SPF failure

SPF failure

Phil Stracchino
I have mail from one specific domain (handled by Google) being rejected
by pypolicyd-spf because of an apparent DNS lookup problem — 'SPF
Permanent Error: Too many DNS lookups' — but it is not obvious to me
what the problem is, unless it's something to do with having five MX
forwarders to look up.  Only this one domain seems to be affected.  I
can SEND mail to them, but not RECEIVE mail from them.  I have added
forevermetalroofs.com to pypolicyd's domain whitelist, and it didn't help.


Their SPF record is:

forevermetalroof.com descriptive text "v=spf1 a mx
include:websitewelcome.com +include:sendgrid.net ~all"


And here's the log of the last failure:


Jul 15 13:48:59 minbar postfix/postscreen[24844]: CONNECT from
[209.85.160.176]:37644 to [10.24.32.15]:25
Jul 15 13:49:05 minbar postfix/postscreen[24844]: PASS NEW
[209.85.160.176]:37644
Jul 15 13:49:05 minbar postfix/smtpd[25113]: connect from
mail-qt1-f176.google.com[209.85.160.176]
Jul 15 13:49:05 minbar postfix/smtpd[25113]: warning: connect to Milter
service inet:localhost:8891: Connection refused
Jul 15 13:49:05 minbar postfix/smtpd[25113]: Anonymous TLS connection
established from mail-qt1-f176.google.com[209.85.160.176]: TLSv1.2 with
cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jul 15 13:49:05 minbar postfix/smtpd[25113]: NOQUEUE: permit: RCPT from
mail-qt1-f176.google.com[209.85.160.176]: action=permit for Helo
command=mail-qt1-f176.google.com ; from=<[hidden email]>
to=<[hidden email]> proto=ESMTP helo=<mail-qt1-f176.google.com>
Jul 15 13:49:11 minbar policyd-spf[25139]: Starting
Jul 15 13:49:11 minbar policyd-spf[25139]: Config: {'debugLevel': 3,
'HELO_reject': 'SPF_Not_Pass', 'Mail_From_reject': 'SPF_Not_Pass',
'PermError_reject': 'True', 'TempError_Defer': 'True', 'skip_addresses':
'127.0.0.0/8,::ffff:127.0.0.0/104,::1', 'TestOnly': 1,
'SPF_Enhanced_Status_Codes': 'Yes', 'Header_Type': 'SPF',
'Hide_Receiver': 'Yes', 'Authserv_Id': 'minbar', 'Lookup_Time': 20,
'Whitelist_Lookup_Time': 10, 'Void_Limit': 2, 'Reason_Message': 'Message
{rejectdefer} due to: {spf}. Please see {url}', 'No_Mail': False,
'Mock': False, 'Whitelist': '10.24.32.0/20', 'Domain_Whitelist':
'thisistrue.com, forum.thisistrue.com, beefruityandnutty.com,
kimmel.com, novylen.net, pluspora.com, forevermetalroofs.com',
'HELO_Whitelist': 'hades.listmoms.net, panini.novylen.net,
fritter.limelight.ca'}
Jul 15 13:49:11 minbar policyd-spf[25139]: spfcheck: pyspf result:
"['None', '', 'helo']"
Jul 15 13:49:11 minbar policyd-spf[25139]: None; identity=no SPF record;
client-ip=209.85.160.176; helo=mail-qt1-f176.google.com;
envelope-from=[hidden email]; receiver=<UNKNOWN>
Jul 15 13:49:11 minbar policyd-spf[25139]: spfcheck: pyspf result:
"['Permerror', 'SPF Permanent Error: Too many DNS lookups', 'mailfrom']"
Jul 15 13:49:11 minbar policyd-spf[25139]: Permerror; identity=mailfrom;
client-ip=209.85.160.176; helo=mail-qt1-f176.google.com;
envelope-from=[hidden email]; receiver=<UNKNOWN>
Jul 15 13:49:11 minbar policyd-spf[25139]: Action: reject: Text: Message
rejected due to: SPF Permanent Error: Too many DNS lookups. Please see
http://www.openspf.net/Why?s=mfrom;id=deb@...;ip=209.85.160.176;r=<UNKNOWN>
Reject action: 550 5.7.24
Jul 15 13:49:11 minbar policyd-spf[25139]: 550 5.7.24 Message rejected
due to: SPF Permanent Error: Too many DNS lookups. Please see
http://www.openspf.net/Why?s=mfrom;id=deb@...;ip=209.85.160.176;r=<UNKNOWN>
Jul 15 13:49:11 minbar postfix/smtpd[25113]: NOQUEUE: reject: RCPT from
mail-qt1-f176.google.com[209.85.160.176]: 550 5.7.24
<[hidden email]>: Recipient address rejected: Message rejected
due to: SPF Permanent Error: Too many DNS lookups. Please see
http://www.openspf.net/Why?s=mfrom;id=deb@...;ip=209.85.160.176;r=<UNKNOWN>;
from=<[hidden email]> to=<[hidden email]> proto=ESMTP
helo=<mail-qt1-f176.google.com>
Jul 15 13:49:11 minbar postfix/smtpd[25113]: disconnect from
mail-qt1-f176.google.com[209.85.160.176] ehlo=2 starttls=1 mail=1
rcpt=0/1 bdat=0/1 quit=1 commands=5/7
Jul 15 13:50:51 minbar policyd-spf[25139]: Normal exit


It's not clear to me what the problem is here.  Can anyone advise or
point out anything I've missed?



--
  Phil Stracchino
  Babylon Communications
  [hidden email]
  [hidden email]
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958

RE: SPF failure

angelo
When you plug your domain [forevermetalroof.com] in here, you see the "too many lookups" problem explained better:

https://dmarcian.com/spf-survey/

The limit is 10.

-ANGELO FAZZINA

[hidden email]
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-----Original Message-----
From: [hidden email] <[hidden email]> On Behalf Of Phil Stracchino
Sent: Monday, July 15, 2019 2:02 PM
To: [hidden email]
Subject: SPF failure


Re: SPF failure

Bill Cole-3
In reply to this post by Phil Stracchino
On 15 Jul 2019, at 14:02, Phil Stracchino wrote:

> I have mail from one specific domain (handled by Google) being
> rejected
> by pypolicyd-spf because of an apparent DNS lookup problem — 'SPF
> Permanent Error: Too many DNS lookups'

That should not cause rejection. It should be the equivalent of not
having any SPF record or a "neutral" result.

> — but it is not obvious to me
> what the problem is, unless it's something to do with having five MX
> forwarders to look up.

It is, but the 5 GMail MXs are only part of the problem.

An SPF record must not require more than 10 DNS lookups to resolve fully.
See https://tools.ietf.org/html/rfc7208#section-4.6.4. The 5 MX records
eat 5 of those.


> Only this one domain seems to be affected.  I
> can SEND mail to them, but not RECEIVE mail from them.  I have added
> forevermetalroofs.com to pypolicyd's domain whitelist, and it didn't
> help.

I don't know anything about pypolicyd but if it insists on rejecting
mail with a logically neutral SPF result, it's not something I'd want to
know about...

> Their SPF record is:
>
> forevermetalroof.com descriptive text "v=spf1 a

1 lookup for the 'a' mechanism

> mx

5 for the 'mx' mechanism returning 5 records, so we are at 6 total

> include:websitewelcome.com

1 lookup for the include for a running total of 7 so far, BUT now we
need to evaluate what's inside that include:

    include:spf.websitewelcome.com
    include:spf1.websitewelcome.com
    include:spfgwp.websitewelcome.com
    include:_spf.google.com

That's 4 more lookups to be done, so we're dead at 11. Even if that was
not enough, it looks to me like the full resolution of the SPF record
for websitewelcome.com through all of those includes (with layers of
includes within them!) requires *13* DNS lookups, of which I will spare
you the gory details. So anyone with "include:websitewelcome.com" is
going to have a broken SPF record.

Some SPF implementations will accommodate this sort of error and allow
more. I've seen 20 lookups allowed, so we could come in just at the
limit with a lenient tool... BUT:

> +include:sendgrid.net ~all"

BANG. 21


> And here's the log of the last failure:

[...]
> Jul 15 13:49:11 minbar policyd-spf[25139]: Starting
> Jul 15 13:49:11 minbar policyd-spf[25139]: Config: {'debugLevel': 3,
> 'HELO_reject': 'SPF_Not_Pass', 'Mail_From_reject': 'SPF_Not_Pass',

AHA! Config!

> 'PermError_reject': 'True',

I would guess that means that you have *explicitly chosen* to reject
mail when hitting a "PermError."

Don't do that.



--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
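Counting the lookups mechanically, as an added example that is not code from the thread: the script below tallies the six query-causing terms of RFC 7208 section 4.6.4 across the whole include tree, each term counted once (the separate per-mechanism caps on MX and address records are left out). Only forevermetalroof.com's record and the four websitewelcome.com includes come from the thread; the remaining records in MOCK_ZONE are constructed placeholders, so the totals are illustrative rather than the live ones.

```python
"""Tally the DNS-querying terms of an SPF record tree against the RFC 7208
section 4.6.4 limit of 10: 'a', 'mx', 'ptr', 'exists', 'include' and the
'redirect' modifier each count once, and included records add their own."""
from typing import Dict, List, Tuple

LOOKUP_LIMIT = 10
QUERY_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect"}

# Constructed mock zone: only forevermetalroof.com's record and the four
# websitewelcome.com includes come from the thread; the rest are placeholders
# chosen so that websitewelcome.com on its own costs exactly 10 lookups.
MOCK_ZONE: Dict[str, str] = {
    "forevermetalroof.com":
        "v=spf1 a mx include:websitewelcome.com +include:sendgrid.net ~all",
    "websitewelcome.com":
        "v=spf1 include:spf.websitewelcome.com include:spf1.websitewelcome.com "
        "include:spfgwp.websitewelcome.com include:_spf.google.com ~all",
    "spf.websitewelcome.com": "v=spf1 a mx ~all",
    "spf1.websitewelcome.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "spfgwp.websitewelcome.com": "v=spf1 a ~all",
    "_spf.google.com":
        "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com "
        "include:_netblocks3.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:db8::/32 ~all",
    "_netblocks3.google.com": "v=spf1 ip4:203.0.113.0/24 ~all",
    "sendgrid.net": "v=spf1 ip4:192.0.2.128/25 ~all",
}


def split_terms(record: str) -> List[Tuple[str, str]]:
    """Return (name, argument) per term after the v=spf1 tag; the qualifier
    prefix (+ - ~ ?) and any CIDR suffix never affect the lookup count."""
    terms = []
    for raw in record.split()[1:]:
        term = raw.lstrip("+-~?")
        sep = "=" if "=" in term else ":"     # modifiers use '=', mechanisms ':'
        name, _, arg = term.partition(sep)
        terms.append((name.split("/")[0].lower(), arg.split("/")[0]))
    return terms


def count_lookups(domain: str, zone: Dict[str, str],
                  _path: Tuple[str, ...] = ()) -> Tuple[int, List[str]]:
    """Return (total lookups, trace) for the tree rooted at domain. A missing
    record or an include loop raises, as SPF would return permerror; the same
    domain included on two different branches is legal and is counted twice."""
    if domain in _path:
        raise ValueError(f"include/redirect loop at {domain}")
    if domain not in zone:
        raise LookupError(f"no SPF record for {domain}")
    total, trace = 0, []
    for name, arg in split_terms(zone[domain]):
        if name not in QUERY_TERMS:
            continue                           # ip4/ip6/all cost no query
        total += 1
        trace.append(f"{domain}: {name}{':' + arg if arg else ''} (+1)")
        if name in ("include", "redirect"):
            sub_total, sub_trace = count_lookups(arg, zone, _path + (domain,))
            total += sub_total
            trace.extend(sub_trace)
    return total, trace
```

Any total above LOOKUP_LIMIT is what pyspf reports as "Too many DNS lookups", and the trace shows which include branch pushed it over.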

Re: SPF failure

Phil Stracchino
In reply to this post by angelo
On 7/15/19 3:12 PM, Fazzina, Angelo wrote:
> When you plug your domain [forevermetalroof.com] in here you see too many lookups explained better


Yeah, that's what I figured out and several others pointed out.  Looks
like the problem is the company's mail hosting, and their IT guy is
working on it.  For now I've temporarily SPF whitelisted the domain (but
spelled it *correctly* on the second try).



--
  Phil Stracchino
  Babylon Communications
  [hidden email]
  [hidden email]
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958

Re: SPF failure

Phil Stracchino
In reply to this post by Bill Cole-3
On 7/15/19 3:29 PM, Bill Cole wrote:

> On 15 Jul 2019, at 14:02, Phil Stracchino wrote:
>> And here's the log of the last failure:
>
> [...]
>> Jul 15 13:49:11 minbar policyd-spf[25139]: Starting
>> Jul 15 13:49:11 minbar policyd-spf[25139]: Config: {'debugLevel': 3,
>> 'HELO_reject': 'SPF_Not_Pass', 'Mail_From_reject': 'SPF_Not_Pass',
>
> AHA! Config!
>
>> 'PermError_reject': 'True',
>
> I would guess that means that you have *explicitly chosen* to reject
> mail when hitting a "PermError."
>
> Don't do that.

The question that comes to mind here is, if one should not reject mail
based on SPF failures, then what is even the point of checking SPF?


--
  Phil Stracchino
  Babylon Communications
  [hidden email]
  [hidden email]
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958

Re: SPF failure

Michael-4
In reply to this post by Phil Stracchino
According to this site, websitewelcome has 10 lookups on its own:  
https://emailstuff.org/spf/check

The websitewelcome spf record includes the google spf record, so
forevermetalroof.com shouldn't need the mx in their spf.

The emailstuff.org tool has an SPF minimizer that looks interesting. But
including IPs instead of names will make maintaining the record
difficult. Websitewelcome really needs to reduce the lookups in their
record to make life easier on their clients.




On 2019-07-15 2:40 pm, Phil Stracchino wrote:

> On 7/15/19 3:12 PM, Fazzina, Angelo wrote:
>> When you plug your domain [forevermetalroof.com] in here you see too
>> many lookups explained better
>
>
> Yeah, that's what I figured out and several others pointed out.  Looks
> like the problem is the company's mail hosting, and their IT guy is
> working on it.  For now I've temporarily SPF whitelisted the domain
> (but
> spelled it *correctly* on the second try).

Re: SPF failure

Noel Jones-2
In reply to this post by Phil Stracchino
On 7/15/2019 2:44 PM, Phil Stracchino wrote:

> On 7/15/19 3:29 PM, Bill Cole wrote:
>> On 15 Jul 2019, at 14:02, Phil Stracchino wrote:
>>> And here's the log of the last failure:
>>
>> [...]
>>> Jul 15 13:49:11 minbar policyd-spf[25139]: Starting
>>> Jul 15 13:49:11 minbar policyd-spf[25139]: Config: {'debugLevel': 3,
>>> 'HELO_reject': 'SPF_Not_Pass', 'Mail_From_reject': 'SPF_Not_Pass',
>>
>> AHA! Config!
>>
>>> 'PermError_reject': 'True',
>>
>> I would guess that means that you have *explicitly chosen* to reject
>> mail when hitting a "PermError."
>>
>> Don't do that.
>
> The question that comes to mind here is, if one should not reject mail
> based on SPF failures, then what is even the point of checking SPF?
>
>

Please distinguish between "SPF check failed because this is not an
authorized IP" and "SPF could not be checked because of a malformed
record or infrastructure failure".   This is the latter, and the
reasonable action is to ignore the SPF record.



   -- Noel Jones

Re: SPF failure

Phil Stracchino
On 7/15/19 4:08 PM, Noel Jones wrote:
> On 7/15/2019 2:44 PM, Phil Stracchino wrote:
>>
>> The question that comes to mind here is, if one should not reject mail
>> based on SPF failures, then what is even the point of checking SPF?
>
> Please distinguish between "SPF check failed because this is not an
> authorized IP" and "SPF could not be checked because of a malformed
> record or infrastructure failure".   This is the latter, and the
> reasonable action is to ignore the SPF record.


That's a good point.  I hadn't thought about it that way.


--
  Phil Stracchino
  Babylon Communications
  [hidden email]
  [hidden email]
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958

Re: SPF failure

Bill Cole-3
In reply to this post by Phil Stracchino
On 15 Jul 2019, at 15:44, Phil Stracchino wrote:

> On 7/15/19 3:29 PM, Bill Cole wrote:
>> On 15 Jul 2019, at 14:02, Phil Stracchino wrote:
>>> And here's the log of the last failure:
>>
>> [...]
>>> Jul 15 13:49:11 minbar policyd-spf[25139]: Starting
>>> Jul 15 13:49:11 minbar policyd-spf[25139]: Config: {'debugLevel': 3,
>>> 'HELO_reject': 'SPF_Not_Pass', 'Mail_From_reject': 'SPF_Not_Pass',
>>
>> AHA! Config!
>>
>>> 'PermError_reject': 'True',
>>
>> I would guess that means that you have *explicitly chosen* to reject
>> mail when hitting a "PermError."
>>
>> Don't do that.
>
> The question that comes to mind here is, if one should not reject mail
> based on SPF failures, then what is even the point of checking SPF?

A test of SPF can have exactly one out of a fixed set of 7 possible
results. A "PermError" result is not a "Fail" result, it's a technical
error. It is formally impossible to know whether the sending domain
intended to authorize the client IP or not, because SPF does not allow a
full resolution of the record as returned by DNS. It's the equivalent of
a meteor strike destroying an athletic arena: there's not a 'win' or a
'lose' for anyone.

BUT: to the actual point of the question, a lot of people (including me)
do not use any particular SPF result to make an absolute decision on
accepting or rejecting mail without checking other factors. An explicit
SPF "Fail" is so rare these days for mail that gets past postscreen that
it is more likely to be a mistake by the domain owner or an innocent
transparent forward of mail than an attempted forgery. Instead, I use
SPF Pass as a lightweight component of whitelisting, using
SpamAssassin's whitelist_auth mechanism, and SPF Fail is just a strong
but non-fatal SA rule, and SoftFail as a weaker rule. All of the other
results are best handled as identical: useless.


--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
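As an added example (not code from the thread), the script below applies the distinction Noel and Bill draw to the log format from the original post: it parses policyd-spf's "pyspf result" lines, maps each of the seven results to an action in which only Pass, Fail and SoftFail carry weight and PermError is ignored, and flags any reject that followed a non-verdict result. The pid 25139 lines are the thread's own, unwrapped; the pid 25140 lines and the "score-strong"/"score-weak" action names are constructed.

```python
"""Audit policyd-spf log lines: keep genuine SPF verdicts apart from 'could
not evaluate' outcomes and flag rejections that a PermError caused."""
import re
from typing import Dict, List, Tuple

# RFC 7208 defines exactly seven results. Pass, Fail, SoftFail and Neutral are
# verdicts on the client IP; None, TempError and PermError mean "no answer".
NO_VERDICT = {"none", "temperror", "permerror"}

# Policy the thread arrives at: score Fail/SoftFail rather than bounce on them,
# defer only on transient DNS trouble, ignore whatever is not a verdict.
ACTIONS = {"pass": "accept", "fail": "score-strong", "softfail": "score-weak",
           "neutral": "ignore", "none": "ignore", "permerror": "ignore",
           "temperror": "defer"}

RESULT_RE = re.compile(
    r"policyd-spf\[(?P<pid>\d+)\]: spfcheck: pyspf result: "
    r"\"\['(?P<result>\w+)', '(?P<reason>[^']*)', '(?P<identity>\w+)'\]\"")
REJECT_RE = re.compile(r"policyd-spf\[(?P<pid>\d+)\]: Action: reject:")

# Sample input: the pid 25139 lines are the original post's, unwrapped; the
# pid 25140 lines are constructed to show a rejection that SPF did justify.
SAMPLE_LOG = """\
Jul 15 13:49:11 minbar policyd-spf[25139]: spfcheck: pyspf result: "['None', '', 'helo']"
Jul 15 13:49:11 minbar policyd-spf[25139]: spfcheck: pyspf result: "['Permerror', 'SPF Permanent Error: Too many DNS lookups', 'mailfrom']"
Jul 15 13:49:11 minbar policyd-spf[25139]: Action: reject: Text: Message rejected due to: SPF Permanent Error: Too many DNS lookups.
Jul 15 14:02:30 minbar policyd-spf[25140]: spfcheck: pyspf result: "['Fail', 'SPF fail - not authorized', 'mailfrom']"
Jul 15 14:02:30 minbar policyd-spf[25140]: Action: reject: Text: Message rejected due to: SPF fail - not authorized.
"""


def recommended_action(result: str) -> str:
    """Map one of the seven SPF results (any capitalisation) to an action."""
    key = result.lower()
    if key not in ACTIONS:
        raise ValueError(f"not one of the seven SPF results: {result!r}")
    return ACTIONS[key]


def audit(log: str) -> Tuple[Dict[str, List[Tuple[str, str, str]]], List[str]]:
    """Return {pid: [(identity, result, reason), ...]} and the pids whose reject
    action followed a non-verdict result: a bounce the local config chose
    (PermError_reject) rather than one the sending domain's policy called for."""
    results: Dict[str, List[Tuple[str, str, str]]] = {}
    unjustified: List[str] = []
    for line in log.splitlines():
        m = RESULT_RE.search(line)
        if m:
            results.setdefault(m["pid"], []).append(
                (m["identity"], m["result"].lower(), m["reason"]))
            continue
        m = REJECT_RE.search(line)
        if m:
            checks = results.get(m["pid"], [])
            # In these logs the reject follows the last check logged (mailfrom).
            if checks and checks[-1][1] in NO_VERDICT:
                unjustified.append(m["pid"])
    return results, unjustified
```

Running audit over a day of mail.log shows how many bounces a PermError_reject=True setting produced that no sender policy asked for.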

Re: SPF failure

Phil Stracchino
On 7/15/19 4:56 PM, Bill Cole wrote:
> On 15 Jul 2019, at 15:44, Phil Stracchino wrote:

>> The question that comes to mind here is, if one should not reject mail
>> based on SPF failures, then what is even the point of checking SPF?
>
> A test of SPF can have exactly one out of a fixed set of 7 possible
> results. A "PermError" result is not a "Fail" result, it's a technical
> error.


AAAAAAAAAH.  I had not internalized that distinction.

Thanks, that clarifies it perfectly.


> BUT: to the actual point of the question, a lot of people (including me)
> do not use any particular SPF result to make an absolute decision on
> accepting or rejecting mail without checking other factors. An explicit
> SPF "Fail" is so rare these days for mail that gets past postscreen that
> it is more likely to be a mistake by the domain owner or an innocent
> transparent forward of mail than an attempted forgery. Instead, I use
> SPF Pass as a lightweight component of whitelisting, using
> SpamAssassin's whitelist_auth mechanism, and SPF Fail is just a strong
> but non-fatal SA rule, and SoftFail as a weaker rule. All of the other
> results are best handled as identical: useless.

Noted.  Thanks for the insight.



--
  Phil Stracchino
  Babylon Communications
  [hidden email]
  [hidden email]
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958

Re: SPF failure

@lbutlr
In reply to this post by Phil Stracchino
On 15 Jul 2019, at 13:44, Phil Stracchino <[hidden email]> wrote:

>
> On 7/15/19 3:29 PM, Bill Cole wrote:
>> On 15 Jul 2019, at 14:02, Phil Stracchino wrote:
>>> And here's the log of the last failure:
>>
>> [...]
>>> Jul 15 13:49:11 minbar policyd-spf[25139]: Starting
>>> Jul 15 13:49:11 minbar policyd-spf[25139]: Config: {'debugLevel': 3,
>>> 'HELO_reject': 'SPF_Not_Pass', 'Mail_From_reject': 'SPF_Not_Pass',
>>
>> AHA! Config!
>>
>>> 'PermError_reject': 'True',
>>
>> I would guess that means that you have *explicitly chosen* to reject
>> mail when hitting a "PermError."
>>
>> Don't do that.
>
> The question that comes to mind here is, if one should not reject mail
> based on SPF failures, then what is even the point of checking SPF?

An SPF fail result is not the same thing as “I failed to check SPF”



--
IT'S POTATO, NOT POTATOE Bart chalkboard Ep. 7F01