Google has turned SPF validation on.
Here's an example how this breaks forwarding:
Let's say I create an e-mail address (let's call it family@mydomain) that is forwarded to multiple people, and one of them has a gmail account, all mail sent from domains with a hard fail policy to this address will bounce.
The three people with an icloud address will get it (because icloud doesn't do SPF checks yet), but the fourth and fifth recipient with a gmail address will not get it, and the sender will receive two bounces.
If you run your own domain, and want to use multiple virtual aliases for it, but forward everything to a domain that does SPF checks, all mail from sender domains with a hard fail policy will bounce.
So yes, for mail delivery to fail, both the final receiver domain needs to do SPF validation, and the sender domain needs to have a hard fail policy, but there are enough of those to make mail forwarding useless.
Apparently there is a solution to this, at least if the forwarding server is running postfix, and that is to install postsrsd, but I haven't had time to implement and test that yet.
The hotfix was just to not allow any virtual addresses that forward to domains (like gmail) that do SPF checks. But that's also bad because I have no control over when a new target domain starts to implement them. Bottom line: SPF is making my life worse, not better. Apparently one of its main purposes is to help with backscatter from spam, but there are other ways to deal with that that don't require breaking forwarding.