I reached out on Twitter while it was still in closed beta and received a quick reply from João Botto (on a weekend!) letting me in and taking on board my feedback. I’m super grateful for that.
This is in stark contrast to the runaround Google Workspace has given me - their catch-all forwarding doesn’t deal with SPF correctly and they’ve stonewalled my attempts to get if fixed or even to say they’ll log an internal bug report. This is disappointing because I upgraded to the paid Business Starter plan (shortly before learning I’d have to anyway) and you have to pay minimum $500/month to get onto a proper support plan.
Cloudflare already beats Google by setting the Return-Path header. However I think using that header is still a bit of a workaround, so I would like to suggest that you look into implementing Authenticated Received Chain (ARC). I could be wrong but I think this is the gold standard that will ensure an email lands with DKIM and SPF (and therefore also DMARC) handled correctly,
From what I can see with test accounts, at least Gmail and Outlook support ARC already.