I have recently seen a large number of cases where an organization’s own domain was spoofed to send that company phishing messages. This isn’t all that uncommon, but what was concerning for me was the method used in these cases to do the spoofing. In these cases, only the 5322.From header was spoofed, which cannot be detected by an SPF check.
I've recently seen an increase in cases that involve incorrectly published SPF records that have resulted in sent mail failing the SPF check. Ensuring your SPF record is up to date is great proactive work that can help prevent issues with SPF checks. In this article I'm going to go over how to properly set your SPF record if you are using Exchange Online or Exchange Online Protection.
There is also a common mistake that organizations sometimes make in their SPF record when they are smart hosting mail out through EOP which I will also highlight.