SPF is based on two authenticated identifiers: RFC5321/MAIL-FROM or in the case of bounce messages where the MAIL-FROM is left blank it is based on the RFC5321/HELO-EHLO identifier.
It can be seen that in order to SPF authenticate a bounce message with respect to DMARC the HELO/EHLO hostname of the client has to align with the RFC5321/From address found in an email. This means that your SPF record should include the HELO/EHLO domain in DNS and be configured appropriately.
In cases where it is not possible to align the HELO/EHLO hostname to the From address of an email, DKIM signing can be used where the "d=" domain matches the From domain. Mail flow is often indirect and in those cases DKIM is the preferable protocol to SPF and increases the chances of emails being delivered.