This is using MS Exchange Server 2013 and Office 365 in hybrid. One of the users got a bounced mail with the following error message:
SPF validation error
How to fix it
Your organization's email domain will have to diagnose and fix your domain's email settings. Please forward this message to your email admin.
More info for Email admins
status code: 550 5.7.23
This error occurs when Sender Policy Framework (SPF) validation for the sender's domain fails. If you're the sender's email admin, make sure the spf records for your domain at your domain registrar are setup correctly. Office 365 supports only one SPF record (a TXT record that defines SPF) for your domain. Include the following domain name: spf.protection.outlook.com. If you have a hybrid configuration (some mailboxes in the cloud, and some mailboxes on premises) or if you're an Exchange online protection standalone customer, and the outbound ip address of your on-premises servers to the TXT record.
We already created the SPF record as follows:
"v=spf1 include:spf.protection.outlook.com ip4:xx.xx.xx.xxx -all"
The ip4 address is the on-prem Exchange server's public IP address. I don't know why this fails SPF validation. So far, only this recipient rejects the SPF record.
Thanks,
Dump the header section of the email in text format and carefully examine the routing header chain.
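An added example (not code from the thread) of the check suggested above: take the Received chain from the bounced message in text form, find the IP address the recipient's first server actually accepted the message from, and compare it with the literal ip4/ip6 mechanisms of the SPF record. The headers, domains, addresses and the record are constructed; include: mechanisms need DNS to resolve, so the script only reports that one is present.

```python
import ipaddress
import re
from email import message_from_string

# Constructed SPF record: the ip4 entry is the address the admin *believes*
# the on-premises server sends from (compare the record in the question).
SPF_RECORD = "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.20 -all"

# Constructed header chain from a bounce, newest hop first. The recipient's
# MX actually received the message from 203.0.113.10, which the literal
# ip4 mechanism above does not cover (typical NAT / second-egress mismatch).
SAMPLE_MESSAGE = (
    "Received: from mx.recipient.example ([198.51.100.5])\n"
    " by mailbox.recipient.example; Mon, 1 Jan 2024 10:00:03 +0000\n"
    "Received: from onprem.sender.example ([203.0.113.10])\n"
    " by mx.recipient.example; Mon, 1 Jan 2024 10:00:02 +0000\n"
    "Received: from EXCH01.sender.local (10.0.0.5)\n"
    " by onprem.sender.example with Microsoft SMTP Server; Mon, 1 Jan 2024 10:00:01 +0000\n"
    "From: user@sender.example\n\ntest\n"
)

RECEIVED_RE = re.compile(
    r"from\s+\S+\s.*?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?\bby\s+(?P<by>[^\s;]+)", re.S
)


def received_hops(raw_message):
    """(from_ip, by_host) for every Received header naming an IP, newest first."""
    msg = message_from_string(raw_message)
    found = (RECEIVED_RE.search(v) for v in msg.get_all("Received", []))
    return [(m.group("ip"), m.group("by").lower()) for m in found if m]


def connecting_ip(raw_message, recipient_domain):
    """IP that handed the message to the recipient's first server: SPF is
    evaluated against this address, not against internal Exchange hops."""
    for ip, by_host in reversed(received_hops(raw_message)):  # oldest first
        if by_host == recipient_domain or by_host.endswith("." + recipient_domain):
            return ip
    return None


def spf_terms(record, prefix):
    """Values of the SPF mechanisms starting with prefix (qualifiers stripped)."""
    terms = (t.lstrip("+-~?").lower() for t in record.split())
    return [t.split(":", 1)[1] for t in terms if t.startswith(prefix)]


def check_sender_ip(ip, record):
    """'match' if ip is in a literal ip4:/ip6: mechanism, 'include-only' if it
    could pass only through an include: (needs DNS), otherwise 'no-match'."""
    if ip is None:
        return "no-boundary-hop"
    addr = ipaddress.ip_address(ip)
    literal = spf_terms(record, "ip4:") + spf_terms(record, "ip6:")
    if any(addr in ipaddress.ip_network(v, strict=False) for v in literal):
        return "match"
    return "include-only" if spf_terms(record, "include:") else "no-match"


def diagnose(raw_message, recipient_domain, record):
    ip = connecting_ip(raw_message, recipient_domain)
    return ip, check_sender_ip(ip, record)
```

If the reported IP is not the one in your ip4 mechanism, that is the address to add (or the egress NAT to fix); if it is, the failure lies with how the recipient resolves the include or evaluates the record.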