So why doesn't Intuit just create it's own _spf.intuit.com TXT record in its DNS server that all your customers can just add an "include" in their own domain SPF record? That way you would own and control your own list of (approx) 30 servers that send out mail for your clients. You could swap out and in new hostnames based on your capacity and system changes and just update your own record once and mitigate customer frustration.
Other benefits include not wasting your staff resources to respond to these sorts of emails and not wasting the time and energy of your customers in trying to explain the problems. It's just what good companies do for their clients.
I understand that SPF and DKIM records are new addition to the email security methodology for all of us but the problem is just going to get worse unless it's managed proactively.
And @rob-wilde, if you also include a DMARC record in your DNS zone with your email in the rua parameter, I believe you should get an aggregated list (depending on my mail service provider) of which messages have failed because of a failed SPF lookup. You can then verify and if necessary add these to your SPF record. Mine come in a .zip file so I had to modify my filter rules to permit DMARC reports with a ZIP file.
