HackerOne: SPF whitelist of mandrill leads to email forgery

I just sent a forged email to [email protected] that appears to originate from [email protected]. I was able to do this because of the following SPF record: dig txt hackerone.com hackerone.com. 299 IN TXT "v=spf1 include:spf.google.com include:sendgrid.net include:mail.zendesk.com...