Sender -> Forward Server -> Reciepient

Exchange 2010 uses a Resent-From header that is added to the message while it is being forwarded externally by the forward server ( this address is the email account used to forward the email )  so emails to the Reciepient server, are checked for SPF check using the Resent-From address and IPs. Which Pass!

With 2016 or Office 365 this Resent-From header is not there and the external contact server does the SPF check using the original sender’s domain and forward server IP address and it hard fails spf.

Workaround: Message Header ReWrite

Use Mimecast to Rewrite the Envelop from Address to the Resent-From Address instead

Configuring Address Alteration Definitions and Policies (mimecast.com)

SRS Should be doing this as well

Sender Rewriting Scheme (SRS) in Office 365 – Office 365 | Microsoft Docs