I've been encountering DMARC SPF failures involving valid amazonses.com IP addresses. Despite conducting online checks, which consistently return positive results for the domain and IP, the issue persists.
SPF Record:
Type: TXT Record
Host: @
Value: v=spf1 mx a:mail.removed.com include:amazonses.com ~all
TTL: 5 min
DMARC Record:
Type: TXT Record
Host: _dmarc
Value: v=DMARC1; p=none; sp=none; rua=mailto:dmarca@removed.com; ruf=mailto:dmarcf@removed.com; fo=1;
TTL: 5 min
Report domain: removed.com Submitter: google.com Report-ID: 12465985587323400066
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
<report_metadata>
<org_name>google.com</org_name>
<email>noreply-dmarc-support@google.com</email>
<extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
<report_id>12465985587323400066</report_id>
<date_range>
<begin>1719446400</begin>
<end>1719532799</end>
</date_range>
</report_metadata>
<policy_published>
<domain>removed.com</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>none</p>
<sp>none</sp>
<pct>100</pct>
<np>none</np>
</policy_published>
<record>
<row>
<source_ip>23.249.218.18</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>removed.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>removed.com</domain>
<result>pass</result>
<selector>7f6dpaur5ahbp7h5ihilmzyre5fq4p22</selector>
</dkim>
<dkim>
<domain>amazonses.com</domain>
<result>pass</result>
<selector>pgxy5mtxzx6eoyytua4nvvg26jbuf6lj</selector>
</dkim>
<spf>
<domain>eu-west-2.amazonses.com</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
</feedback>
The ARIN WHOIS data confirms the failed SPF source IP belongs to Amazon Web Services.
NetRange: 23.249.208.0 - 23.249.223.255
CIDR: 23.249.208.0/20
NetName: AWSEMAIL
NetHandle: NET-23-249-208-0-1
Parent: NET23 (NET-23-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS16509
Organization: Amazon Web Services, Inc. (AMAZO-22)
RegDate: 2018-10-11
Updated: 2019-03-29
Running a dig txt amazonses.com +short command returns:
"yahoo-verification-key=OL6T0cZm2ykeymVyCj7mnvnTL3zAtLwrRXGAgBFtvFw="
"google-site-verification=aOJq8aXEtCO23r176f6iOTGt-RVuPv81XPtBuIzRTx0"
"v=spf1 ip4:199.255.192.0/22 ip4:199.127.232.0/22 ip4:54.240.0.0/18 ip4:69.169.224.0/20 ip4:23.249.208.0/20 ip4:23.251.224.0/19 ip4:76.223.176.0/20 ip4:54.240.64.0/19 ip4:54.240.96.0/19 ip4:76.223.128.0/19 ip4:216.221.160.0/19 ip4:206.55.144.0/20 -all"
"mailru-verification: 71ab435de908d6ed"
The SPF record includes the IP range 23.249.208.0/20, which encompasses 23.249.218.18. Despite online SPF checks validating this, DMARC reports indicate failure. The issue has persisted from 18 June 2024 to today.
The DMARC reports cite several IPs within this range:
<row>
<source_ip>23.249.218.13</source_ip>
<source_ip>23.249.218.14</source_ip>
<source_ip>23.249.218.17</source_ip>
<source_ip>23.249.218.18</source_ip>
These reports originate from Google, Mimecast, Yahoo, Outlook, and others.
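The aggregate report above carries two SPF verdicts per record: the raw result in `<auth_results>` and the DMARC verdict in `<policy_evaluated>`, which counts SPF only when the SPF-checked domain aligns with `header_from` under the published `aspf` mode. The following is an added example, not part of the original post, that recomputes both from the XML. The embedded report is a constructed, trimmed copy of the record above, and `org_domain` is a simplifying assumption (last two labels rather than a Public Suffix List lookup).

```python
import xml.etree.ElementTree as ET

# Constructed sample: the single record from the report above, trimmed.
REPORT = """<feedback>
<policy_published><domain>removed.com</domain><adkim>r</adkim><aspf>r</aspf></policy_published>
<record>
<row><source_ip>23.249.218.18</source_ip>
<policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>removed.com</header_from></identifiers>
<auth_results>
<dkim><domain>removed.com</domain><result>pass</result></dkim>
<dkim><domain>amazonses.com</domain><result>pass</result></dkim>
<spf><domain>eu-west-2.amazonses.com</domain><result>pass</result></spf>
</auth_results>
</record>
</feedback>"""

def org_domain(name):
    # Assumption: last two labels; production code needs the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from, mode):
    # mode "s" = strict (exact match); anything else = relaxed (same org domain)
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)

def dmarc_result(checks, header_from, mode):
    # A mechanism counts for DMARC only if it passed AND its domain aligns.
    ok = any(r == "pass" and d and aligned(d, header_from, mode) for d, r in checks)
    return "pass" if ok else "fail"

def explain(report_xml):
    root = ET.fromstring(report_xml)
    aspf = root.findtext("policy_published/aspf") or "r"
    adkim = root.findtext("policy_published/adkim") or "r"
    out = []
    for rec in root.iter("record"):
        hf = rec.findtext("identifiers/header_from")
        pairs = lambda tag: [(e.findtext("domain"), e.findtext("result"))
                             for e in rec.findall("auth_results/" + tag)]
        out.append({"source_ip": rec.findtext("row/source_ip"),
                    "spf_raw": pairs("spf"),
                    "spf_dmarc": dmarc_result(pairs("spf"), hf, aspf),
                    "dkim_dmarc": dmarc_result(pairs("dkim"), hf, adkim),
                    "reported_spf": rec.findtext("row/policy_evaluated/spf")})
    return out

if __name__ == "__main__":
    print(explain(REPORT))
```

For this record the recomputed `spf_dmarc` matches the reported `fail` while `spf_raw` shows a pass for `eu-west-2.amazonses.com`, and `dkim_dmarc` passes through the `removed.com` signature.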