SPF result is “neutral”

I have figured it out. Not surprisingly, it was me misinterpreting the report, not Google getting their DMARC implementation wrong :)

The SPF result in the policy evaluated section that I was being confused by (copy posted in OP) is the DMARC evaluated SPF result after considering alignment.

This quote here explains the issue:

Please note that the SPF and DKIM results in the auth_results are raw results, regardless of Identifier Alignment; he results of the DMARC evaluation with Identifier Alignment are in the policy_evaluated section.

I checked the rest of the record and found that the raw results for the same record were, correctly, SPF pass.

So, what the DMARC report was telling me was that, while the SPF result was indeed from outlook.com (and hence was a raw 'pass') the return path header did not match my sending domain, which produces a DMARC evaluation SPF fail. Another reference here.

Basically, do not attempt to read the XML reports directly - they are hard for humans! I found this DMARC xml parser which does a fabulous job of allowing you to clearly see what the DMARC report is trying to tell you.

Your SPF record for the sending domain should read something like "v=spf1 a mx include:_spf.example.com ~all". Replace "_spf.example.com" with the domain for your vendor's SPF record. If they don't have one, switch vendors. Specify IP addresses if you need them as "ipv4:192.0.2.4" or "ipv4:192.0.2.64/28".

I would recommend SPF records for all your domains. Use "v=spf1 a -all" for your mail server domains and "v=spf1 -all" for all other domains not used in email addresses. The mail server domain should not be appearing in email addressses so it won't have an MX record. But the mail server will be sending mail so it needs the A record to allow host validationn to succeed. (Host valiation is a secondary use of SPF records and is used to verify that the mail server is allowed to send email rather than verifying the email address.)

Consider using a separate domain for email addresses in mail sent by your 3rd party mailer. It should have the appropriate SPF record which might not include your mail server. You can then shorten your SPF record for your domain to "v=spf1 a ~all".

I do recommend that you get to the point where you can use "-all" on the domain you use for corporate communications as soon as possible.

You should also look at implementing DKIM and DMARC as well. Once you have DMARC running you can get automated feedback on your reputation from several large email sites.