A couple of blatant spams today got through BMG, about four hours apart, source is the same IP.
Checked reputation in the BMG UI, that IP is not on any bad reputation lists. (78.129.221.169 - seems to be owned by Rapidswitch Ltd in the UK)
OK, that's not the biggest news in the world, but the spammer forged a Gmail address in the MAIL FROM, and clearly this was not delivered from a Google IP address, so given that Google has working SPF records, why didn't BMG block these messages?
(Aside: I note that the message used TLS. Ever since I enabled TLS on this box, I've noticed that some spammers seem to prefer it, perhaps because it obscures the message content to some systems? They never seem to provide a certificate, but I can't see a way to enforce that.)