Well, interesting! Thanks for the report.
The existing SPF record simply had MX and A records as allowed to send. I'm guessing when @TE setup the new server he chose to use the old servers mail so he did not have to enjoy the fun associated with a new IP address and mail reputation. I just went through this and it took weeks to get a the new IP address clear even though it was all SPF/DMARC/DKIM/RDNS/Virus scan valid mail.
So I've added s2.eurich.de as a designated sender (in addition to the current mx / a which point at s3.) I could probably just point the mx record to s2.eurich.de ip address, but this should work fine.
v=spf1 a mx a:s2.eurich.de ~all
I just gave it a quick test and it seems to give an spf:pass result now