A confusing failure: your checker says SPF passes, but DMARC still fails. The culprit is almost always alignment, not the SPF record itself.
Softfail vs the real problem
~all (softfail) just tells receivers to accept-but-mark unlisted senders. It’s a fine,
common setting — it is usually not why your mail fails DMARC.
DMARC requires that the domain SPF authenticates (the hidden Return-Path / envelope-from)
aligns with the visible From: domain. If you send from you@yourbrand.com but your ESP
uses a Return-Path like bounces@esp-domain.net, SPF passes for the ESP domain — but it
doesn’t align with yourbrand.com, so DMARC fails.
The fix: a custom Return-Path (custom MAIL FROM)
- In your ESP, enable a custom Return-Path / custom MAIL FROM on a subdomain of your
own domain, e.g. mail.yourbrand.com or bounces.yourbrand.com.
- Add the CNAME/MX records the ESP gives you for that subdomain.
- Now SPF authenticates mail.yourbrand.com, which relaxed-aligns with yourbrand.com — DMARC passes.
DKIM alignment works similarly: sign with a d= domain that matches your From domain.
Check it
Send yourself a message and run the headers through the
header analyzer. On the Authentication-Results line, look for
spf=pass and check that the domain it authenticated matches your From domain. Then re-run the full
domain check. If you’re still stuck, the issue is alignment, not your ~all.
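
The same check done by hand, as an added example that is not part of the original page: it reads an Authentication-Results value, extracts the SPF-authenticated domain (smtp.mailfrom) and the From domain (header.from), and tests relaxed or strict alignment. The sample headers are constructed from the page's example domains, and the short suffix set is an assumption standing in for the full Public Suffix List.

```python
import re

# Assumption: a tiny stand-in for the Public Suffix List; real checks need the full PSL.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def org_domain(domain):
    """Organizational domain: the public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def aligned(auth_domain, from_domain, strict=False):
    """Strict: exact match. Relaxed: same organizational domain."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def _prop(header, name):
    """Domain part of a property such as smtp.mailfrom=bounces@esp-domain.net."""
    m = re.search(r"\b" + re.escape(name) + r"=(?:[^\s;@]*@)?([A-Za-z0-9.-]+)", header)
    return m.group(1).lower() if m else None

def check_spf_alignment(header, strict=False):
    """Report the SPF result and whether the authenticated domain aligns with From."""
    m = re.search(r"\bspf=(\w+)", header)
    spf = m.group(1).lower() if m else "none"
    mailfrom = _prop(header, "smtp.mailfrom")
    from_dom = _prop(header, "header.from")
    ok = bool(mailfrom and from_dom) and aligned(mailfrom, from_dom, strict)
    return {"spf": spf, "mailfrom": mailfrom, "from": from_dom,
            "aligned": ok, "dmarc_spf_pass": spf == "pass" and ok}

# Constructed sample headers using the page's example domains.
BEFORE = ("mx.example.org; spf=pass smtp.mailfrom=bounces@esp-domain.net; "
          "dmarc=fail header.from=yourbrand.com")
AFTER = ("mx.example.org; spf=pass smtp.mailfrom=bounces@mail.yourbrand.com; "
         "dmarc=pass header.from=yourbrand.com")

if __name__ == "__main__":
    for label, hdr in (("default Return-Path", BEFORE), ("custom Return-Path", AFTER)):
        print(label, check_spf_alignment(hdr))
```

With strict=True the custom Return-Path on mail.yourbrand.com no longer aligns with yourbrand.com, which is why the subdomain fix depends on relaxed SPF alignment.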