If it were that easy to defeat SPF-based spam filters and successfully spoof Facebook, it would be a pretty useless system.
The way SPF works, in a nutshell, is that the controller of a domain adds a record to their DNS zone, listing the servers which they wish to allow as legitimate senders for that domain. On receiving an e-mail, any destination server can look up this record, and compare the IP address the mail is coming from against the rules in this record.
Without being able to control Facebook's DNS zone, you can't allow yourself to send mails from there.
The only way around it is to use some of the classic phishing techniques, like registering a domain sufficiently similar to facebook.com to trick users into thinking the mail is legitimate. Because you control the phishing domain, you can authorise yourself to send mails using SPF, DKIM, etc. from that domain.
Incidentally, the SPF record for facebook.com (after following a redirect) is "v=spf1 ip4:69.63.179.25 ip4:69.63.178.128/25 ip4:69.63.184.0/25 ip4:66.220.144.128/25 ip4:66.220.155.0/24 ip4:69.171.232.0/25 ip4:66.220.157.0/25 ip4:69.171.244.0/24 mx -all". The -all at the end means "Deny all IPs which do not match any previous rule" (sometimes known as "hardfail", as opposed to a ~all "softfail", which can be used if you're not sure your rules are completely inclusive), as shown by this handy checker/decoder tool.