Found a problem with our emails being forwarded via another MTA to Google,
which threw the error:
550-5.7.26 This message fails to pass SPF checks for an
SPF record with a hard 550-5.7.26 fail policy (-all).
It appears that removing the "-all" from our SPF prevents the error, but I
am at a loss as to why Google would think a LESS secure SPF is a good
thing?
TIA!