Why is forged email being delivered to major email providers such as Gmail.com and Outlook.com even though email is marked with an SPF hardfail?
SPF is so poorly configured by so many sites that receiving MTAs often count hardfail as advisory only and merely factor it into their spam detection scores. In the end it's up to the MTA's administrator as to how SPF failures will be treated.
A hard fail doesn't mean that the email will automatically be rejected. It's dependent upon how the receiving server is configured to handle SPF fails.
SPF error conditions do not indicate anything about the desired policy. As such they provide no guidance as to whether or not to accept the message. It is possible that the intended policy is +all. It is normal to accept mail in this case.