@boneidol no, sorry, but you miss my point. SPF only validates the *sender* address (that's what's on the *envelope*) by looking if the sending mail server is authorized to send mail for the domain the sender address belongs to. This check is done before the mail content is processed. A spammer could easily set up a domain and a sending server authorized to send mail from that domain. But the sender address on the envelope is entirely distinct from the 'From:' header which lives inside the envelope, and where the spammer can spoof a bank's email address (there are absolutely no rules for what's in the From header, except syntax). Most people will only see that 'From' address and thus not notice if there's a difference. Thus, SPF won't help against phishing.
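The distinction described in the comment above, as an added example that is not part of the original comment: a simplified SPF evaluation passes for the envelope sender's domain while the visible From: header names a different domain, and a receiver-side comparison flags the mismatch. The domains, IP addresses, SPF records and function names are constructed for illustration, DNS is replaced by an in-memory table, and only the `ip4` and `all` mechanisms are handled.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF TXT records standing in for DNS lookups (assumption: no live DNS).
SPF_RECORDS = {
    "bulk-sender.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "bank.example": "v=spf1 ip4:198.51.100.10 -all",
}

def domain_of(address):
    """Return the lowercased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()

def spf_check(client_ip, envelope_from):
    """Evaluate ip4 mechanisms and the final 'all' for the envelope sender's domain only."""
    record = SPF_RECORDS.get(domain_of(envelope_from))
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term.endswith("all"):
            return {"-": "fail", "~": "softfail", "?": "neutral"}.get(term[0], "pass")
    return "neutral"

def assess(client_ip, envelope_from, raw_message):
    """Report the SPF result and whether the From: header domain matches the envelope domain."""
    header_from = parseaddr(message_from_string(raw_message)["From"])[1]
    return {
        "spf": spf_check(client_ip, envelope_from),
        "envelope_domain": domain_of(envelope_from),
        "header_from_domain": domain_of(header_from),
        "aligned": domain_of(envelope_from) == domain_of(header_from),
    }

# Constructed message: the envelope sender and the From: header name different domains.
SAMPLE = (
    "From: Customer Service <service@bank.example>\r\n"
    "To: user@recipient.example\r\n"
    "Subject: Account notice\r\n"
    "\r\n"
    "Body text.\r\n"
)

if __name__ == "__main__":
    print(assess("203.0.113.25", "bounce@bulk-sender.example", SAMPLE))
```

SPF never consults the `From:` header here; only the separate `aligned` comparison exposes the difference between the two domains.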