Recommended SPF configuration does not play nicely with mailing lists and the current "receiver architecture"

I've configured 3 simple-nixos-mailservers with the default settings recommended on https://nixos-mailserver.readthedocs.io/en/latest/setup-guide.html:

  1. sender.example.org: A mailserver I'm sending emails from. It has the recommended SPF record with a -all rule.
  2. lists.example.org: A mailserver that hosts a mailing list: cool-people@lists.example.org, with one member: me@receiver.example.org.
  3. receiver.example.org: I expect to see emails show up here.

If I send an email from me@sender.example.org to cool-people@lists.example.org, it'll get forwarded to me@receiver.example.org, but the receiving mailserver will immediately bounce the email due to it failing SPF (because the IP address of lists.example.org isn't allowed by sender.example.org's SPF record).

I know of ~~2~~ 3 ways to fix this:

  1. On receiver.example.org: rework simple-nixos-mailserver's "receiver architecture" to only bounce emails if they fail DMARC, not SPF. I've asked for this feature in: #301 (closed).
  2. On sender.example.org: Change the SPF record to use ~all rather than -all. That's what wiki.nixos.org currently does: https://github.com/NixOS/infra/blob/8edb8de2ce9259224cc17a95094b913ad27069e0/terraform/dns.tf#L315-L318.
  3. On lists.example.org: Implement Sender Rewriting Scheme (SRS). SRS is a mechanism to rewrite the envelope of mails an MTA forwards so that they don't fail SPF. You can implement this with postfix using postsrsd, see https://github.com/jfly/snow/commit/ec179dccb83291022ba0aba906b931d2de691792.
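To make concrete what option 3 changes, here is an added example (not code from the issue, nixos-mailserver or postsrsd) of a simplified SRS0 rewrite and reverse: the forwarder replaces the envelope sender with an address in its own domain, so receiver.example.org evaluates lists.example.org's SPF record instead of sender.example.org's, while bounces can still be mapped back to the original sender. The secret and the day counter are constructed values; real postsrsd hash details differ.

```python
import base64
import hashlib
import hmac
import re
import time

BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
FORWARDER = "lists.example.org"          # domain whose SPF is checked after rewriting
SECRET = b"constructed-demo-secret"      # assumption: real deployments use a random secret

def _timestamp(day):
    # SRS0 timestamp: two base32 chars encoding days-since-epoch mod 1024
    return BASE32[(day >> 5) & 31] + BASE32[day & 31]

def _hash(secret, ts, domain, local):
    # Truncated HMAC binding timestamp and original address (case-insensitive)
    msg = (ts + domain + local).lower().encode()
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha1).digest()).decode()[:4]

def srs_forward(sender, forwarder=FORWARDER, secret=SECRET, day=None):
    """Rewrite the envelope sender of a forwarded mail into the forwarder's domain."""
    local, domain = sender.rsplit("@", 1)
    day = int(time.time() // 86400) if day is None else day
    ts = _timestamp(day)
    return f"SRS0={_hash(secret, ts, domain, local)}={ts}={domain}={local}@{forwarder}"

def srs_reverse(addr, secret=SECRET, day=None, max_age=21):
    """Map a bounce addressed to an SRS0 address back to the original sender.
    Rejects forged or stale addresses so the forwarder cannot be used as a bounce relay."""
    local, _ = addr.rsplit("@", 1)
    m = re.fullmatch(r"SRS0=([^=]{4})=([A-Z2-7]{2})=([^=]+)=(.+)", local)
    if not m:
        raise ValueError("not an SRS0 address")
    h, ts, domain, orig_local = m.groups()
    if not hmac.compare_digest(h, _hash(secret, ts, domain, orig_local)):
        raise ValueError("bad SRS hash")
    day = int(time.time() // 86400) if day is None else day
    encoded = (BASE32.index(ts[0]) << 5) | BASE32.index(ts[1])
    if (day - encoded) % 1024 > max_age:
        raise ValueError("SRS address expired")
    return f"{orig_local}@{domain}"

if __name__ == "__main__":
    rewritten = srs_forward("me@sender.example.org", day=20000)
    print(rewritten)                         # SRS0=....=RA=sender.example.org=me@lists.example.org
    print(srs_reverse(rewritten, day=20003))  # me@sender.example.org
```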
Edited by Jeremy Fleischman