SPF does not protect the From address from being spoofed. This is the address that end users see in their mail clients, also called the header-from, friendly from, or RFC5322 address.

SPF is a path-based authentication protocol that authenticates the MAIL FROM address (also called the Envelope-From, Return-Path, bounce address, or RFC5321 address), which is not visible to the end user unless they look at the metadata of the message. SPF tells receiving MTAs whether the sending IP address is allowed to send on behalf of the domain found in the MAIL FROM address. It does not authenticate the From address, so anyone can create a domain with an SPF record that authenticates it and still put whatever they want as the From address in an email.

To protect the From address, you will have to implement DMARC, as it requires that the domain found in the MAIL FROM align with the domain in the From address.
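The gap described above, shown as an added example that is not part of the original article: an SPF "pass" on the MAIL FROM domain says nothing about the From header until the two domains are compared for alignment. The sample messages are constructed, the SPF result is assumed to come from the receiving MTA's own evaluation, and `org_domain` is a simplified stand-in for the Public Suffix List lookup that real DMARC implementations use.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: SPF passes for the sender's own domain, From names another.
SPOOFED = ("Return-Path: <bounce@mailer.example.net>\n"
           'From: "Example Bank" <support@example.com>\n'
           "Subject: constructed sample\n\nbody\n")

# Constructed sample: bounce subdomain of the same organization as the From.
LEGIT = ("Return-Path: <bounce@mail.example.com>\n"
         "From: Support <support@example.com>\n"
         "Subject: constructed sample\n\nbody\n")

def domain_of(header_value):
    """Return the lowercased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower().rstrip(".")

def org_domain(domain):
    # Assumption: naive "last two labels"; real DMARC uses the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def check_alignment(raw_message, spf_result, strict=False):
    """Compare the MAIL FROM domain (Return-Path) with the From header domain.

    spf_result is the receiver's SPF verdict for the MAIL FROM domain.
    """
    msg = message_from_string(raw_message)
    mail_from = domain_of(msg.get("Return-Path"))
    header_from = domain_of(msg.get("From"))
    if strict:
        same = mail_from == header_from
    else:
        same = org_domain(mail_from) == org_domain(header_from)
    aligned = bool(mail_from) and bool(header_from) and same
    return {
        "mail_from": mail_from,
        "header_from": header_from,
        "spf": spf_result,
        "aligned": aligned,
        # SPF only counts toward DMARC when it passes AND the domains align.
        "dmarc_spf_pass": spf_result == "pass" and aligned,
    }

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, check_alignment(raw, "pass"))
```
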
