TL;DR: A DMARC policy of none does not mean that the mail should be accepted. It only means that it should not be rejected/quarantined based on a failed DMARC check. It can still be rejected based on SPF Fail.
DMARC is used to tell receivers of e-mail what to do if SPF or DKIM fails in mails send from your domain.
DMARC does not define what happens if SPF or DKIM fail. It does not care about failed checks at all. It only cares about the successful and identifier aligned checks (i.e. domain from check must match From
in mail header). DMARC passes if at least one of the identifier aligned DKIM signatures or SPF checks passes and fails otherwise. DMARC can define that the mail should be rejected or quarantined based if the DMARC check fails.
A DMARC policy of "none" does not mean that the mail should be kept - it only says that no decision will be done based on the DMARC status. From RFC 7489 section 6.3:
none: The Domain Owner requests no specific action be taken
regarding delivery of messages.
And the example in section B.2.1 says more clearly that p=none
should not be treated as a "pass" but as "don't change existing behavior":
Receivers should not alter how they treat these messages because
of this DMARC policy record ("p=none")
Thus p=none does not mean to accept the mail but that one should not reject/quarantine the mail and instead can rely on other policies. And SPF defines its own policy. A Fail means that the mail was not sent from a source IP which is allowed for sending. From RFC 4408 section 2.5.4:
2.5.4. Fail
A "Fail" result is an explicit statement that the client is not
authorized to use the domain in the given identity. The checking
software can choose to mark the mail based on this or to reject the
mail outright.
Apart from that MTA are neither required to implement SPF nor DMARC and they can implement SPF without implementing DMARC and thus reject a mail solely based on an SPF Fail.