Should SPF hardfail be enforced if DMARC is in place?
Summary
What email marketers say (12 marketer opinions)
Email marketer from Postmark explains that the purpose of DMARC is for recipients to check the SPF and DKIM records, and if it fails, it will follow the DMARC policy. If it passes, then other failures are irrelevant.
Email marketer from MXToolbox shares that DMARC allows domain owners to specify how email receivers should handle messages that fail authentication checks (SPF and DKIM). If the message passes DMARC because one authentication method aligns, hard fail is irrelevant.
Email marketer from Reddit explains DMARC is the 'tie breaker' and if the email aligns with DMARC, the mail provider will follow the instructions in the DMARC record, regardless of the SPF or DKIM results. The goal of DMARC is to protect your domain.
Email marketer from Word to the Wise shares that modern email authentication best practices suggest focusing on DMARC alignment. If DMARC is properly configured and passes, the SPF result is less critical.
Marketer from Email Geeks mentions that most systems defer to DMARC and do not enforce SPF hardfail, although some do honor "-all" and stop processing at MAIL FROM.
Email marketer from Cloudflare explains that DMARC allows domain owners to tell receiving mail servers what to do with messages that fail SPF or DKIM checks. This policy decision lets the owner decide if SPF is enough.
Marketer from Email Geeks states that no major MBPs enforce on just SPF hardfail and that DMARC is now the policy layer.
Marketer from Email Geeks shares that M3AAWG’s Email Auth Best Practices says DMARC pass overrides SPF hardfail unless the SPF record is “v=spf1 -all”.
Email marketer from AuthSMTP explains that DMARC uses both SPF and DKIM to determine if an email is legitimate and in keeping with the domain owner's wishes. If these pass, DMARC will override any previous SPF and DKIM failures.
Marketer from Email Geeks shares that the MAAWG document might be helpful since it states that domain owners should use soft fail except for, of course, v=spf -ALL. And I do think that this statement strengthens the case in the section for receivers: A DMARC pass overrides an SPF fail verdict... Because a DMARC pass requires only a DKIM or SPF pass (with proper domain alignment) and because it’s not uncommon for a Return-Path (RFC5321.From) domain to not align with the header From (RFC5322.From) domain, an SPF Fail verdict (which occurs when the SPF record ends in “-all” and the SPF check does not pass) should not result in a message rejection until after DMARC has been evaluated and been found to not pass.
Marketer from Email Geeks suggests asking if a colleague believes DMARC validation should occur on inbound mail, and if so, how that's possible if messages are bounced at MAIL FROM due to SPF hardfail.
Email marketer from StackExchange explains that DMARC is designed to override SPF. If DMARC passes, it doesn't matter if SPF fails (hard or soft). DMARC is the higher authority. DMARC tells the receiving server what to do if SPF or DKIM fails.
What the experts say (1 expert opinion)
Expert from Word to the Wise states that DMARC alignment allows domains to protect themselves from unauthorized use and spoofing by bad actors. A DMARC policy informs mail receivers what to do with messages that fail authentication, offering choices from no action to quarantining or rejecting the messages. This is key for securing email communications.
What the documentation says (3 technical articles)
Documentation from Microsoft explains that DMARC uses the results of SPF and DKIM to determine whether a message is legitimate. If DMARC validation passes, the mail is treated as genuine even if SPF fails, as long as DKIM passes and aligns, or vice versa.
Documentation from DMARC.org explains that DMARC builds upon SPF and DKIM, acting as a policy layer. If DMARC passes (due to either SPF or DKIM alignment), the specific SPF result is less important.
Documentation from Google explains that if an email fails SPF but passes DMARC, the DMARC result takes precedence, and the email is handled according to the DMARC policy.
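The receiver-side decision described across these opinions, as an added example (not code from any of the sources cited above): an SPF "-all" fail is not acted on at MAIL FROM, the message is held until DMARC alignment can be checked against the header From, and only a DMARC fail (or the special "v=spf1 -all" no-mail record from the M3AAWG guidance) leads to rejection. The two-label organizational-domain helper is a constructed stand-in for a public-suffix-list lookup, and the `Message` fields are assumptions for this illustration.

```python
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    """Constructed stand-in for a public-suffix lookup: assumes two-label org domains."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class Message:
    mail_from_domain: str      # RFC5321.MailFrom (Return-Path) domain, seen at MAIL FROM
    header_from_domain: str    # RFC5322.From domain, only available once DATA arrives
    spf_result: str            # "pass", "fail", "softfail" or "none"
    dkim_pass_domains: tuple   # d= domains of DKIM signatures that verified
    spf_record: str            # SPF record published by the MAIL FROM domain


def disposition(msg: Message, dmarc_policy: str, aspf: str = "r", adkim: str = "r") -> str:
    """Return 'reject', 'quarantine' or 'accept' after full DMARC evaluation.

    dmarc_policy is the p= tag of the header From domain's DMARC record
    ('none', 'quarantine', 'reject', or '' when no record is published).
    """
    # The one SPF fail that stands on its own: a domain declaring it sends no mail at all.
    if msg.spf_result == "fail" and msg.spf_record.lower().replace(" ", "") == "v=spf1-all":
        return "reject"
    # DMARC passes when either authenticated identifier aligns with the header From.
    spf_ok = msg.spf_result == "pass" and aligned(msg.mail_from_domain, msg.header_from_domain, aspf)
    dkim_ok = any(aligned(d, msg.header_from_domain, adkim) for d in msg.dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "accept"          # DMARC pass overrides an SPF hardfail
    if dmarc_policy in ("reject", "quarantine"):
        return dmarc_policy      # DMARC fail: follow the domain owner's published policy
    return "accept"              # p=none or no DMARC record: deliver and report only
```

Rejecting at MAIL FROM on the SPF result alone would short-circuit this function before the header From domain, and therefore the DMARC record, is known.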