Sounds like a good partial solution to me. If SPF traces it back to a mail server that doesn't allow spoofed email, it could skip the confirmation step. GMail lets people change the from field, but only to an email address they can show they have access to, by clicking a confirmation link.