When using SPF setting "Authenticate only the following domains", both SPF and SenderID content rules will trigger on an existing SPF Authenication-results header in an email from a domain that is not supposed to be checked for SPF.
This is a known issue at the moment.
Please follow the workaround below to resolve temporarily.
1) In the Messaging Gateway web interface, go to Spam > Sender Authentication, and set an "Authentication Service Identifier" of your choice, but different from the default one, then save.
2) Go to Content > Policies > Email and edit the active policy for sender authentication. Change the current Content Filter rule on SPF validation, and add the following condition:
Ensure you specify the same authentication ID as in step 1.
3) Ensure to select ALL as the operator for conditions, as follows:
Subscribing will provide email updates when this Article is updated. Login is required.