What's the point of SPF if an attacker spoofs the "From" address?


Based on my current understanding, SPF is only concerned with validating that the sending email server's IP is listed in the SPF record for the domain of the "envelope from" (Return-Path/MAIL FROM). Since spoofing is usually done on the "From" address shown to the receiver, the "envelope from" address will be from the domain of the malicious actor, a DNS lookup for that domain's SPF record will include the IP address of the server used to send the spoofed email, and SPF will pass. Am I wrong, and if not, what is the point of SPF on its own? Why would a malicious actor even want to spoof the "envelope from"?

Why wasn't SPF designed to use the "From" address instead? Wouldn't that have ensured that whoever pretends to be [email protected] (as the address visible to the end receiver) is actually [email protected]? Then the receiver would see [email protected] and they would know that it is john, because the IP of the sending server is listed as an IP of gmail.com, so it must come from gmail.com and can't have been spoofed.

Wouldn't that have made DKIM less necessary? Was this not accepted because of relays, forwarding, encryption or other things that might have interfered along the email's path to its final destination?


Synchro

Indeed SPF does not validate the From address within the message, and that's a design limitation of SPF, which only operates at the SMTP level, and has nothing to say about message content. However, that's not a problem because we have DMARC, which validates DKIM and SPF results and the From address within the message.
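To make the answer's point concrete, here is an added example (not code from the original post or from Synchro's answer) of the DMARC identifier-alignment step: it takes the SPF and DKIM results a receiver has already computed and ties them to the header From domain, which is the part SPF alone never looks at. Assumptions: the two messages are constructed samples, SPF and DKIM verification results are passed in rather than computed, and the organizational-domain function is a last-two-labels simplification of the Public Suffix List lookup that real DMARC implementations use.

```python
"""DMARC identifier alignment, reduced to the parts relevant to the question.

Added example, not code from the original post. The SPF and DKIM results are
supplied as inputs; this only shows how DMARC ties them to the header From
domain. org_domain() is a simplification (last two labels) of the Public
Suffix List lookup that real implementations use; treat it as an assumption.
"""
import email
import email.policy
from email.utils import parseaddr

# Constructed sample messages (not real mail).
# Envelope sender is the attacker's domain, header From claims gmail.com.
SPOOFED = b"""Return-Path: <bounce@attacker.example>
From: John <john@gmail.com>
To: victim@example.net
Subject: Urgent

Please wire the money.
"""

# Envelope sender and header From agree.
LEGIT = b"""Return-Path: <john@gmail.com>
From: John <john@gmail.com>
To: victim@example.net
Subject: Lunch

See you at noon.
"""


def domain_of(address_header: str) -> str:
    """Domain part of the first address in a From/Return-Path header value."""
    _, addr = parseaddr(str(address_header))
    return addr.rpartition("@")[2].lower().rstrip(".")


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption, see docstring)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """DMARC alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def envelope_from_domain(raw: bytes) -> str:
    """Domain of the envelope sender (MAIL FROM), read here from Return-Path."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return domain_of(msg["Return-Path"] or "")


def dmarc_evaluate(raw: bytes, spf_result: str, spf_domain: str,
                   dkim_results, policy: str = "reject",
                   aspf: str = "r", adkim: str = "r") -> dict:
    """Combine raw SPF/DKIM results with header-From alignment the way DMARC does.

    spf_result:   'pass' or 'fail' for the MAIL FROM domain spf_domain.
    dkim_results: iterable of (d= domain, 'pass'/'fail'), one per signature.
    policy:       the p= value the From domain publishes (none/quarantine/reject).
    """
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    from_domain = domain_of(msg["From"] or "")

    # A raw SPF pass only counts if the MAIL FROM domain aligns with header From.
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, aspf)
    # A DKIM pass only counts if the signing domain (d=) aligns with header From.
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim)
                  for d, res in dkim_results)

    dmarc_pass = spf_ok or dkim_ok
    return {
        "from_domain": from_domain,
        "spf_aligned_pass": spf_ok,
        "dkim_aligned_pass": dkim_ok,
        "dmarc": "pass" if dmarc_pass else "fail",
        "disposition": "none" if dmarc_pass else policy,
    }


if __name__ == "__main__":
    # SPF passes for attacker.example, yet DMARC fails because it does not align.
    print(dmarc_evaluate(SPOOFED, "pass", envelope_from_domain(SPOOFED), []))
    # Forwarded legitimate mail: SPF breaks, an aligned DKIM signature still passes.
    print(dmarc_evaluate(LEGIT, "fail", "forwarder.example", [("gmail.com", "pass")]))
```

The spoofed message gets an SPF pass for attacker.example, exactly as the question describes, and still ends up with a DMARC fail and the From domain's published disposition. The forwarded case shows why DKIM is not made redundant: when a forwarder's IP breaks SPF, a surviving DKIM signature whose d= aligns with the From domain carries the DMARC pass.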