there are times

that try my patience. Usually with poorly implemented filtering tools of one form or another.
The SPF mechanism is to provide an anti-spoofing system, which identifies which machines are allowed to send email in your domain name.
The tools that purport to test it? Not so good. I get conflicting answers from various tools for a simple SPF record. The online tester (interactive) seems to work and show me my config is working nicely.
The email tester, shows it is working nicely.
The spf policy framework for postfix goes ::shrug::
Some corporate SPF framework with minimal visibility, and no support for non-customers (the ones whose email it is miss-classifying) claims there is a problem.
The DKIM bits seem to work. I’ve not set up DMARC (yet) though I might.
Curiously, all of this is for the $dayjob using the google mail system. For this system, no such issues. Everything seems to work.
Honestly, I think it is time for people to set up a emailtest@domainname so that it becomes easy to diagnose problems with legitimate email. I just wrestled with an earlier header problem (which wasn’t our problem per se, but I am trying to be helpful). Now I have other folks simply rejecting mail for no apparent reason.
Stuff like this wastes my time/effort, makes technology far less fun.
I have more important things to do than to waste on this.