
Summary: if you have a hosted email address associated with your Facebook account (probably every address on a domain without DKIM signing, i.e. everything except GMail, Hotmail, MSN and a few other big mail providers), you are vulnerable: anyone can post as you in Facebook Groups that have an associated @groups.facebook.com email address.
Facebook allows users to post to Groups using email.
An attacker who knows the Group's email address can harvest the target's email addresses (the ones associated with the victim's account) from the Info page of the victim's FB profile, and can then test each of those addresses against this simple rule:
Sending a fake mail with a spoofed sender (From header) and Return-Path to the @groups.facebook.com email address is enough. Facebook will publish a post in the group you choose (if the victim has rights to post there, obviously) using the victim's account.
Somehow, the Facebook Postmaster ignores SPF Fail and SoftFail results.
I am not completely sure why this happens. Perhaps dropping unauthenticated mail would block too many legitimate attempts to post to Groups, but Facebook should really drop mail that arrives with an SPF Fail or SoftFail result.
Facebook requires either SPF records or DKIM signatures to authenticate mail from your domain. Unauthenticated mail may be rejected or delivered at a slower rate than authenticated mail. Recipients may see warnings that the source of the message could not be verified when reading unauthenticated messages. Mail sent to Facebook applications, such as Groups or Photos, is more likely to be refused if it is not authenticated.
Even if you are unable to publish an SPF record with 'Fail' or 'SoftFail' mechanisms, are unable to publish your entire infrastructure with a 'Pass' mechanism, or are unable to implement DKIM signing on your entire outbound mail system, Facebook encourages administrators to configure domain authentication for as much of their system as possible. This will begin establishing a reputation for your domain and minimize the number of delivery issues encountered.
However, we tested with an ad-hoc mail server with only one allowed IP (the MX host) and a -all SPFv1 record. An SPF check of a spoofed message correctly returns Fail (hard fail), yet Facebook accepts the spoofed email and creates a post in the target group as the victim.
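To make the test above concrete from the receiving side, here is an added example (not code from the original post, and not Facebook's implementation) of what a mail-to-post ingest should do with the SPF result. It evaluates a minimal SPFv1 record (ip4/ip6 mechanisms plus the `all` catch-all) against the connecting IP, extracts the envelope sender domain from a constructed message's Return-Path, and returns a policy decision that only lets an SPF Pass act as the sender. The domain names, IPs, SPF records and the group address `mygroup@groups.facebook.com` are constructed assumptions; the `SPF_RECORDS` table stands in for a real DNS TXT lookup.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF records keyed by domain; stands in for a DNS TXT lookup.
# "victim.example" mirrors the ad-hoc test setup: one allowed IP, then -all.
SPF_RECORDS = {
    "victim.example": "v=spf1 ip4:203.0.113.10 -all",
    "soft.example": "v=spf1 ip4:203.0.113.10 ~all",
}

# Constructed message as a receiver would see it: spoofed From and Return-Path
# naming the victim's address, sent to a hypothetical group address.
SAMPLE_MAIL = """Return-Path: <alice@victim.example>
From: Alice <alice@victim.example>
To: mygroup@groups.facebook.com
Subject: hello

posted via email
"""

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Hypothetical DNS lookup: return the SPF TXT record for a domain, or None."""
    return SPF_RECORDS.get(domain)


def evaluate_spf(domain, sender_ip, lookup=lookup_spf):
    """Minimal SPFv1 check: supports ip4/ip6 mechanisms and the 'all' catch-all.

    Mechanisms that need further DNS (a, mx, include, exists, ptr) are out of
    scope for this example and yield 'permerror'.
    """
    record = lookup(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "permerror"
    # Record exhausted without a match and without an 'all' term.
    return "neutral"


def envelope_domain(raw_message):
    """Domain of the Return-Path (envelope sender), the identity SPF authenticates."""
    msg = message_from_string(raw_message)
    addr = parseaddr(msg.get("Return-Path", ""))[1]
    return addr.rpartition("@")[2].lower() or None


def group_post_decision(raw_message, connecting_ip):
    """Policy for a mail-to-post ingest: only an SPF Pass may act as the sender.

    Fail and SoftFail are rejected outright, which is the behaviour the post
    argues Facebook should adopt; anything inconclusive is held for review.
    """
    domain = envelope_domain(raw_message)
    if domain is None:
        return ("reject", "none")
    result = evaluate_spf(domain, connecting_ip)
    if result == "pass":
        return ("accept", result)
    if result in ("fail", "softfail"):
        return ("reject", result)
    return ("quarantine", result)


if __name__ == "__main__":
    # Legitimate MX host vs. an unrelated (spoofing) host.
    print(group_post_decision(SAMPLE_MAIL, "203.0.113.10"))  # ('accept', 'pass')
    print(group_post_decision(SAMPLE_MAIL, "198.51.100.7"))  # ('reject', 'fail')
```

With the `-all` record the spoofed message from 198.51.100.7 evaluates to Fail and is rejected; the same message from the one authorised IP passes. A `~all` record produces SoftFail, which this policy also rejects for an action as sensitive as posting under someone's account, even though ordinary inbox delivery commonly treats SoftFail more leniently.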