as I had a shell-script-driven approach to greylisting, battle address
harvesters a.s.o. I also included SPF there and do not use the
experimental built-in. But I think I can give you both at least a hint
on your localhost Q and observation
> and clearly does not include localhost. So passing messags from
> localhost might be a feature of SPF in general or of the implementation
> in Exim.
I wouldn't think localhost is handled special by SPF, but usually (in
standard- and example configs) you have a very early rule ACCEPTing
existing local users, before it does any "expensive" (netwise: DNS
lookup etc.) actions. In this case your SPF is not even tested, which is
the aim of this rule. You wouldn't want to greylist internal addresses
either, would you?