SPF record does not preventing the sender spoofing


I am bug hunter & still new in bug bounty programs. I’ve reached to this topic which I can’t go further before understanding this one .

I used one of the most SPF record finder online , the result of this test was they already have a SPF record

BUT

I still can send an email as their domain exactly!

so , does really SPF record prevent email spoofing attack? If it does, why I still can send an email as their domain exactly ?, if it doesn’t, how can we really prevent the email spoofing attacks

also maybe I’ve some misunderstanding between SPF misconfiguration & missing of SPF record do they mean same ?! what is the situation as written above is it a misconfiguration or missing SPF record ?!

regards