Brian Candler
Jun 9, 2023


To be more accurate: SPF records only validate the envelope sender, which is the hidden MAIL FROM part of the SMTP exchange. This may be added as a Return-Path: header (but doesn't have to be). The visible "From:" header is completely separate. You can send E-mail with the header "From: security@redacted.com" with either an empty envelope sender, or any domain that doesn't publish an SPF record, and it will pass SPF. If you want the headers to be validated then you're looking at DKIM to sign them, and DMARC to ask the receiver to reject mails with missing or invalid signatures.

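The split between the envelope sender and the header From, worked through in code. This is an added example, not part of the comment above or of any Medium or SPF library code: it evaluates a minimal SPF check (only the ip4 and all mechanisms) against the MAIL FROM domain, then applies DMARC SPF alignment against the RFC 5322 From: header. DNS is replaced by a constructed in-memory table, the sample messages and IP addresses are constructed, DKIM is left out entirely, and the organizational-domain helper is a toy approximation rather than a Public Suffix List lookup.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed, in-memory stand-in for DNS TXT lookups (assumption: no network).
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=s",
    "attacker.example": "v=spf1 ip4:198.51.100.10 -all",
    # nospf.example deliberately publishes no SPF record at all.
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed messages: both carry the same spoofable header From.
SPOOFED = "From: security@example.com\r\nTo: victim@example.net\r\nSubject: urgent\r\n\r\nPay now.\r\n"
LEGIT = "From: security@example.com\r\nTo: victim@example.net\r\nSubject: notice\r\n\r\nHello.\r\n"


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def check_spf(client_ip, mail_from):
    """Minimal SPF evaluation against the envelope sender (MAIL FROM) only.
    The header From: is never consulted here, which is the whole point."""
    domain = domain_of(mail_from.strip("<>"))
    if domain is None:                       # empty reverse-path, MAIL FROM:<>
        return "none", None                  # (real SPF would fall back to the HELO identity)
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none", domain                # no record published: SPF cannot fail
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIER[qual], domain
        if term == "all":
            return QUALIFIER[qual], domain
    return "neutral", domain


def dmarc_record(from_domain):
    rec = DNS_TXT.get("_dmarc." + from_domain)
    if not rec or not rec.startswith("v=DMARC1"):
        return None
    tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
    return {"p": tags.get("p", "none"), "aspf": tags.get("aspf", "r")}


def org_domain(d):
    # Toy approximation of the organizational domain (assumption: no PSL lookup).
    return ".".join(d.split(".")[-2:])


def evaluate(client_ip, mail_from, raw_message):
    """SPF on the envelope sender, then DMARC alignment against the header From.
    DKIM is omitted, so DMARC can only pass here through aligned SPF."""
    spf_result, spf_domain = check_spf(client_ip, mail_from)
    _, from_addr = parseaddr(message_from_string(raw_message).get("From", ""))
    from_domain = domain_of(from_addr)
    policy = dmarc_record(from_domain) if from_domain else None
    aligned = False
    if policy is None:
        dmarc = "none"                       # From: domain publishes no DMARC policy
    else:
        if policy["aspf"] == "s":
            aligned = spf_domain == from_domain
        else:
            aligned = spf_domain is not None and org_domain(spf_domain) == org_domain(from_domain)
        dmarc = "pass" if spf_result == "pass" and aligned else "fail"
    return {"spf": spf_result, "spf_domain": spf_domain, "from_domain": from_domain,
            "aligned": aligned, "dmarc": dmarc, "policy": policy["p"] if policy else None}


if __name__ == "__main__":
    cases = [
        ("attacker's own SPF-passing domain", "198.51.100.10", "attacker@attacker.example", SPOOFED),
        ("empty envelope sender", "198.51.100.10", "<>", SPOOFED),
        ("domain with no SPF record", "198.51.100.10", "x@nospf.example", SPOOFED),
        ("forged envelope, wrong IP", "198.51.100.10", "bounces@example.com", SPOOFED),
        ("genuine mail from example.com", "203.0.113.5", "bounces@example.com", LEGIT),
    ]
    for label, ip, mail_from, msg in cases:
        print(f"{label:34} {evaluate(ip, mail_from, msg)}")
```

The first three cases are the ones the comment describes: the header From is security@example.com every time, yet SPF either passes (on the attacker's own domain) or returns none (empty MAIL FROM, or a domain with no record), so SPF alone never rejects the message. Only once example.com publishes a DMARC policy does the receiver compare the SPF-checked domain with the header From domain, and every spoofed case then fails alignment, while the genuine mail passes.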