If spoofed messages are getting through after enabling the SPF event, check the following:
1) Make sure SPF is actually enabled. Under scanner/policy management | scanner name | scanning config. | antispam | SPF make sure "Enable SPF event" is checked. Also, make sure "enable connection drop" or "enable message header scan" is checked. Note: If you have "Enable message header scan" checked make sure "block the message" is checked as well.
2) Make sure an SPF record is set for your domain on your DNS.
Here is another TID about SPF: https://support.microfocus.com/kb/doc.php?id=7019848