The short answer is: not exactly, or at least, not in the way most people think. An SPF record validates that the mail server sending the email is authorized to do so for a specific domain, but it doesn't validate the 'From' address you see in your email client. This is a common and important misunderstanding.
To truly understand why, we need to look at how SPF works and the different 'sender' addresses an email has.
SPF stands for Sender Policy Framework. Its primary job is to prevent email spoofing by providing a way for domain owners to publish a list of all the servers they've authorized to send email on their behalf. Think of it as a public guest list for your domain's email.
When an email is sent, the receiving mail server performs a check that looks something like this:
If the sending server's IP is on the list, the email passes the SPF check. If it isn't, it fails. As DuoCircle puts it, this check matches the sender against the domain's defined policies.
Here's the crucial detail: SPF validation is performed on the 'MAIL FROM' address, not the 'From' header address. These can be two completely different domains.
Because SPF only checks the 'MAIL FROM' address, a bad actor could send an email that passes SPF using their own domain in the 'MAIL FROM', while putting a trusted domain (like your bank's) in the visible 'From' header to trick you. As noted by EmailLabs, SPF on its own doesn't validate the 'From' domain.
This is where DMARC (Domain-based Message Authentication, Reporting, and Conformance) comes in. DMARC builds on top of SPF and another protocol, DKIM, to close this loophole. DMARC introduces a concept called 'alignment'.
For an email to be DMARC compliant with SPF, not only must it pass the SPF check, but the domain used for the SPF check (the 'MAIL FROM' domain) must also match the domain in the visible 'From' header. This alignment is what finally connects the technical validation of the sending server to the domain the recipient actually sees.
So, does an SPF record validate the domain of the email sender? By itself, an SPF record validates that a mail server is authorized to send for the 'MAIL FROM' domain. It does not, however, validate the visible 'From' domain that you see in your inbox. For that level of validation and security, you must combine SPF with DMARC. SPF is an essential foundation, but DMARC is the policy that makes that foundation truly effective against phishing and spoofing.