The error message in Track and Trace:

SMTP Status: blocked by anti-spam - filtered by SPF.  Domain of example.com does not designate ##.##.##.## as permitted sender

Email Security.cloud

By design, when there is a customer-to-customer email, we assume the traffic is between our internal servers and the sender should has "include:spf.messagelabs.com" in his SPF record, per our deployment guide. During the SPF check in this scenario, the IP argument is our own server.

Sender has to keep include:spf.messagelabs.com in the SPF record in DNS.

If the sender is moving away from Email Security.cloud, he needs to wait with updating SPF record, until the domain is fully removed from ESS.