I'll admit that maybe this isn't too enthralling to the average reader, but for people familiar with SPF records for mail servers, I just learned about something super-powerful I had never heard of before:

These are apparently actually defined in the original spec!
I won't try to repeat the eloquent explanation there, but, tl;dr, you can do things like v=spf1 exists:%{i}._spf.example.com -all, and %{i} will be filled in by the remote mailserver with the originating IP. You can dynamically create entries for what IPs are permitted. (It occurs to me that, with good monitoring, you could also use this to see what IPs are sending mail claiming to be from your domain.)
You have other macros available, like %{s} for the sender address, or %{l} for the "local part" (left-side) of the sending address. As pointed out in the linked post, this allows fine-grained control for, say, permitting an external service to send mail from certain addresses only.
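
To see which DNS name a receiving server would actually look up for an exists: record like the one above (and so which names to publish, or to watch for in query logs), here is a small macro expander following RFC 7208 section 7. It is an added example, not code from the linked post; the function name and sample inputs are made up, and it goes beyond %{i}, %{s} and %{l} to cover the other check-time macros plus the reverse, digit and delimiter transformers.

```python
import ipaddress
import re

# RFC 7208 section 7 macro syntax: %{<letter><digits><r><delimiters>}
MACRO = re.compile(r"%\{([slodivh])(\d*)(r?)([.\-+,/_=]*)\}|%([%_-])")
LITERALS = {"%": "%", "_": " ", "-": "%20"}

def expand_spf_macros(spec, ip, sender, helo="unknown"):
    """Return the name a receiver would build from an SPF domain-spec."""
    addr = ipaddress.ip_address(ip)
    local, _, domain = sender.rpartition("@")
    if not local:                      # RFC 7208: empty local part -> postmaster
        local = "postmaster"
    if addr.version == 4:
        i_val, v_val = str(addr), "in-addr"
    else:                              # IPv6 expands to 32 dot-separated nibbles
        i_val, v_val = ".".join(addr.exploded.replace(":", "")), "ip6"
    values = {
        "s": f"{local}@{domain}", "l": local, "o": domain,
        "d": domain,                   # assumption: top-level check, no include/redirect
        "i": i_val, "v": v_val, "h": helo,
    }

    def substitute(match):
        if match.group(5):             # %%, %_ and %- escapes
            return LITERALS[match.group(5)]
        letter, digits, reverse, delims = match.group(1, 2, 3, 4)
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if reverse:
            parts.reverse()
        if digits:
            if int(digits) == 0:
                raise ValueError("digit transformer must be non-zero")
            parts = parts[-int(digits):]   # keep the right-most N labels
        return ".".join(parts)

    return MACRO.sub(substitute, spec)

if __name__ == "__main__":
    # Constructed inputs using documentation address ranges and example.com.
    for spec in ("%{i}._spf.example.com", "%{l}._spf.%{d2}", "%{ir}.%{v}._spf.%{d2}"):
        print(spec, "->", expand_spf_macros(spec, "192.0.2.3", "strong-bad@email.example.com"))
```

The exists: mechanism matches when the expanded name resolves to any A record, so each permitted IP or local part needs a corresponding record under _spf.example.com.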