SPF feedback shows fails for no apparent reason


I do not understand the fail results in the following SPF report.

Why is it that in the <policy_evaluated> section there are fail tags and in the following <auth_results> everything passes?

Here is our SPF record: "v=spf1 mx a include:amazonses.com ~all"

    <?xml version="1.0" encoding="UTF-8" ?>
    <feedback>
      <report_metadata>
        <org_name>google.com</org_name>
        <email>[email protected]</email>
        <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
        <report_id>10168101214609039763</report_id>
        <date_range>
          <begin>1602806400</begin>
          <end>1602892799</end>
        </date_range>
      </report_metadata>
      <policy_published>
        <domain>schlossberlepsch.de</domain>
        <adkim>r</adkim>
        <aspf>r</aspf>
        <p>reject</p>
        <sp>reject</sp>
        <pct>100</pct>
      </policy_published>
      <record>
        <row>
          <source_ip>54.240.48.132</source_ip>
          <count>4</count>
          <policy_evaluated>
            <disposition>none</disposition>
            <dkim>pass</dkim>
            <spf>fail</spf>
          </policy_evaluated>
        </row>
        <identifiers>
          <header_from>schlossberlepsch.de</header_from>
        </identifiers>
        <auth_results>
          <dkim>
            <domain>schlossberlepsch.de</domain>
            <result>pass</result>
            <selector>u32rudoqdsij3cpvxopve4co5vuh4wum</selector>
          </dkim>
          <dkim>
            <domain>amazonses.com</domain>
            <result>pass</result>
            <selector>224i4yxa5dv7c2xz3womw6peuasteono</selector>
          </dkim>
          <spf>
            <domain>amazonses.com</domain>
            <result>pass</result>
          </spf>
        </auth_results>
      </record>
    </feedback>

Answer 1 (best answer)

Finally I understood:

As @synchro pointed out, this documentation is the right direction.

I already met all this, but what I did not know is what Fabi points out here:

Not only do you have to set the MailFrom settings at the domain level, but also for each email address managed by AWS in SES. Something you wouldn't expect, but that's how it goes.

Answer 2

SPF is failing because of alignment. If you check SPF under auth_results you will see the SPF domain is amazonses.com, which is not aligning with your domain. So to align, header_from and SPF domain should match either with the help of the subdomain (Relaxed Alignment) or root domain (Strict Alignment).

To do so you have to head over to Amazon SES, and after selecting your domain you will see the MAIL FROM Domain section. You have to set that up. That will actually change your Return-Path; after that it will be aligned and will start passing.
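The alignment check discussed in the answers, as an added example that is not part of the original posts: it recomputes the `<policy_evaluated>` SPF verdict from `<auth_results>` and `<header_from>`, using the RFC 7489 rule that `aspf=s` requires identical domains and `aspf=r` requires the same organizational domain. The embedded report is constructed: the first record is trimmed from the report above, the second is hypothetical (`mail.schlossberlepsch.de` as a custom MAIL FROM domain), and `org_domain` assumes a two-label organizational domain instead of consulting the Public Suffix List.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Record 1 is trimmed from the report on this page; record 2 is
# hypothetical and shows the same mail once a custom MAIL FROM subdomain is in use.
SAMPLE = """<feedback>
  <policy_published><domain>schlossberlepsch.de</domain><aspf>r</aspf></policy_published>
  <record>
    <row><policy_evaluated><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>schlossberlepsch.de</header_from></identifiers>
    <auth_results><spf><domain>amazonses.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><policy_evaluated><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>schlossberlepsch.de</header_from></identifiers>
    <auth_results><spf><domain>mail.schlossberlepsch.de</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

def org_domain(name):
    # Assumption: the organizational domain is the last two labels (true for .de and
    # .com here). A real evaluator looks this up in the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(header_from, auth_domain, mode):
    # aspf=s: domains must be identical; aspf=r: organizational domains must match.
    a, b = header_from.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def explain_spf(report_xml):
    # Reports come from third parties; for untrusted files use a hardened XML parser.
    root = ET.fromstring(report_xml)
    mode = (root.findtext("policy_published/aspf") or "r").strip()
    rows = []
    for rec in root.iter("record"):
        header_from = rec.findtext("identifiers/header_from").strip()
        spf_domain = rec.findtext("auth_results/spf/domain").strip()
        raw = rec.findtext("auth_results/spf/result").strip()
        ok = aligned(header_from, spf_domain, mode)
        rows.append({"header_from": header_from, "spf_domain": spf_domain,
                     "spf_raw": raw, "aligned": ok,
                     "dmarc_spf": "pass" if raw == "pass" and ok else "fail",
                     "reported": rec.findtext("row/policy_evaluated/spf").strip()})
    return rows

if __name__ == "__main__":
    for row in explain_spf(SAMPLE):
        print(row)
```

A row where `spf_raw` is `pass` but `dmarc_spf` is `fail` is the situation in the question: the envelope sender's domain passed SPF, but it is not the domain in the From header.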