Mail being rejected despite SPF record specifying envelope IP address

I have a mail server with a bridged DSL modem connection; the domain's SPF record looks like this:

"v=spf1 +mx +aa.bb.cc.dd -all"

where the aa.bb.cc.dd is the IP address for my end of the bridged DSL connection; this address is NOT in my domain; it is owned by my ISP. The IP for the mail server is in the MX record for the domain, but the PPPoE link for the DSL bridge changes the IP for my end of the link to aa.bb.cc.dd.

It was my understanding adding +aa.bb.cc.dd to the SPF record should allow mail going out with that address to be considered as coming from my domain, but I'm still getting reject messages:

550-5.7.26 The MAIL FROM domain [my-domain.com] has an SPF record with a hard
550-5.7.26 fail policy (-all) but it fails to pass SPF checks with the ip:
550-5.7.26 [aa.bb.cc.dd].

This was a recent update to my DNS records but I think it should have propagated by now. Any insights would be much appreciated.

If you want to add an IP address to your SPF record, you need to use the ip4 mechanism. See the bottom example in the RFC Appendix A.1

Also, when not specified the + modifier is assumed.

Your record could look something like this:

v=spf1 mx ip4:aa.bb.cc.dd -all