Example (may not be worded exactly, varies with each mail host):
This particular error is returned from a large hosted mail domain:
550 5.1.1 <Your IP Address> is not allowed to send from <Your domain> per its SPF Record. Please inspect your SPF settings, and try again.
There is no IP record in the SPF for the sender's domain that matches the external IP related to the SMG.
Update the SPF record for the sender's domain to include the IP address associated with the SMG.
If the SPF record is configured for "soft fail" (~all), the SMG will still accept mail even if it fails. This setting is recommended for senders performing network changes or changing external IP addresses.
SPF documentation is available at the ITEF website. Symantec Support is not able to provide configurations for our customers, but various sites provide SPF tools to assist in proper configuration.