dmarcula

SPF fails but DMARC passes.

You open a source (Postmark, SendGrid, Mailchimp, a Google Workspace relay) and SPF is a red fail, yet DMARC is a green pass. Nothing is broken. Here's what's actually happening, and the one right way to tidy it up.

Short answer: your mail is fine. DMARC only needs one of SPF or DKIM to line up with your domain. Your email provider is signing DKIM and it lines up, so DMARC passes and your mail is delivered, even on p=reject. The SPF fail is cosmetic.

Why SPF "fails" here

There's a difference between SPF passing and SPF aligning, and it's the whole story:

  • SPF checks the envelope sender (the Return-Path, or MAIL FROM): the hidden bounce address, not the From: your recipients see.
  • Email providers use their own bounce domain. Postmark sends with pm.mtasv.net, SendGrid with its own, and so on. SPF passes for that domain, but it isn't yours, so it can't align with your From: domain.
  • DKIM saves the day. Your provider signs each message with a key published on your domain, that signature aligns, and DMARC passes on DKIM alone. That's by design. It's exactly how DMARC is meant to work.

Don't "fix" it by editing your SPF record. Adding your provider's include: to your domain's SPF record is the classic wrong turn. Even if it makes SPF pass, it still won't align: alignment is about the bounce domain matching your From: domain, not about SPF passing. You'd gain nothing and burn one of SPF's hard limit of 10 DNS lookups.

The right fix (optional)

If you want SPF to align as well as DKIM, the correct lever is a custom Return-Path (a custom bounce domain) at your email provider. It hands you a small DNS record on a subdomain of your own domain; once it's in place, the envelope sender becomes yours and SPF aligns. Now both mechanisms pass, useful belt-and-suspenders if DKIM ever breaks (say, a forwarder rewrites the message in transit).

It's genuinely optional. DKIM alignment already carries DMARC, so reach for this on your highest-volume or most critical streams first, and don't lose sleep over the rest.

Worked example: Postmark

Postmark is a common one, so here's the whole loop end to end:

  1. In Postmark, go to Sender Signatures → DNS Settings for your domain.
  2. Find the Return-Path row. Postmark gives you a CNAME: host pm-bounces (so pm-bounces.yourdomain.com) pointing at pm.mtasv.net.
  3. Add that CNAME at your DNS host. Postmark flips the Return-Path row to Verified once DNS propagates (usually minutes).
  4. Give the mailbox providers a day to report on the new mail, then reopen the source here. SPF will flip to pass and align. DMARC stays green throughout.

Notice what's not on that screen: an SPF record to edit. Postmark spells it out: "We no longer require SPF DNS records since it's automatically handled for you." The Return-Path CNAME is the whole job; leave your domain's SPF record alone.
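To make the pass-versus-align distinction from the section above concrete, and to show what the Return-Path CNAME in the Postmark steps actually changes, here is an added Python example. It is not dmarcula's or Postmark's code; it models the evaluation a receiving mail server performs over constructed authentication results. yourdomain.com is a placeholder, the Postmark hostnames are the ones from the walkthrough, and the Public Suffix List is stubbed with a handful of suffixes.

```python
"""DMARC alignment evaluator.

Added example, not dmarcula's or Postmark's code. SPF and DKIM each yield a
result plus the domain they authenticated; DMARC passes only if one of those
domains *aligns* with the From: domain. The hostnames are constructed to match
the article's Postmark walkthrough; "yourdomain.com" is a placeholder.
"""
from dataclasses import dataclass

# Constructed stand-in for the Public Suffix List; a real receiver uses the
# full list to find the organizational domain.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Registrable domain, e.g. pm-bounces.yourdomain.com -> yourdomain.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Relaxed ('r'): organizational domains match. Strict ('s'): exact match."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; aspf=r' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From domain, the one recipients see
    spf_result: str    # "pass", "fail", ...
    spf_domain: str    # envelope sender (Return-Path / MAIL FROM) domain SPF was checked against
    dkim_result: str
    dkim_domain: str   # d= tag of the DKIM signature


def evaluate_dmarc(r: AuthResults, dmarc_txt: str) -> dict:
    """Return pass/align flags and the disposition a p=reject receiver would apply."""
    tags = parse_dmarc_record(dmarc_txt)
    spf_aligned = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, tags.get("aspf", "r"))
    dkim_aligned = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, tags.get("adkim", "r"))
    dmarc_pass = spf_aligned or dkim_aligned
    return {
        "spf_pass": r.spf_result == "pass",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if dmarc_pass else "fail",
        # on failure the domain owner's policy decides; on pass the mail is delivered
        "disposition": "none" if dmarc_pass else tags.get("p", "none"),
    }


FROM = "yourdomain.com"
POLICY = "v=DMARC1; p=reject"   # relaxed alignment is the default when aspf/adkim are absent

# Constructed scenarios. Adding include:... to yourdomain.com's SPF record changes
# none of them: SPF is evaluated for spf_domain, and before the Return-Path fix
# that domain is the provider's, so your own record is never consulted.
SCENARIOS = {
    "default return-path": AuthResults(FROM, "pass", "pm.mtasv.net", "pass", FROM),
    "default return-path, dkim broken": AuthResults(FROM, "pass", "pm.mtasv.net", "fail", FROM),
    "custom return-path": AuthResults(FROM, "pass", "pm-bounces.yourdomain.com", "pass", FROM),
    "custom return-path, dkim broken": AuthResults(FROM, "pass", "pm-bounces.yourdomain.com", "fail", FROM),
}


def run_scenarios(dmarc_txt: str = POLICY) -> dict:
    """Evaluate every constructed scenario against one DMARC record."""
    return {name: evaluate_dmarc(r, dmarc_txt) for name, r in SCENARIOS.items()}


if __name__ == "__main__":
    for name, res in run_scenarios().items():
        print(f"{name:36} spf={res['spf_pass']!s:5} spf_aligned={res['spf_aligned']!s:5} "
              f"dkim_aligned={res['dkim_aligned']!s:5} dmarc={res['dmarc']} ({res['disposition']})")
    # With aspf=s (strict) the pm-bounces subdomain no longer aligns.
    strict = run_scenarios("v=DMARC1; p=reject; aspf=s")["custom return-path"]
    print("strict aspf=s, custom return-path: spf_aligned =", strict["spf_aligned"])
```

Run it and the first scenario reproduces the screen described at the top of the article: SPF passes, SPF does not align, DKIM aligns, DMARC passes. The "dkim broken" rows show why the custom Return-Path is worth having on important streams: before the fix a broken signature turns into a reject, after it SPF carries the message. One caveat the walkthrough does not cover: if your DMARC record sets aspf=s (strict), the pm-bounces subdomain is not an exact match for your From: domain and SPF will still not align; the default relaxed mode is what makes a subdomain Return-Path work.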

[Figure: Postmark's Sender Signatures DNS Settings, showing a DKIM TXT record and a Return-Path CNAME (host pm-bounces, value pm.mtasv.net) both marked Verified, plus a note that SPF records are no longer required. The Return-Path CNAME is the record that aligns SPF.]

Other providers (SendGrid, Mailchimp, Mailgun, and friends) call it different names ("link branding," "domain authentication," "custom bounce domain") but it's the same idea: a record on your domain so the bounce address becomes yours.

Keep reading

Still unsure whether a source is safe to ignore? Email support@dmarcula.com with the source and what you're seeing, and we'll take a look with you.