The importance of setting up a strong DMARC

Email spoofers are trying to up their game by putting effort into setting up a domain for header_from SPF spoofing.

The technique involves configuring a valid SPF record for the envelope_from domain while using a spoofed domain in the header_from field, hoping that the receiving email server does not perform thorough checks. So far, domains such as club-sphere-web.com, ar-realestate.com and chainyuu.com have been observed doing this.

To protect your domains, make sure to deploy a strong DMARC policy (p=reject). SPF alone is not designed to check alignment between header_from and envelope_from.
Check your email: https://checkcybersecurity.service.ncsc.gov.uk/email-security-check/form

And possibly the best article to educate yourself on SPF, DKIM and DMARC – https://simonandrews.ca/articles/how-to-set-up-spf-dkim-dmarc (The only thing I disagree with would be the use of -all instead of ~all; see Mailhardener’s reasoning on this – https://www.mailhardener.com/kb/spf#fail-vs-soft-fail)

<record>
	<row>
		<source_ip>156.242.10.176</source_ip>
		<count>1</count>
		<policy_evaluated>
			<disposition>reject</disposition>
			<dkim>fail</dkim>
			<spf>fail</spf>
			<reason>
				<type/>
				<comment/>
			</reason>
		</policy_evaluated>
	</row>
	<identifiers>
		<envelope_to>ezweb.ne.jp</envelope_to>
		<envelope_from>chainyuu.com</envelope_from>
		<header_from>[domains they do not control]</header_from>
	</identifiers>
	<auth_results>
		<dkim>
			<domain/>
			<selector/>
			<result>none</result>
			<human_result>no signature data</human_result>
		</dkim>
		<spf>
			<domain>chainyuu.com</domain>
			<scope>mfrom</scope>
			<result>pass</result>
		</spf>
	</auth_results>
</record>
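
As an added example (not part of the original post), the Python sketch below scans a DMARC aggregate report for the pattern in the record above: an SPF pass on the envelope_from domain that is not aligned with header_from, with no aligned DKIM pass. The sample report, the victim.example placeholder, the documentation IP addresses and the function names are constructed for illustration, and alignment is approximated without the Public Suffix List.

```python
import xml.etree.ElementTree as ET

# Constructed sample report: the first record mirrors the one above (victim.example
# stands in for the spoofed domain); the second is a legitimate, aligned sender.
SAMPLE = """<feedback>
<record><row><source_ip>192.0.2.10</source_ip><count>1</count>
  <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><envelope_from>chainyuu.com</envelope_from><header_from>victim.example</header_from></identifiers>
 <auth_results><dkim><domain/><result>none</result></dkim>
  <spf><domain>chainyuu.com</domain><scope>mfrom</scope><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>12</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
 <identifiers><envelope_from>bounce.victim.example</envelope_from><header_from>victim.example</header_from></identifiers>
 <auth_results><dkim><domain>victim.example</domain><result>pass</result></dkim>
  <spf><domain>bounce.victim.example</domain><scope>mfrom</scope><result>pass</result></spf></auth_results></record>
</feedback>"""

def aligned(auth_domain, header_from):
    """Approximate relaxed alignment: equal, or one is a subdomain of the other.
    Assumption: real DMARC compares organizational domains (Public Suffix List)."""
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return bool(a) and (a == h or a.endswith("." + h) or h.endswith("." + a))

def find_unaligned_spf_pass(report_xml):
    """Return records where SPF passed for a domain unrelated to header_from
    and no aligned DKIM signature passed."""
    hits = []
    for rec in ET.fromstring(report_xml).iter("record"):
        header_from = (rec.findtext("identifiers/header_from") or "").strip()
        dkim_ok = any(
            d.findtext("result") == "pass" and aligned(d.findtext("domain") or "", header_from)
            for d in rec.findall("auth_results/dkim"))
        for spf in rec.findall("auth_results/spf"):
            dom = (spf.findtext("domain") or "").strip()
            if spf.findtext("result") == "pass" and not aligned(dom, header_from) and not dkim_ok:
                hits.append({
                    "source_ip": rec.findtext("row/source_ip") or "",
                    "count": int(rec.findtext("row/count") or 0),
                    "spf_domain": dom,
                    "header_from": header_from,
                    "disposition": rec.findtext("row/policy_evaluated/disposition") or "",
                })
    return hits

if __name__ == "__main__":
    for hit in find_unaligned_spf_pass(SAMPLE):
        print(hit)
```

A hit whose disposition is anything other than reject means the receiver accepted or quarantined mail that only passed SPF for someone else's domain, which is the gap p=reject closes.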
