
SPF: how to cleanly allow Thunderbird mail client

I'm trying to help a user configure their mail server here https://discourse.nixos.org/t/simple-nixos-mailserver-message-rejected-due-to-spf-fail-not-authorized/38067/5, but they get SPF-related errors.

They configured an SPF entry v=spf1 a:mail.gaykitty.lol -all in order to forbid any user from sending an email in the name of gaykitty.lol without going through their email server, which seems to make sense to me. But then they get an SPF error when they use clients like Thunderbird, since the client is not on the same IP address as the server. This error is obtained even before sending the message.

What is the proper way to allow clients to use Thunderbird? I guess one could use +all, but it seems quite dirty as it allows everyone to send emails in the name of gaykitty (at least in my understanding), and such email spoofing is obviously something to avoid. I was also thinking of using:

mailserver.policydSPFExtraConfig = ''
  skip_addresses = 0.0.0.0/32
'';

But I have no idea if this is the correct way to proceed.

My understanding is that:

  1. Thunderbird contacts the web server with credentials
  2. The web server replaces the IP of the client in the email with its own IP
  3. The email is sent with the IP of the web server, passing the SPF check performed by the receiver of the email.

But apparently things are not that simple…

Edited by tobiasBora
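As an added illustration (not part of the issue above, and not code from simple-nixos-mailserver or policyd-spf), the following minimal SPF evaluator shows what a receiving mail server does with the record v=spf1 a:mail.gaykitty.lol -all: it compares the IP address of the host that connects to it against the mechanisms in the record. The DNS answers and the two IP addresses are constructed for the example; the real address of mail.gaykitty.lol is not known here. Only the a, ip4, ip6 and all mechanisms are implemented, which is enough for the records discussed.

```python
import ipaddress

# Constructed DNS table (assumption for the example; no real lookups are performed).
DNS_A = {
    "mail.gaykitty.lol": ["203.0.113.10"],
    "gaykitty.lol": ["203.0.113.10"],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def resolve_a(hostname):
    """Return the A/AAAA addresses for hostname from the constructed table."""
    return DNS_A.get(hostname.lower(), [])


def check_spf(record, client_ip, domain):
    """Evaluate an SPF record against the IP that connected to the receiver.

    Implements the subset 'a', 'a:host', 'ip4:net', 'ip6:net' and 'all' with the
    four qualifiers; any other mechanism yields 'permerror'.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"  # mechanisms without an explicit qualifier mean 'pass'
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "a":
            host = arg or domain
            matched = any(ipaddress.ip_address(a) == ip for a in resolve_a(host))
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = net.version == ip.version and ip in net
        else:
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no 'all' present


def evaluate_scenarios(record):
    """Run the record against the mail server's own IP and a client's home IP."""
    server_ip = "203.0.113.10"   # constructed: the submission/outgoing server
    laptop_ip = "198.51.100.7"   # constructed: where Thunderbird runs
    return {
        "server": check_spf(record, server_ip, "gaykitty.lol"),
        "laptop": check_spf(record, laptop_ip, "gaykitty.lol"),
    }


if __name__ == "__main__":
    strict = "v=spf1 a:mail.gaykitty.lol -all"
    print(strict, evaluate_scenarios(strict))
    permissive = "v=spf1 +all"
    print(permissive, evaluate_scenarios(permissive))
```

With the strict record, mail that leaves from the server's own address passes and mail seen as coming directly from the laptop's address fails, which is the behaviour the record is meant to produce: a receiver only ever needs to see the server's address, so the check is designed for the receiving side, not for the connection between Thunderbird and the submission server. The +all variant returns "pass" for every address, which is exactly why it removes all protection against spoofing.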