When you add an SPF record to your domain’s DNS and still messages can be sent with non-user email adresses (spoofed), this is probably the reason:
- SPF is not fully propagated
- Your on-premise exchange does not have any anti-spam agents installed.
You can check this with this Powershell command:
Get-TransportAgent
When the anti-spam agents are not installed, install them with this PS command:
& $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1
After these are installed, you should restart the Microsoft Exchange Transport Service:
Restart-Service MSExchangeTransport
Source + more information:
http://markgossa.blogspot.be/2016/01/block-spoofed-email-exchange-2010-2013-2016-part1.html