by aj3 1767 days ago
Your configuration provides no protection from email spoofing though.

In practice, that's not true. Major email providers will not respond any differently to ~all versus -all, despite what the RFCs state you should do.

That’s not what I meant. SPF checks the Envelope Sender domain, which does not have to be the same as the address seen in the From header.

Your configuration is trivially spoofable by setting the Envelope Sender to something the attacker controls (and thus it will pass SPF), while still placing your domain in the From header.
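Added example, not part of the thread: a receiver-side check for the gap described above, comparing the domain SPF evaluated (the envelope sender, as recorded in `Return-Path`) with the domain in the visible `From` header. This is the alignment requirement DMARC layers on top of SPF; the sample messages, domains and function names are constructed for illustration, and the subdomain rule is a simplification of relaxed alignment, which really uses the Public Suffix List.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages. Return-Path records the envelope sender
# (SMTP MAIL FROM) that SPF evaluated; From is what the recipient sees.
# Only trust a Return-Path written by your own receiving MTA.
ALIGNED = """\
Return-Path: <bounce@example.com>
From: Billing <billing@example.com>
Subject: invoice

body
"""
MISALIGNED = """\
Return-Path: <bounce@unrelated.test>
From: Billing <billing@example.com>
Subject: invoice

body
"""

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or None."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")

def spf_domain_matches_from(raw_message):
    """True only if the SPF-checked domain is aligned with the From domain."""
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    # Zero or several From headers: nothing unambiguous to align against.
    if len(from_headers) != 1:
        return False
    envelope = domain_of(msg.get("Return-Path"))
    visible = domain_of(from_headers[0])
    # A null envelope sender ("<>", used for bounces) gives SPF no
    # MAIL FROM domain to align, so treat it as unaligned here.
    if envelope is None or visible is None:
        return False
    # Exact match, or envelope domain is a subdomain of the From domain
    # (simplified relaxed alignment; assumption, see lead-in).
    return envelope == visible or envelope.endswith("." + visible)

if __name__ == "__main__":
    for name, raw in (("aligned", ALIGNED), ("misaligned", MISALIGNED)):
        print(name, spf_domain_matches_from(raw))
```

A message can pass SPF and still fail this check, which is why an SPF record on its own says nothing about the `From` header.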