Email protected with SPF but received valid signature from other IP anyway

As defined in RFC 7208, 1.1.3, SPF is not tested against the RFC 5322 From header, but against the envelope sender i.e. the address in RFC 5321 MAIL FROM command.

from=<[email protected]>

Therefore, rec15.appleandroidemail.mx is the domain of the envelope sender, and this hostname doesn't have an SPF record.

You'd need an additional DMARC policy to enforce alignment between the MAIL FROM and the envelope sender.