DMARC is reporting that a small fraction of our emails originate from google, microsoft, and some other providers.
DMARC is also reporting that a good chunk of those emails fail both SPF and DKIM, and therefore fail DMARC.
We don't use those providers to send emails, so guessing those stats reflect forwarded emails and spoofs.
Obviously SPF would fail for forwarded and spoof emails, but is it possible some legit DKIM headers get mangled in transit?
Question,
Does it make sense to include google and microsoft's SPF hosts in our SPF record to help pass DMARC for those forwarded emails, even if we don't use them to send emails?
I'm reluctant to do that as it's against the spirit of SPF and will help spoofers.
Or can we be pretty certain that those failed DMARCs reflect spoofs and in most forwarding cases DKIM headers are passed around intact?
Absolutely not. Sounds like SPF/DKIM/DMARC are working exactly as intended for you.
Your SPF record should only include hosts that you actually use to send from using your domain.
Those reports showing Microsoft and Google source emails almost certainly relate to spam messages that are using those services, so the last thing you want is for 3rd parties to receive spam email "from" your domain, do lookups on your SPF record and then accept those messages because your DNS records tell them it must be legitimate.
The only other scenario I can think of is if someone in (or working for) your organisation is using a Microsoft / Google service without your knowledge, and sending email using one of those services. In which case for now they'll fail to be delivered until they inform IT what they're doing so you can add the appropriate record. But I'd never go adding SPF records based on DMARC reports, only when I KNOW that legitimate emails really are coming from there.
Also note, forwarded emails wouldn't cause that scenario as that's not how forwarding works, unless a user was stupid enough to get their email from your domain forwarded to say their Google account, AND then set the Google account to forward emails elsewhere as well. But forwarding like that isn't recommended, and IMHO if those emails don't reach the intended recipient that's an issue for the person poorly setting up forwarding, not you and your entire organisation.
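A defender-side way to triage the reports the question describes, as an added example that is not part of the original thread: it parses a constructed, trimmed DMARC aggregate (rua) report and buckets each record by the aligned DKIM/SPF results in policy_evaluated, so messages where DKIM survived forwarding (which pass DMARC regardless of SPF) are separated from the both-fail records that the answer attributes to spam rather than to a missing SPF entry. The report contents, IPs and counts are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of a DMARC aggregate (rua) report, reduced to the
# fields the triage uses. IPs are documentation ranges; counts are made up.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>4</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.9</source_ip><count>31</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def classify(dkim: str, spf: str) -> str:
    """Map the aligned DKIM/SPF results of one record to a triage bucket."""
    if dkim == "pass" and spf == "pass":
        return "authorized"       # your own sender, fully aligned
    if dkim == "pass":
        return "forwarded"        # SPF broke in transit, DKIM survived: DMARC still passes
    if spf == "pass":
        return "spf_only"         # aligned SPF but no valid DKIM: check signing on that host
    return "unauthenticated"      # both failed: spoof, or DKIM mangled by a modifying relay

def triage(report_xml: str) -> dict:
    """Sum message counts per bucket and list source IPs that failed both checks."""
    root = ET.fromstring(report_xml)
    counts = Counter()
    failed_sources = set()
    for rec in root.iter("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        # policy_evaluated holds the aligned (DMARC-relevant) results, not raw auth_results
        bucket = classify(ev.findtext("dkim", "fail"), ev.findtext("spf", "fail"))
        counts[bucket] += int(row.findtext("count", "0"))
        if bucket == "unauthenticated":
            failed_sources.add(row.findtext("source_ip"))
    return {"counts": dict(counts), "unauthenticated_ips": sorted(failed_sources)}

if __name__ == "__main__":
    print(triage(SAMPLE_RUA))
```

Only the "unauthenticated" bucket corresponds to the failures in the question; the "forwarded" bucket already passes DMARC and needs no SPF change.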
Keep your SPF record as simple as possible—don’t overcrowd it with too many authorized sending sources. Loading your SPF record with multiple hosts can result in errors, causing email receivers to ignore your messages. This can affect your sender reputation and deliverability rates.