How an SPF result is handled is up to the receiver. All of my SPF "Fail" test messages went to my Inbox, despite being flagged. I have not tested this with Mozilla Thunderbird, but that client is capable of filtering on custom headers.
You would need to examine the raw e-mail source to see how any given system handles an anti-forgery protocol.
I am basically uncertain why you thought this was a security issue. It is well known that e-mail is an inherently insecure messaging medium.
Cartel does have a point. I redacted all of the user names (as, "*****@") in my examples. He points to a post you made 2 1/2 years ago, in which you exposed your e-mail address, as you did in the OP. As well, NetFixer provides a weakness, which is not security, but privacy related.
If I wanted to set up a DSLR e-mail account for myself, and accepted the default user name, it would be extremely easy to guess: "NormanS@...".
I did expose a 15-year-old "@yahoo.com" email address to the public in Usenet articles shortly after setting up the account. The spammers "scrape", or "harvest" such publicly exposed e-mail addresses for their own ends. I even had a spammer forge my "@yahoo.com" e-mail address, resulting in a flood of DFNs which nearly rendered that account useless. If you enter your email address in an Internet search, you will find all the places where a spammer's search 'bot can find it; and when they find it, they will "own" it, in the sense that they will add it to their database of, "confirmed opt-in e-mail addresses". To the spammer, if they send and don't get a bounce, that address has "consented to accept advertised offers."
If you consider that a breach of security, the breach is on your hands. I started running my own e-mail service when I realized that was the only way to truly "own" my e-mail address. My current NNTP-Posting (Usenet) email address is: <nospam@blackhole.aosake.net>. It will fail if you try to send an e-mail. It is not a, "munge". I control DNS for the domain, and have set no "A", or "MX" record for 'blackhole.aosake.net'.
C:\util\dig>nslookup blackhole.aosake.net
Server: 1000-0000-0000-0000-09d7-04ed-a420-2062.6rd.ip6.sonic.net
Address: 2602:24a:de40:7d90::1
*** 1000-0000-0000-0000-09d7-04ed-a420-2062.6rd.ip6.sonic.net can't find
blackhole.aosake.net: Non-existent domain
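An added example, not part of the original post: one way to read the SPF verdict a receiver stamped into the raw source of a delivered message, as the post suggests doing. The sample message, host names and addresses are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample: a message that reached the mailbox even though the
# receiving server recorded an SPF "fail" in the headers it added.
RAW = """\
Received-SPF: Fail (mx.receiver.example: domain of sender@example.org does not designate 203.0.113.7 as permitted sender) client-ip=203.0.113.7;
Authentication-Results: mx.receiver.example;
 spf=fail smtp.mailfrom=sender@example.org;
 dkim=none
From: sender@example.org
To: rcpt@receiver.example
Subject: SPF test

body
"""

def spf_verdicts(raw):
    """Return (header, result) pairs for every SPF verdict in the raw source."""
    msg = message_from_string(raw)
    found = []
    # Received-SPF (RFC 7208): the result is the first word of the value.
    for value in msg.get_all("Received-SPF", []):
        m = re.match(r"\s*([A-Za-z]+)", value)
        if m:
            found.append(("Received-SPF", m.group(1).lower()))
    # Authentication-Results (RFC 8601): the result appears as "spf=<result>".
    for value in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\bspf=([A-Za-z]+)", value):
            found.append(("Authentication-Results", m.group(1).lower()))
    return found

def delivered_despite_fail(raw):
    """True when a message sitting in a mailbox carries an SPF 'fail' verdict."""
    return any(result == "fail" for _, result in spf_verdicts(raw))

if __name__ == "__main__":
    for header, result in spf_verdicts(RAW):
        print(f"{header}: {result}")
    print("flagged but delivered:", delivered_despite_fail(RAW))
```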