Sender -> Forward Server -> Reciepient
Exchange 2010 uses a Resent-From header that is added to the message while it is being forwarded externally by the forward server ( this address is the email account used to forward the email ) so emails to the Reciepient server, are checked for SPF check using the Resent-From address and IPs. Which Pass!
With 2016 or Office 365 this Resent-From header is not there and the external contact server does the SPF check using the original sender’s domain and forward server IP address and it hard fails spf.
Workaround: Message Header ReWrite
Use Mimecast to Rewrite the Envelop from Address to the Resent-From Address instead
SRS Should be doing this as well
Trackback from your site.