I'm trying to maximize my company's email deliverability and DMARC reports tell me we are failing DMARC SPF alignment with calendar-server.bounces.google.com which I suspect is the email server sending calendar invites on our behalf.
I understand SPF alignment isn't 100% required since we have DKIM alignment, but still wonder if it's worth fixing and if it safe to add calendar-server.bounces.google.com to our SPF record.
No, messages with this sender are not authorized by you beyond what their signature says, and you should avoid any strategy of signalling to other servers that they were.
Google Calendar invites have been used for rather annoying phishing campaigns before. After the mechanism was already well known from similar Google Groups abuse. And the time until and the way Google dealt with it does not instill confidence that Google has allocated the necessary resources to shut down such abuse for good, so you should be glad that recipients can make better informed decisions purely based on the signature.
