When an email is sent, it includes two main addresses: the "From" address, which is the address that the recipient sees, and the "Return-Path" address, which is the address that bounces are sent to. The SPF record for a domain specifies which IP addresses are allowed to send an email on behalf of that domain. However, the SPF record only applies to the "Return-Path" address, not the visible "From" address. This means that if the "Return-Path" does not match the "From" address, the SPF check will fail. This is a well-known case if you're using ESPs such as Mailchimp, Active Campaign, and others that keep their own Return-Path address to handle your bounces.