Consider these first two headers from an incoming email that failed SPF:
Received: from o6.front-mail.frontapp.com (o6.front-mail.frontapp.com [126.96.36.199]) by mail.[redacted] with SMTP
Fri, 5 Feb 2021 15:15:45 -0600
Here's the header showing the SPF failure:
X-SmarterMail-Spam: Reverse DNS Lookup [Passed]: 0, Null Sender: 0, Message Sniffer [code:0]: 0, SPF [Fail]: 10, DK [None]: 0, DKIM [Pass]: 0, SpamHaus DBL [count:1]: 20
Here's the SPF record for front-mail.found.app:
v=spf1 include:sendgrid.net ~all
Here's the SPF record for sendgrid.net:
v=spf1 ip4:188.8.131.52/17 ip4:184.108.40.206/20 ip4:220.127.116.11/19 ip4:18.104.22.168/20 ip4:22.214.171.124/21 ip4:126.96.36.199/20 ip4:188.8.131.52/17 ip4:184.108.40.206/16 ~all
The sending IP of this email was 220.127.116.11, which is covered by ip4:18.104.22.168/17 from the sendgrid SPF record, so why did it fail SPF?
Is SmarterMail checking the FROM header as well, and wouldn't that be against the SPF spec?