We have a domain, test123.com, and we also have a client, test.gov. The test123.com domain has this in its SPF record:
spf.protection.outlook.com -all
With that SPF record, when we send via AWS SES it passes with:
Received-SPF: Pass (protection.outlook.com: domain of amazonses.com designates 54.240.9.12 as permitted sender) receiver=protection.outlook.com; client-ip=54.240.9.12; helo=a9-12.smtp-out.amazonses.com
Now in AWS SES we sent an approval to our client, who approved us to send on their behalf, but AWS rejects it, saying I failed DMARC: "Unauthenticated email from test.gov is not accepted due to\n550-5.7.26 domain's DMARC policy."
Why would we be rejected if, when I tested protection.outlook.com on a domain we control, amazonses passed SPF?
As I understand DMARC, as long as I pass either a DKIM or an SPF, I then pass the DMARC check. Why is it that the identical SPF of protection.outlook.com works on test123.com but not on test.gov when we approve a single email identically? (The domain is not approved with DKIM; only a single email is.)
Can protection.outlook.com work differently depending on the to-domain, where they can have an approved sender it resolves to, so if they did not set us as an approved sender in their Exchange console it rejects, meaning not all protection.outlook.com's are the same in the SPF world?
I have never seen an SPF that was not created equally, but I have no idea why it produces different results. If amazonses.com is validated on test123.com, shouldn't it validate on test.gov on just SPF?
Set up DNS with an enforced DMARC policy:
v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; sp=reject; fo=1; pct=100
which matches their DMARC policy of
v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; sp=reject; fo=1; pct=100
Both SPFs have
v=spf1 include:spf.protection.outlook.com -all
Can spf.protection.outlook.com have a dynamic value returned based on the domain it is hosted on?
"As I understand DMARC, as long as I pass either a DKIM or an SPF, I then pass the DMARC check." - True, but either SPF or DKIM has to both "pass" and "align". From the headers you've posted above it is clear that SPF is "passing" but that it isn't "aligning" to "test123.com", but rather "amazonses.com".
Is DKIM passing and aligning? Amazon SES have documentation on authenticating Amazon SES to use your custom domain ("test123.com").
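
The pass-versus-align distinction in the answer above, worked through on the Received-SPF header from the question. This is an added example, not code from either poster or from AWS. The DKIM results passed in are constructed, and org_domain() assumes a two-label organizational domain where real evaluators consult the Public Suffix List.

```python
import re

# The Received-SPF header quoted in the question, embedded as sample input.
RECEIVED_SPF = ("Received-SPF: Pass (protection.outlook.com: domain of amazonses.com "
                "designates 54.240.9.12 as permitted sender) "
                "receiver=protection.outlook.com; client-ip=54.240.9.12; "
                "helo=a9-12.smtp-out.amazonses.com")

def parse_received_spf(header):
    """Return (result, MAIL FROM domain) from a Received-SPF header."""
    m = re.match(r"Received-SPF:\s*(\w+)\s*\(.*?domain of (\S+)", header, re.I)
    if not m:
        raise ValueError("unrecognised Received-SPF header")
    # The header may carry a full address; keep only the domain part.
    return m.group(1).lower(), m.group(2).rsplit("@", 1)[-1].lower()

def org_domain(domain):
    # Assumption: the last two labels form the organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """DMARC identifier alignment: 's' = exact match, 'r' = same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_evaluate(from_domain, spf_header, dkim_results=(), aspf="r", adkim="r"):
    """dkim_results: iterable of (result, d= domain) pairs from DKIM checks."""
    spf_result, mail_from = parse_received_spf(spf_header)
    spf_ok = spf_result == "pass" and aligned(mail_from, from_domain, aspf)
    dkim_ok = any(r == "pass" and aligned(d, from_domain, adkim)
                  for r, d in dkim_results)
    return {"spf_result": spf_result, "mail_from": mail_from,
            "spf_pass_and_aligned": spf_ok, "dkim_pass_and_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

if __name__ == "__main__":
    # Constructed DKIM results: a signature for amazonses.com only, then
    # one for the From domain as it would look once domain DKIM is set up.
    for dkim in ([("pass", "amazonses.com")], [("pass", "test.gov")]):
        print(dkim, dmarc_evaluate("test.gov", RECEIVED_SPF, dkim))
```

Neither DMARC record in the question sets aspf or adkim, so the relaxed defaults used here apply.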