Email: Protect spoofing from other users on same domain?

1

SPF and DKIM help to validate that an email was sent from the domain it claims to have been sent from. But what if a coworker spoofs another mailbox on the same domain, i.e. spoofing an email as coming from ceo@company.com and sending it through the corporate mail server (so it should pass SPF and DKIM)?

rosstex

Posted 2019-12-18T21:54:34.833

Reputation: 113

Mostly you need really good spam filters for this that can decipher and reject the spam content. Sometime domain or address filters can work but mostly not. – John – 2019-12-18T21:56:12.610

@john that's not really an answer to the question. Spam filtering does not help with spoofing where the email is not spam. – davidgo – 2019-12-19T11:59:30.710

Works for me. Zero spam. – John – 2019-12-19T12:25:39.173

Answers

1

SPF actually authenticates the domain used in the bounce address a.k.a. Return-Path. It doesn't authenticate the domain in the FROM header which is typically shown to recipients by their email client software as the author of the email.

Similarly, DKIM (DomainKeys Identified Mail) signatures authenticate the domain listed in the d= tag in the signature, not necessarily the same as the domain used in the FROM header.

You'll need DMARC (Domain-based Message Authentication, Reporting, and Conformance) to enforce alignment between the authenticated domain and the domain used in the FROM field.

All three Internet standards are designed to authenticate emails sent from authorised sources, in order to protect a domain from being spoofed.

If you need to protect individual senders from being spoofed, you may have a look at digital IDs for signing and optionally encrypting email messages from the email client of a specific user.

Please consider that email messages that are sent from other legitimate sources may not be signed with a / the same certificate, e.g. a personal Christmas wish from the CEO sent by the HR / communications department from a dedicated tool such as Selligent or Salesforce or other tool. You may want to use this in your awareness training material.

Reinto

Posted 2019-12-18T21:54:34.833

Reputation: 126
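The alignment logic the answer describes, as an added example that is not part of the answer above: it checks DMARC identifier alignment between the From header domain, the Return-Path domain (SPF) and the DKIM d= domain on two constructed messages. The Authentication-Results header, the domains `company.com` / `attacker.example` and the two-label `org_domain` shortcut (real DMARC uses the Public Suffix List) are all assumptions for illustration. It shows why DMARC stops an external spoof of ceo@company.com but not a coworker relaying through the corporate server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: a coworker relays through the corporate MTA with a forged From.
# The Authentication-Results header is assumed to have been added by the
# receiving MTA after it evaluated SPF and DKIM.
INTERNAL_SPOOF = """\
Return-Path: <intern@company.com>
Authentication-Results: mx.company.com; spf=pass smtp.mailfrom=company.com; dkim=pass header.d=company.com
DKIM-Signature: v=1; a=rsa-sha256; d=company.com; s=corp; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: "The CEO" <ceo@company.com>
Subject: Urgent wire transfer

Please wire the funds today.
"""

# Constructed: an outsider spoofs the same From address from their own domain.
EXTERNAL_SPOOF = """\
Return-Path: <bounce@attacker.example>
Authentication-Results: mx.company.com; spf=pass smtp.mailfrom=attacker.example; dkim=pass header.d=attacker.example
DKIM-Signature: v=1; a=rsa-sha256; d=attacker.example; s=x; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: "The CEO" <ceo@company.com>
Subject: Urgent wire transfer

Please wire the funds today.
"""

def org_domain(domain, labels=2):
    """Crude organisational domain (last two labels); assumption, not the PSL."""
    return ".".join(domain.lower().split(".")[-labels:])

def dmarc_alignment(raw, mode="relaxed"):
    """Return per-identifier alignment and the overall DMARC verdict."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rsplit("@", 1)[-1].lower()
    m = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    dkim_domain = m.group(1).lower() if m else ""
    auth = msg.get("Authentication-Results", "")
    spf_pass, dkim_pass = "spf=pass" in auth, "dkim=pass" in auth

    def aligned(d):  # strict: exact match; relaxed: same organisational domain
        if not d:
            return False
        return d == from_domain if mode == "strict" else org_domain(d) == org_domain(from_domain)

    spf_aligned, dkim_aligned = spf_pass and aligned(rp_domain), dkim_pass and aligned(dkim_domain)
    return {"from_domain": from_domain, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "dmarc_pass": spf_aligned or dkim_aligned}
```

Because the internal message is aligned on every identifier, DMARC passes it; only a per-sender control such as S/MIME signing distinguishes the real CEO from a coworker using the same domain.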