The Symantec Messaging Gateway (current version 10.5.3) supports Sender Authentication Checks (SPF and SenderID).
RFC 7208 chapter 8 (Result Handling) suggests two ways of handling failed Sender Authentication:
-.-.-.-.-.-.-.-.-.-.-.-.-
There are essentially two classes of handling choices:
o Handling within the SMTP session that attempted to deliver the
message, such as by returning a permanent SMTP error (rejection)
or temporary SMTP error ("try again later");
o Permitting the message to pass (a successful SMTP reply code) and
adding an additional header field that indicates the result
returned by check_host() and other salient details; this is
discussed in more detail in Section 9.
-.-.-.-.-.-.-.-.-.-.-.-.-
Symantec support has answered a support ticket asking for a "reject" action for failed Sender Authentication:
The class chosen by Symantec is the second. For this reason there is no possibility to reject the messages as SPF action.
I suggest to implement a "reject" action within the SMTP session (eg. 5xx "SPF check failed") for failed Sender Authentication and let the customer decide which action to activate.
The default setting could still be to permit the message to pass.