"Sender Policy Framework (SPF)" is enabled as a Sender Authentication policy, but some spoofed domains do not trigger the action configured for SPF Authentication. Domains that exhibit this issue are using the include mechanism in their SPF records.
This issue has been addressed in the 9.5.0 release of the Symantec Messaging Gateway (formerly Symantec Brightmail Gateway)
If the SPF record for a domain uses the include mechanism and the SPF record for the included domain has a last directive that is different from the last directive in the main SPF record, then the sender authentication module incorrectly treats the directive in the included domain as the overall directive. For example: