Here are two records from reports, with the actual domain name of my client replaced with "example.com". In the first one, SPF is marked "fail" above under "policy_evaluated" and then "pass" below under auth_results. I find this confusing. This is email sent by a service the client pays for, so we do want these emails delivered if they are indeed legitimately coming from that service. Do I need to do more to have SPF set up for that service?
The second shows all failures (and the IP traces back to China, I believe, where we do not operate) so this should not be delivered. Why does Google mark this as "softfail" and not just "fail"?
<record>
<row>
<source_ip>204.28.11.160</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>example.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>example.com</domain>
<selector>sl1</selector>
<result>pass</result>
</dkim>
<spf>
<domain>bounces.salsalabs.org</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
<record>
<row>
<source_ip>60.23.112.175</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>example.com</header_from>
</identifiers>
<auth_results>
<spf>
<domain>example.com</domain>
<result>softfail</result>
</spf>
</auth_results>
</record>
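
An added example, not part of the original post: it recomputes the `policy_evaluated` values from `auth_results` for the two records above. In DMARC, an SPF or DKIM pass counts only when the authenticated domain aligns with `header_from`, which is why `bounces.salsalabs.org` passing SPF is still reported as `spf` fail for `example.com`. Assumptions: relaxed alignment, and a hypothetical `org_domain` helper that takes the last two labels in place of a Public Suffix List lookup.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two records from the post, trimmed to the fields used here.
SAMPLE = """<feedback>
<record><row><source_ip>204.28.11.160</source_ip>
<policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>example.com</header_from></identifiers>
<auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
<spf><domain>bounces.salsalabs.org</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>60.23.112.175</source_ip>
<policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>example.com</header_from></identifiers>
<auth_results><spf><domain>example.com</domain><result>softfail</result></spf></auth_results></record>
</feedback>"""

def org_domain(name):
    # Assumption: "last two labels" stands in for a real Public Suffix List lookup.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from, strict=False):
    # Strict alignment needs an exact match; relaxed compares organizational domains.
    a, h = auth_domain.lower(), header_from.lower()
    return a == h if strict else org_domain(a) == org_domain(h)

def evaluate(record, strict=False):
    header_from = record.findtext("identifiers/header_from")
    out = {"source_ip": record.findtext("row/source_ip")}
    for mech in ("spf", "dkim"):
        raw = [(e.findtext("domain"), e.findtext("result"))
               for e in record.findall(f"auth_results/{mech}")]
        # A mechanism counts for DMARC only if it passed AND its domain aligns.
        ok = any(res == "pass" and aligned(dom, header_from, strict) for dom, res in raw)
        out[mech] = "pass" if ok else "fail"
        out[mech + "_raw"] = raw
        reported = record.findtext(f"row/policy_evaluated/{mech}")
        out[mech + "_matches_report"] = (out[mech] == reported)
    out["dmarc"] = "pass" if "pass" in (out["spf"], out["dkim"]) else "fail"
    return out

def analyze(xml_text):
    return [evaluate(r) for r in ET.fromstring(xml_text).iter("record")]

if __name__ == "__main__":
    for row in analyze(SAMPLE):
        print(row)
```

The first record still passes DMARC overall because its DKIM signature is for `example.com` itself; the second has no aligned pass from either mechanism.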