by andrewmcwatters 1765 days ago
In practice, that's not true. Major email providers will not respond any differently to ~all versus -all, despite what the RFCs state you should do.

That’s not what I meant. SPF checks the Envelope Sender domain, which does not have to be the same as the address seen in the From header.

Your configuration is trivially spoofable by setting the Envelope Sender to something the attacker controls (and thus it will pass SPF), while still placing your domain in the From header.
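
The mismatch described in the comment above, as an added example that is not part of the original thread: a receiver-side check that flags mail whose SPF pass belongs to a different domain than the one in the From header. It assumes the receiving MTA recorded its verdict in an `Authentication-Results` header (RFC 8601), uses strict domain equality rather than DMARC's relaxed organizational-domain match, and runs on constructed sample messages with placeholder domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def _domain(addr):
    """Lowercased domain of an address (or of a bare domain string)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower().rstrip(".")

def check_spf_alignment(raw_message):
    """Say whether an SPF pass actually vouches for the From header domain."""
    msg = message_from_string(raw_message)
    from_dom = _domain(msg.get("From", ""))
    # Assumption: the receiver stamped "spf=<result> smtp.mailfrom=<sender>".
    ar = msg.get("Authentication-Results", "")
    m = re.search(r"\bspf=(\w+)\b.*?\bsmtp\.mailfrom=([^\s;]+)", ar, re.S)
    if not m:
        return "no-spf-result"
    result, env_dom = m.group(1).lower(), _domain(m.group(2))
    if result != "pass":
        return "spf-" + result
    # SPF only authenticated env_dom. Strict alignment: it must equal the
    # From domain. (DMARC's relaxed mode needs the Public Suffix List.)
    return "aligned" if env_dom == from_dom else "spf-pass-unaligned"

# Constructed sample: SPF passes for the sender's own envelope domain,
# while the From header shows a different domain.
SPOOFED = (
    "Authentication-Results: mx.receiver.example; spf=pass\r\n"
    " smtp.mailfrom=bounce@mailer.example; dkim=none\r\n"
    "From: Billing <billing@victim.example>\r\n"
    "Subject: invoice\r\n\r\nbody\r\n"
)

# Constructed sample: envelope sender and From header share a domain.
LEGIT = (
    "Authentication-Results: mx.receiver.example; spf=pass\r\n"
    " smtp.mailfrom=bounces@victim.example\r\n"
    "From: Billing <billing@victim.example>\r\n"
    "Subject: invoice\r\n\r\nbody\r\n"
)

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, "->", check_spf_alignment(raw))
```
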