SPF enumeration

by Vinnie Vanhoecke

Introduction

I noticed that clients usually have a lot of IP addresses and domains included in their SPF record, and it is sometimes hard to see what exactly is in there. So I created a small tool that iterates over the SPF record of a domain to produce the list of IP addresses that are allowed to send mail for that domain. Once this list is generated, the tool performs a Shodan lookup on each address to identify open ports and tests whether the server is an open relay.

You can find it on Github: https://github.com/VinnieV/spfenum
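As an added example that is not part of the original post or the spfenum tool, the following Python script shows what such an enumeration has to handle: recursive `include:` and `redirect=` expansion, the `a` and `mx` mechanisms, the RFC 7208 limit of ten DNS-querying terms, loops between records, and a `+all` record. The DNS answers are a constructed in-memory table (the domains and addresses are documentation ranges, not real records); a real tool would replace the three `lookup_*` functions with resolver calls.

```python
import ipaddress

# Constructed, offline stand-in for DNS. None of these records are real; a
# real tool would query TXT/A/MX records with dnspython or a similar resolver.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example "
                   "a:mail.example.com mx -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/48 "
                           "include:_spf.loop.example ~all",
    # Deliberately loops back to its includer and then redirects elsewhere.
    "_spf.loop.example": "v=spf1 include:_spf.mailer.example redirect=legacy.example",
    "legacy.example": "v=spf1 ip4:192.0.2.5 -all",
}
FAKE_A = {"mail.example.com": ["203.0.113.25"], "mx1.example.com": ["198.51.100.1"]}
FAKE_MX = {"example.com": ["mx1.example.com"]}

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: max DNS-querying terms per evaluation


def lookup_txt(domain):
    return FAKE_TXT.get(domain.lower())


def lookup_a(host):
    return FAKE_A.get(host.lower(), [])


def lookup_mx(domain):
    return FAKE_MX.get(domain.lower(), [])


def _host_nets(host, cidr):
    """a/mx targets may carry a /cidr suffix (e.g. a:mail.example.com/24)."""
    for ip in lookup_a(host):
        yield ipaddress.ip_network(f"{ip}/{cidr}" if cidr else ip, strict=False)


def _count_lookup(state, term, domain):
    state["lookups"] += 1
    if state["lookups"] > LOOKUP_LIMIT:
        state["warnings"].append(
            f"{domain}: '{term}' exceeds {LOOKUP_LIMIT} lookups (permerror)")


def expand_spf(domain, _seen=None, _state=None):
    """Recursively expand the SPF record of `domain`.

    Returns (networks, state): the set of ip_network objects that produce a
    PASS result, plus a dict with the DNS-lookup count and a list of warnings.
    Only '+' (pass) qualified mechanisms are collected; '-', '~' and '?' terms
    do not authorise anyone and are skipped.
    """
    if _seen is None:
        _seen, _state = set(), {"lookups": 0, "warnings": []}
    domain = domain.lower()
    nets = set()
    if domain in _seen:
        _state["warnings"].append(f"include/redirect loop at {domain}")
        return nets, _state
    _seen.add(domain)

    record = lookup_txt(domain)
    if record is None or not record.startswith("v=spf1"):
        _state["warnings"].append(f"no SPF record for {domain}")
        return nets, _state

    redirect_to, saw_all = None, False
    for term in record.split()[1:]:
        if "=" in term:                              # modifier: redirect=, exp=
            mod, _, arg = term.partition("=")
            if mod.lower() == "redirect":
                redirect_to = arg
            continue
        qual = term[0] if term[0] in "+-~?" else "+"
        name, _, arg = term.lstrip("+-~?").lower().partition(":")
        if name == "all":
            saw_all = True
            if qual == "+":
                _state["warnings"].append(f"{domain}: +all lets any host send")
            continue
        if qual != "+":
            continue
        if name in ("ip4", "ip6"):
            nets.add(ipaddress.ip_network(arg, strict=False))
        elif name == "include":
            _count_lookup(_state, term, domain)
            sub, _ = expand_spf(arg, _seen, _state)
            nets |= sub
        elif name in ("a", "mx"):
            _count_lookup(_state, term, domain)
            target, _, cidr = (arg or domain).partition("/")
            hosts = [target] if name == "a" else lookup_mx(target)
            for host in hosts:
                nets.update(_host_nets(host, cidr))
        else:                                        # ptr, exists: not expanded
            _state["warnings"].append(f"{domain}: mechanism '{name}' not expanded")

    # redirect= is only consulted when the record has no 'all' mechanism.
    if redirect_to and not saw_all:
        _count_lookup(_state, f"redirect={redirect_to}", domain)
        sub, _ = expand_spf(redirect_to, _seen, _state)
        nets |= sub
    return nets, _state


def is_authorised(nets, ip):
    """True if `ip` falls inside any collected network (v4/v6 compare safely)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    nets, state = expand_spf("example.com")
    for n in sorted(nets, key=str):
        print(n)
    print(f"{state['lookups']} DNS lookups; warnings: {state['warnings']}")
```

Only `+` qualified mechanisms end up in the result, because `-`, `~` and `?` terms never produce a pass; `ptr` and `exists` are left as warnings since they depend on the connecting IP and cannot be expanded into a static list. The lookup counter matters in practice: a record that needs more than ten lookups evaluates to permerror at the receiver, which means it authorises nobody regardless of how many addresses it lists, so it is worth reporting alongside the address list.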

Potential weaknesses

Open relay found

If you find an open relay (which really should not happen any more), you are lucky: the server accepts mail for arbitrary recipients from arbitrary senders, and because its IP address is listed in the target's SPF record, mail you send through it with a sender address in the targeted domain will pass the receiver's SPF check.
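Added example, not from the original post or the spfenum tool: a minimal open relay probe in Python, run here against a constructed fake MTA over a `socketpair` so it works offline. The probe stops at `RCPT TO` and sends `RSET`/`QUIT` instead of `DATA`, so nothing is actually delivered; the probe addresses and the example.com target domain are assumptions.

```python
import socket
import threading

TARGET_DOMAIN = "example.com"   # assumption: the domain whose SPF record was enumerated


def _reply(rfile):
    """Read one SMTP reply, joining multi-line ('250-...') continuations."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", errors="replace").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), "\n".join(lines)


def _cmd(sock, rfile, line):
    sock.sendall((line + "\r\n").encode("ascii"))
    return _reply(rfile)


def relay_probe(sock, mail_from="probe@attacker.invalid",
                rcpt_to="someone@external.invalid"):
    """Return True if the server accepts a recipient in a foreign domain from an
    unauthenticated, unrelated sender. Stops before DATA so nothing is sent."""
    rfile = sock.makefile("rb")
    try:
        code, _ = _reply(rfile)                      # 220 banner
        if code != 220:
            raise RuntimeError(f"unexpected banner {code}")
        code, _ = _cmd(sock, rfile, "EHLO probe.invalid")
        if code != 250:                              # fall back for non-ESMTP servers
            code, _ = _cmd(sock, rfile, "HELO probe.invalid")
        code, _ = _cmd(sock, rfile, f"MAIL FROM:<{mail_from}>")
        if code != 250:
            return False                             # sender refused: no relay
        code, _ = _cmd(sock, rfile, f"RCPT TO:<{rcpt_to}>")
        accepted = code in (250, 251)                # 251 = "user not local, will forward"
        _cmd(sock, rfile, "RSET")
        _cmd(sock, rfile, "QUIT")
        return accepted
    finally:
        rfile.close()


def fake_smtp_server(conn, open_relay):
    """Constructed stand-in for the target MTA: accepts RCPT TO for TARGET_DOMAIN
    always, and for any other domain only when open_relay is set."""
    rfile = conn.makefile("rb")
    send = lambda s: conn.sendall((s + "\r\n").encode("ascii"))
    send(f"220 mail.{TARGET_DOMAIN} ESMTP fake")
    try:
        while True:
            raw = rfile.readline()
            if not raw:
                break
            verb, _, arg = raw.decode("ascii", errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                send(f"250-mail.{TARGET_DOMAIN}")    # multi-line reply on purpose
                send("250 8BITMIME")
            elif verb == "MAIL":
                send("250 2.1.0 Ok")
            elif verb == "RCPT":
                addr = arg.partition(":")[2].strip().strip("<>")
                domain = addr.rpartition("@")[2].lower()
                if open_relay or domain == TARGET_DOMAIN:
                    send("250 2.1.5 Ok")
                else:
                    send("554 5.7.1 Relay access denied")
            elif verb == "RSET":
                send("250 2.0.0 Ok")
            elif verb == "QUIT":
                send("221 2.0.0 Bye")
                break
            else:
                send("502 5.5.2 Command not implemented")
    finally:
        rfile.close()
        conn.close()


def probe_fake_server(open_relay):
    """Wire the probe to the fake server over a socketpair (no network needed)."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_smtp_server, args=(server, open_relay), daemon=True)
    t.start()
    try:
        return relay_probe(client)
    finally:
        client.close()
        t.join(timeout=5)


if __name__ == "__main__":
    print("open relay   ->", probe_fake_server(True))
    print("locked down  ->", probe_fake_server(False))
```

A 250 at `RCPT TO` is strong evidence but not proof: some MTAs accept any recipient at the envelope stage and reject or discard the message after `DATA`, so confirm a finding by relaying a message to a mailbox you control. A 554 or 550 on the foreign recipient is what a correctly configured MTA returns. Against a real target, replace the socketpair with a TCP connection to port 25 and only run the probe where you are authorised to test.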

Third party domains

Sometimes the client includes third party domains in their SPF record in order to let those parties send mail on their behalf. This is usually done for marketing purposes, to mass mail customers easily. However, some of these third party services may have weaker security controls and could be used to send spoofed mail: if the service lets you choose the sending address freely and does not verify that the address (or its domain) is actually owned by the user performing the action, then it is possible to send spoofed mail from the target through an IP address the target's own SPF record authorises. Most mass mailing services do ask for a verification via a DNS TXT record or a confirmation mail before a sender address can be used.

Vulnerable server

Other services running on the same machine could contain vulnerabilities which could potentially be leveraged to send mail from that machine, and therefore to spoof mail from the target. The tool also gathers information from Shodan, and with some more in-depth nmap scans and custom enumeration, vulnerabilities might be found on the third party server that allow sending spoofed mail.