@joao +1 We get bitten by this at work occasionally. IMHO, this is Google/MS misusing the standards. SPF and DKIM are supposed to be used during the SMTP negotiation, so a legitimate sender will get the rejection via "Return-Path:". Also, passing one of SPF or DKIM should be enough. Google does this, but seems to use SPF/DKIM post-delivery for spam filtering and domain listing as well, and requires them both to pass. We emit no spam but still get bitten. It feels like Google is bullying us.