Addendum: You need to set a strict dmarc policy for the checks to fail. Interestingly, the sites will tell you all three are correct and valid, but still fail the mail.. This is probably due to different pieces of software doing the dns record checking and the email validation.