deployment until now, but SPF provides a compelling reason to adopt it. Many ISPs block outgoing port 25, but end users can still relay mail that passes a strict SPF policy by submitting it to your server on the MSA (mail submission) port 587 with authenticated SMTP (SMTP AUTH). RFC 5068 recommends this as a "Best Current Practice".
Multi-domain SMTP server considerations.
If the server is used by multiple domains not under common administrative management, then SMTP AUTH user IDs must be tied to specific e-mail addresses in order to limit the risk of cross-user forgery.
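
One way to enforce that binding at MAIL FROM time, as an added example that is not part of the original page or of any particular mail server. The table contents, the function names and the result codes are assumptions made for illustration, as is the policy of refusing the null sender from submission clients.

```python
# Added example (not from the original page): sender/login binding check
# for a submission server shared by unrelated domains.

# Constructed sample table: SMTP AUTH login -> envelope senders it may use.
LOGIN_SENDERS = {
    "alice@example.org": {"alice@example.org", "sales@example.org"},
    "bob@example.org": {"bob@example.org"},
    "carol@example.net": {"carol@example.net"},
}

def normalize(addr):
    """Return a lowercased 'local@domain', or None if the address is unusable."""
    addr = addr.strip().strip("<>").strip()
    local, at, domain = addr.rpartition("@")
    if not at or not local or not domain or any(c.isspace() for c in addr):
        return None
    # Assumption: local parts are compared case-insensitively on this server.
    return f"{local}@{domain}".lower()

def check_mail_from(auth_login, mail_from, table=LOGIN_SENDERS):
    """Return 'ok', 'auth-required', 'malformed', 'cross-domain' or 'cross-user'."""
    if auth_login is None or auth_login.lower() not in table:
        return "auth-required"  # no relay without a known SMTP AUTH identity
    sender = normalize(mail_from)
    if sender is None:
        return "malformed"  # assumption: also covers the null sender "<>"
    allowed = table[auth_login.lower()]
    if sender in allowed:
        return "ok"
    # Distinguish the two forgery cases so logs show which boundary was crossed.
    allowed_domains = {a.rpartition("@")[2] for a in allowed}
    if sender.rpartition("@")[2] not in allowed_domains:
        return "cross-domain"
    return "cross-user"

if __name__ == "__main__":
    # Constructed sessions: (authenticated login, MAIL FROM argument).
    sessions = [
        ("alice@example.org", "<Sales@Example.ORG>"),  # own alias
        ("bob@example.org", "<alice@example.org>"),    # same domain, other user
        ("carol@example.net", "<bob@example.org>"),    # other tenant's domain
        (None, "<carol@example.net>"),                 # no SMTP AUTH
    ]
    for login, frm in sessions:
        print(f"{login!s:20} {frm:24} -> {check_mail_from(login, frm)}")
```

Without this check, any authenticated tenant could send mail with another tenant's address that still passes that tenant's SPF policy, because SPF only evaluates the relaying server's IP address.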