Thought it best to post this as some people do not understand sometimes when the SPF tool fails (especially if you run an SPF redirect which we do.) or appears to fail.
This is direct from support: "The SPF validator in the Marketo client is pretty primitive - all it does is look up the initial text record and check to see if it has "include:mktomail.com" in it. It doesn't do an actual evaluation of the policy. ... The upshot of this is that your SPF record is good and is working correctly, even though the validator in the Admin panel cannot recognize it. In this case, I would disregard Admin panel's validation failure - it is really only for informational purposes and does not impact the actual functionality of your instance or the deliverability of your emails".
Bottom line is - if you see a pending config but your IT has said its working - believe your IT department as currently the SPF validator is hit and miss!
You SPF also has no meaning at all for Marketo emails that come from username@*.mktomail.com It will not be looked up by the receiving server.
Thank you! We have the same issue (I guess)
We have one SPF record for domain A that redirects to domain B. This domain B has a SPF record with include:mktomail.com.
This worked fine, until recently. We now get the SPF Configuration Error for the redirect, which we can ignore, as I understand correctly 😉