If you see a message sent from an Office365 email domain flagged for SPF Fail, it is because Office365 -occasionally- sends from IP addresses that are not contained by their new SPF include: statement.


Existing SPF "TXT" record for spf.protection.outlook.com


"v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 ip4:52.100.0.0/14 ip4:104.47.0.0/17 ip6:2a01:111:f400::/48 ip6:2a01:111:f403::/48 include:spfd.protection.outlook.com -all"


What we have see is the sending IP is in the 40.95.0.0/24 range.


Recommendation:  

Add "40.92.0.0/14" to System Setup > Mail Authentication > SPF Whitelisted IPs/Networks: 

-- That will bypass SPF checks for that IP range.

-- That IP range that used to be in their SPF record, before it was changed.