SPF hard fail not working in Google Apps?

My spf record has been set for the last 24 hours as follows
v=spf1 mx a:mailhost.zen.co.uk -all
I'm using google apps so my MX records all point to Google and I occasionally have to send via my ISP Zen. Sending and receiving works but when I test sending a spoof email (pretending to be from my domain) from a non authorised IP address Gmail just flags the message as follows.

Received-SPF: softfail (google.com: domain of transitioning testmessage@mydomain.co.uk does not designate xxx.xxx.142.162 as permitted sender) client-ip=xxx.xxx.142.162;

Why is Gmail only treating this as a soft fail and not a hard as -all indicates?

Hah it gets worse!

Now gmail sees my spoof test from an unauthorised ip address as a hard fail but still delivers the message to me. Surely hard fail means reject or at least put in spam bin.

Received-SPF: fail (google.com: domain of test@mydomain.co.uk does not designate xxx.xxx.xxx.xxx as permitted sender)