DMARC is reporting that a small fraction of our emails originate from google, microsoft, and some other providers.
DMARC is also reporting that a good chunk of those emails fail both SPF and DKIM, and therefore fail DMARC.
We don't use those providers to send emails, so guessing those stats reflect forwarded emails and spoofs.
Obviously SPF would fail for forwarded and spoof emails, but is it possible some legit DKIM headers get mangled in transit?
Question,
Does it make sense to include google and microsoft's SPF hosts in our SPF record to help pass DMARC for those forwarded emails, even if we don't use them to send emails?
I'm reluctant to do that as it's against the spirit of SPF and will help spoofers.
Or can we be pretty certain that those failed DMARCs reflect spoofs and in most forwarding cases DKIM headers are passed around intact?