v=spf1 +mx -all
Which probably doesn’t really mean all that much to most people. So to break it down:
-> v=spf1 means “This is a version 1 SPF record”
-> +mx means “The server(s) defined in our MX record are allowed to send email on behalf of this domain”
-> -all means “Anything that does not match should be treated as a hard failure”
The last part is what’s getting you. Since we use “hard failure” on our SPF record, it basically means we are 100% confident that all legitimate emails from our domain will be defined by our SPF record, and everything that doesn’t match should be rejected.
A lot of sites use “~all”, or “soft failure” instead, meaning that if an email does not match the SPF record, it should still be accepted but marked as spam or otherwise flagged for additional scrutiny. The email address you used to send a test email probably uses a soft-fail SPF record instead of a hard-fail one like we do.
~all/soft-fail is more common than -all/hard-fail, as the latter can cause some delivery issues if you have a more complicated or regularly changing email infrastructure. Our infrastructure is extremely simple and relatively static, so we use the hard-fail mode as it offers better security.
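The qualifier logic described above, as an added example that is not part of the original post: a small evaluator that walks an SPF record left to right and returns the result of the first matching mechanism. It handles only the mx, ip4 and all mechanisms, and the MX_HOSTS list and sender addresses are constructed documentation-range values standing in for real DNS lookups.

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208); a missing qualifier means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample data: the address the domain's MX record resolves to.
MX_HOSTS = ["192.0.2.10"]

def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not a version 1 SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed

def evaluate(record, sender_ip, mx_hosts):
    """Return the SPF result for sender_ip.

    mx_hosts replaces the MX and A lookups a real checker would perform.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, arg in parse_spf(record):
        if name == "all":
            matched = True
        elif name == "mx":
            matched = any(ip == ipaddress.ip_address(h) for h in mx_hosts)
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            raise ValueError(f"mechanism not handled in this example: {name}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched

if __name__ == "__main__":
    # Same unlisted sender, hard-fail versus soft-fail policy.
    for policy in ("v=spf1 +mx -all", "v=spf1 +mx ~all"):
        for sender in ("192.0.2.10", "203.0.113.7"):
            print(policy, sender, evaluate(policy, sender, MX_HOSTS))
```

A receiver that honours the policy rejects the "fail" result outright, while "softfail" is typically accepted and flagged for extra scrutiny.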