Return-Path header to receive a reply to the e-mail. With correct MX records, this problem is bypassed.
From header to include any e-mail address, SPF filters usually check the Return-Path header and the allowed mail-sending hosts for the domain. SPF stores its configuration in DNS TXT records. With a subdomain takeover, the TXT records are under the attacker's control too, so SPF checks can be passed easily.
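A defender-side audit that follows from this, as an added example (not code from the original article): it walks a zone export and lists names whose CNAME chain ends outside the domains you own, because TXT (and therefore SPF) and MX lookups for those names are answered by whoever controls the target. The zone data, `OWNED` and all function names are constructed for illustration.

```python
# Constructed zone export (sample data): name -> {record type: [values]}
ZONE = {
    "example.com": {"TXT": ["v=spf1 ip4:192.0.2.10 -all"],
                    "MX": ["10 mail.example.com"]},
    "mail.example.com": {"A": ["192.0.2.10"]},
    "www.example.com": {"A": ["192.0.2.20"]},
    "blog.example.com": {"CNAME": ["www.example.com"]},
    "news.example.com": {"CNAME": ["blog.example.com"]},
    # Points at a third-party service; the target zone is not ours.
    "shop.example.com": {"CNAME": ["shop-app.saas-provider.example"]},
}
OWNED = ("example.com",)  # assumption: domains whose DNS we control


def in_owned(name, owned=OWNED):
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in owned)


def resolve_owner(name, zone, max_hops=8):
    """Follow the CNAME chain and return the name that answers TXT/MX queries."""
    cur, seen = name.rstrip(".").lower(), set()
    for _ in range(max_hops):
        if cur in seen:
            raise ValueError("CNAME loop at " + cur)
        seen.add(cur)
        cname = zone.get(cur, {}).get("CNAME")
        if not cname:
            return cur
        cur = cname[0].rstrip(".").lower()
    raise ValueError("CNAME chain too long for " + name)


def spf_of(name, zone):
    """SPF policies visible in our own data for the name that really answers."""
    txt = zone.get(resolve_owner(name, zone), {}).get("TXT", [])
    return [t for t in txt if t.lower().split()[:1] == ["v=spf1"]]


def audit(zone, owned=OWNED):
    """List (name, external target) pairs whose SPF/MX we do not control."""
    return [(n, resolve_owner(n, zone)) for n in sorted(zone)
            if "CNAME" in zone[n] and not in_owned(resolve_owner(n, zone), owned)]


if __name__ == "__main__":
    for name, target in audit(ZONE):
        print(f"{name}: TXT/SPF and MX are answered by {target}")
```

Each name it reports should be removed or have its target confirmed as still claimed by you at the provider.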