If you see a message sent from an Office365/Hotmail email domain flagged for SPF Fail, it is because Office365 -occasionally- sends from IP addresses that are not contained by their new SPF include: statement.
Existing SPF "TXT" record for spf.protection.outlook.com
"v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 ip4:52.100.0.0/14 ip4:104.47.0.0/17 ip6:2a01:111:f400::/48 ip6:2a01:111:f403::/48 include:spfd.protection.outlook.com -all"
What we have see is the sending IP is in the 40.95.0.0/24 range.
Recommendation:
Add "40.92.0.0/14" to System Setup > Mail Authentication > SPF Bypassed IPs/Networks::
-- That will bypass SPF checks for that IP range.
-- That IP range that used to be in their SPF record, before it was changed.