DMARC does NOT require SPF alignment!
Again, DMARC does NOT require SPF alignment!
From the DMARC RFC7489:
Identifier Alignment: When the domain in the RFC5322.From address
matches a domain validated by SPF or DKIM (or both), it has
Identifier Alignment.
(For reference, the RFC5322.From address is the actual "from" address that the email client shows a user.)
All you need is DKIM for DMARC to work
Once you setup dkim with gsuite, then you don't need to worry about the SPF on domain aliases.
Summary
Go to gsuite, setup dkim for all of your domains, add your dmarc dns records to all of your domains, and that's it.
Read More
For a pretty picture of the whole thing and a complete description that actually makes sense, please see Ivan Kovachev's excellent writeup - All you need to know about SPF, DKIM and DMARC
P.S. What about the "require=" attribute?
It makes no difference if you add this. It's never read or used. It adds an extra hop (alias.domain -> primary.domain -> _spf.google.com).
Why? The recipient email server only checks SPF for the address in the return-path. When Gsuite sends email from a domain alias, it uses the primary domain in the return-path. Therefore, the recipient email server only checks the SPF record for the primary domain. It never looks at the domain alias's SPF record.
Do you need an SPF record on the domain alias?
Yes. It will protect your alias from abuse. It won't affect DMARC or mail delivery.