Are there any limitations to SPF?

One limitation of SPF is that it only applies to the domain in the email's 5321.MailFrom or Return-Path address domain field, and not to the visible From: address that everyone sees first in their Mailbox User Agents (MUA). This means that an attacker could still potentially send a spoofed email from a server that is authorized for the domain in 5321.MailFrom or Return-Path address (name@hacker.com) while changing the visible From: address to match the actual organization (name@company.com). Another major SPF limitation is the 10 DNS Lookup limitation, which can limit the complexity and flexibility of the SPF Record.