Yes, there are a few limitations to SPF which are:
1. SPF only applies to the domain in the email's 5321.MailFrom or Return-Path address domain field, and not to the visible From: address that everyone sees first in their Mailbox User Agents (MUA). This means that an attacker could still send a spoofed email from a server that is authorized for the domain in 5321.MailFrom or Return-Path address (name@hacker.com) while changing the visible From: address to match the actual organization (name@company.com).
2. Forwarding Issues: When an email is forwarded, the return path address changes leading to SPF failure.
3. 10 DNS lookup limitation: SPF has a 10 DNS lookup limitation which can limit the complexity and flexibility of the SPF Record. However, we do have a solution for this which we provide the EasySPF solution. It’s a dynamic platform that flattens the includes into IP addresses so that you’ll avoid exceeding the 10 DNS lookup limitation and in addition to that, going forward, you can also manage your SPF record directly from the platform rather than the DNS zone.
Recognizing these limitations aids in more effectively managing and configuring SPF records to maintain optimal email delivery and security.