Updated SPF record, but verification still failing

Situation: you have updated your SPF record with what you found to be the egress IP address of messages being sent on your domains' behalf (or the vendor's full include). However, DMARC data continues to indicate that your SPF verification fails.

Explanation: for an SPF pass to count toward DMARC, the domain the sender uses in the mailfrom must match the From header domain. See the 'alignment' requirements for DMARC.

Adding some sort of entry to your domain's SPF record is completely useless unless the source of the message (the sender) also uses your domain in the mailfrom of messages that they send for you.
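The alignment check described above, as an added example that is not part of the original article: it reads the SPF result and mailfrom domain from a constructed message's Authentication-Results header and compares that domain with the From header domain. The sample message, the domain names and the two-label `org_domain` shortcut are assumptions; real receivers use the Public Suffix List for relaxed alignment.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the vendor uses its own domain in the mailfrom, so the
# receiver records spf=pass for the vendor's domain, not the From domain.
SAMPLE = """\
Return-Path: <bounce-123@mail.vendor-esp.example>
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=mail.vendor-esp.example
From: Newsletter <news@customer.example>
Subject: constructed sample

body
"""

def org_domain(domain):
    # Assumption/simplification: last two labels stand in for the
    # organizational domain. Real receivers consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def spf_leg(raw, strict=False):
    """Return (spf_result, mailfrom_domain, from_domain, dmarc_spf_pass)."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    # Collapse folded header whitespace before matching.
    ar = " ".join((msg["Authentication-Results"] or "").split())
    m = re.search(r"\bspf=(\w+)\b.*?\bsmtp\.mailfrom=([^\s;]+)", ar)
    if not m:
        return ("none", None, from_domain, False)
    result = m.group(1).lower()
    # smtp.mailfrom may be a full address or a bare domain.
    mailfrom_domain = m.group(2).rpartition("@")[2].lower()
    if strict:
        aligned = mailfrom_domain == from_domain
    else:
        aligned = org_domain(mailfrom_domain) == org_domain(from_domain)
    # The SPF leg counts for DMARC only when SPF passes AND the domains align.
    return (result, mailfrom_domain, from_domain, result == "pass" and aligned)

if __name__ == "__main__":
    print(spf_leg(SAMPLE))  # SPF passes, but not for the From domain
    aligned = SAMPLE.replace("mail.vendor-esp.example", "bounce.customer.example")
    print(spf_leg(aligned))
```

The function reads only the first Authentication-Results header; on real mail, evaluate only the header added by your own receiving system.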

Solution: [if you want this traffic to pass DMARC on the SPF leg] you must work with your vendor (the source/sender of the message traffic) to

  1. make sure that they can and will use your domain in the mailfrom, so that messages pass SPF with your domain
    1. note that this is not always completely desirable, because ESPs can and do make use of bounce/delay/unsubscribe information that comes directly to them when their domain is the returnpath (mailfrom). The most common example of this is salesforce.com (including pardot.com) - you can work with them to enable DMARC compliance via SPF, but many choose to simply rely on DKIM. In that case you should not retain the entry in your domain's SPF record.
  2. obtain direction on how to correctly update your SPF record with allowances for this specific vendor
    1. Some direction relating to the above may be available for your vendor via the 'Source Capabilities' area in the dmarcian application UI or via our public dmarc.io resource, but the best direction will be from your support contact at the vendor themselves.