Since I am using SPF as a validation method, the non-srs messages from those big providers will have possibility to break SPF and be rejected by our systems.
Do you reject based on solely the SPF result? It would be better to use DMARC, have SPF only create the auth header and not reject, then let DMARC evaluate and decide to reject or not. DMARC will look for any DKIM signatures and if a signature is valid DMARC will accept the email even when SPF fails due to forwarding.
