SPF record with DMARC policy is not picking up the policy

We are now going through security verification, and we are using SecurityScorecard for it. One of the issues that we are still trying to fight, is the SPF record.

The details of the error are as follows:

SPF softfail record without DMARC policy detected.

Now, I could, of course, set it to HardFail, but I wanted to have the policy to quarantine first. But it seems to not work.

Here are the two record that I currently have:

v=DMARC1; p=quarantine; sp=quarantine; rua=mailto:[email protected]!10m; ruf=mailto:[email protected]!10m; rf=afrf; pct=100; ri=86400

v=spf1 include:servers.mcsv.net include:spf.sendinblue.com mx include:_spf.google.com ~all

I was under the assumption that the DMARC record is the one setting the policy. What am I doing wrong here?

I was under the assumption that the DMARC record is the one setting the policy. What am I doing wrong here?

The DMARC policy is effective, if the recipient is capable of DMARC. Otherwise, if the recipient is only validating SPF, the SPF action is effective.

But in addition, SecurityScorecard may on top set higher requirements for consistency, even if it is not required my the DMARC/SPF standards.

Has the DMARC record been validated to be effective (i.e. correctly configured)?