Mimecast emails fail with the error: (Undelivered): 550 Anti-Spoofing policy - Inbound not allowed ......... after Migration to Hyperforce

Salesforce recommends SPF/DKIM/DMARC to obtain the highest deliverability  
Organizations that use a Mimecast email front end (MX record) can leverage the functionality described by Mimecast here to address emails sent to their own domain from Salesforce that get filtered by Mimecast Anti Spoofing policies with errors similar to the above.
As a best practice organizations should also setup DKIM for Salesforce.  When setting up SPF and DKIM also be aware of alignment best practices mentioned here

Mimecast Anti-Spoofing SPF Based Bypass policy underscore limitation
NOTE: Salesforce recommends and supports the use of the SPF record mentioned previously in this article _spf.salesforce.com.  However, an SPF record spf.salesforce.com also exists. This record is not the officially recommended and supported for use in DNS.  As the Mimecast SPF policy mentioned doesn't allow the use of the underscore this entry can be used as workaround to this limitation in the Mimecast policy only.  For more information on this Policy contact Mimecast.