Just wondering - your SPF setting is set to reject only when you get a hard failure, which is -a IIRC? I know ours is just a ~ atm for some migration / DMARC work... when combined with the default policy of reject only on fail and not a softfail - no local rules set, I see, in your SPF...