How/Why does Google Pass (not fail) SPF when the sending domain/IP are not in my SPF record

Question

I have looked through other answers here but they all talk about the negative (not passing) I have a situation where I would expect it to fail on Gmail but it does not.

I am using an e-commerce platform "Sharetribe" they use "sendgrid" (Twilio) to send customer communications. I have set up 3 DNS records for sendgrid, all are CNAMEs, 2 look to be DKIM keys and another one similar.

12345678.u1234.sendgrid.net
flx.domainkey.12345678.u1234.sendgrid.net
flx2.domainkey.12345678.u1234.sendgrid.net

But no SPF record has been setup for this 3rd party platform yet, as they do not offer it, which is why I started to question the spf? Maybe the standards and protocols have changed???

for example this is my SPF record:

"v=spf1 include:our.email.service ~all"

...it does not include Saretribe or sendgrid.

so why would google pass the SPF?

This is a similar example to what is in my customer's received Gmail email HEADER:

ARC-Authentication-Results: i=1; mx.google.com;
   dkim=pass [email protected] header.s=flx header.b="dca/fgbb";
   dkim=pass [email protected] header.s=smtpapi header.b=dfgdfg;
   spf=pass (google.com: domain of bounces+34564567-456- [email protected] designates 168.245.24.68 as permitted sender) smtp.mailfrom="[email protected]"
Return-Path: <[email protected]>
[![enter image description here][1]][1]Received: from o1.flex-mail.sharetribe.com (o1.flex-mail.sharetribe.com. [168.245.24.68])
    by mx.google.com with ESMTPS id bx41-sdgfhbsrgberthberhbreybtyrbtyjbtyjbtyjb.111.2023.10.31.15.06.27
    for <[email protected]>
    (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
    Tue, 31 Oct 2023 15:06:28 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 168.245.24.68 as permitted sender) client-ip=168.245.24.68;
Authentication-Results: mx.google.com;
   dkim=pass [email protected] header.s=flx header.b="dca/fgbb";
   dkim=pass [email protected] header.s=smtpapi header.b=dfgdfg;
   spf=pass (google.com: domain of [email protected] designates 168.245.24.68 as permitted sender) smtp.mailfrom="[email protected]"

Answer 1

Just got a response from Sharetribe...

The CNAME record named em404.our.domain with a value of 12345678.u1234.sendgrid.net

points to another SPF record setup at 12345678.u1234.sendgrid.net

and our spf record at our.domain is not needed for emails sent from sendgrid and spf should work perfectly everywhere.

So the above picture should have had a green tick when using em404 sub domain.