When adding a new vendor it is not unusual for the vendor to have an automated process to verify that the SPF and/or DKIM settings are properly configured on the sending domain. In most cases, this is simply a text match that is looking for a specific SPF include mechanism or specific DKIM key.
In general, DKIM verification is not a problem but there are occasionally difficulties with getting SPF validated. Since the vendor is doing a simple text match, they will not properly parse the Enforce Macros and will fail validation.
There are several approached we can take to this. The first is to make contact with the vendor and ask them to bypass their verification process. In many cases, this will need to be escalated within the vendor.
The second method is to temporarily add the vendor's SPF include to the end of the SPF record as shown in the example below, perform the verification and then remove the vendor include. Since Instant SPF will return the proper SPF response for the service, the service will continue to authenticate via SPF after the include is removed.
v=spf1 include:domain.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email include:vendor.com ~all
There is one outlier to this approach that has been identified. The service StatusPage periodically does re-verification of the SPF include so if you are using StatusPage, you will need to add the StatusPage include to the end of the SPF record (as shown below) and leave it there.
v=spf1 include:domain.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email include:stspg-customer.com ~all