Spam email "via" my domain, but SPF record exists

Having an SPF record in your DNS records helps the recipient know which email server is legitimate for your domain. The recipient looks up the sending domain for the valid server IPs and then decides what to do with the email.

  1. If the sending IP is on the list, then the email is likely OK.

  2. If the sending IP is not on the list, then it should be treated suspiciously.

This checking logic requires that the receiving email server is configured to check for SPF records. If you are not checking for SPF records, then the entire SPF checking process is not done.

If your email headers do not include the SPF fields, then your email server is not set up to check for SPF and it is not protecting your company in this way.

You need to look up your email service documentation to figure out how to turn on SPF checking.

Just having an SPF record does not mean that nobody is able to use your email address as the claimed recipient for spoofed messages.

First, SPF only cares about the SMTP envelope and not about the From field in the mail header. It is no problem to send a mail where both are different. There is no information in your question about what the SMTP envelope was (usually shown as the Return-Path field in the mail header), but it is actually common that both are different when spoofing mails. To care about the From you would additionally need to set up DMARC.

And even if both SPF and DMARC are set up, the recipient of the mail would actually need to check this. While many check SPF, most don't check DMARC.

For more information see also Why set up DMARC for SPF if it's already set up for DKIM?.

Actually the SPF record only tells which server(s) legitimate mails using your domain may come from - and we're talking envelope information (SMTP/RFC2821) here, not the From line inside the mails (RFC2822).

Inside your mail program you'll normally only see the mail content (RFC2822), so a mail using your domain in the From line may actually have been sent using a different envelope sender and you'll only be able to see that if you look at the headers where a line like 'X-Apparently-From' would reveal the sender used to deliver the mail.

Also, if one of the servers specified in your SPF is compromised, mails using your domain can be sent through it quite legitimately.
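As an added illustration (not part of the original answers), the following script reads a message's headers and reports the envelope sender domain from Return-Path, the visible From domain, and whether the receiving server recorded an SPF result. Both sample messages and all domains are constructed, and the exact-match comparison is a simplification of DMARC alignment, which works on organizational domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: SPF passes for the envelope domain, but From shows another domain.
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
Received-SPF: pass (mx.recipient.example: domain of bounce@mailer.example.net designates 203.0.113.7 as permitted sender)
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=mailer.example.net
From: "Accounts" <billing@yourdomain.example>
To: user@recipient.example
Subject: Invoice

body
"""

# Constructed sample: the receiving server added no SPF-related headers.
UNCHECKED = """\
Return-Path: <billing@yourdomain.example>
From: billing@yourdomain.example
To: user@recipient.example
Subject: Hello

body
"""

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or None (e.g. for '<>')."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else None

def analyze(raw):
    msg = message_from_string(raw)
    envelope = domain_of(msg.get("Return-Path"))   # what SPF evaluated
    visible = domain_of(msg.get("From"))           # what the user sees
    spf_result = None
    if msg.get("Received-SPF"):
        # The result keyword is the first token of the header value.
        spf_result = msg["Received-SPF"].split()[0].lower()
    else:
        for ar in msg.get_all("Authentication-Results", []):
            m = re.search(r"\bspf=(\w+)", ar)
            if m:
                spf_result = m.group(1).lower()
                break
    return {"envelope_domain": envelope, "from_domain": visible,
            "spf_evaluated": spf_result is not None, "spf_result": spf_result,
            # Simplified exact match; DMARC alignment is more permissive.
            "from_matches_envelope": envelope is not None and envelope == visible}
```

A result of `spf_result == "pass"` together with `from_matches_envelope == False` is the case described above: SPF succeeded for the envelope domain while the From line shows a different one.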