PermError SPF Permanent Error: Void lookup limit of 2 exceeded

The void lookup limit was introduced in RFC 7208 and refers to DNS lookups which either return an empty response (NOERROR with no answers) or an NXDOMAIN response. This count is separate from the overall limit of 10 DNS lookups.

As described at the end of Section 11.1, there may be cases where it is useful to limit the number of “terms” for which DNS queries return either a positive answer (RCODE 0) with an answer count of 0, or a “Name Error” (RCODE 3) answer. These are sometimes collectively referred to as “void lookups”. SPF implementations SHOULD limit “void lookups” to two. An implementation MAY choose to make such a limit configurable. In this case, a default of two is RECOMMENDED. Exceeding the limit produces a “permerror” result.

This is meant to help prevent erroneous or malicious SPF records from contributing to a DNS-based denial of service attack.

In your case, the problematic part seems to be:

include:spf.messaging.microsoft.com

Its SPF record is:

v=spf1 ptr:protection.outlook.com ptr:messaging.microsoft.com ptr:o365filtering.com -all

All three of those records, if looked up, return either NOERROR with no records or NXDOMAIN.

Since three records didn’t return anything, you exceeded the void lookup limit of 2, and the SPF record fails.
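The counting rule above, as an added example that is not part of the original answer: it walks the terms of an SPF record against a stub resolver and applies both limits. The `ZONE` table, host names and client IP are constructed; `ptr` is modelled as RFC 7208 section 5.5 describes it (a reverse lookup of the connecting IP), and `include`/`redirect` are not followed.

```python
import ipaddress

VOID_LIMIT = 2     # RFC 7208 recommended default
LOOKUP_LIMIT = 10  # overall DNS lookup limit, counted separately

# Constructed stub resolver data: (qname, qtype) -> (rcode, answers).
# Any key not listed behaves as NXDOMAIN (RCODE 3).
ZONE = {
    ("mail.example.org", "A"): (0, ["192.0.2.10"]),
    ("example.org", "MX"): (0, []),  # NOERROR with an empty answer section
}

def resolve(qname, qtype):
    return ZONE.get((qname, qtype), (3, []))

def query_for(term, domain, client_ip):
    """Return the (qname, qtype) a term triggers, or None if it needs no DNS."""
    mech, _, arg = term.lstrip("+-~?").split("/")[0].partition(":")
    if mech == "a":
        return (arg or domain, "A")
    if mech == "mx":
        return (arg or domain, "MX")
    if mech == "exists":
        return (arg, "A")
    if mech == "ptr":
        return (ipaddress.ip_address(client_ip).reverse_pointer, "PTR")
    return None  # ip4, ip6, all, modifiers: not modelled as lookups here

def check_limits(record, domain, client_ip):
    """Return (status, lookups, void_lookups) for a record where no term matches."""
    lookups = voids = 0
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        query = query_for(term, domain, client_ip)
        if query is None:
            continue
        lookups += 1
        if lookups > LOOKUP_LIMIT:
            return ("permerror", lookups, voids)
        rcode, answers = resolve(*query)
        # Void lookup: Name Error, or a positive answer with zero records.
        if rcode == 3 or (rcode == 0 and not answers):
            voids += 1
            if voids > VOID_LIMIT:
                return ("permerror", lookups, voids)
    return ("within-limits", lookups, voids)

if __name__ == "__main__":
    rec = "v=spf1 ptr:protection.outlook.com ptr:messaging.microsoft.com ptr:o365filtering.com -all"
    print(check_limits(rec, "spf.messaging.microsoft.com", "192.0.2.55"))
```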
