From the RFC https://tools.ietf.org/html/rfc7208
'The "include" mechanism makes it possible for one domain to designate multiple administratively independent domains. For example, a vanity domain "example.net" might send mail using the servers of administratively independent domains example.com and example.org. Example.net could say IN TXT "v=spf1 include:example.com include:example.org -all" This would direct check_host() to, in effect, check the records of example.com and example.org for a "pass" result. Only if the host were not permitted for either of those domains would the result be "fail". Whether this mechanism matches, does not match, or returns an exception depends on the result of the recursive evaluation of check_host():' So it's possible that the 'hard fail' in the aspmx.sailthru.com SPF is causing the bounce Cheers Jodi ----- Original Message ----- From: "Jean-Francois Pirus" <jfp(a)clearfield.com> To: "Paul Willard" <paul+nznog(a)mgmt.loudas.com>, nznog(a)list.waikato.ac.nz Sent: Tuesday, February 21, 2017 3:02:15 PM Subject: Re: [nznog] Xtra and SPF Here's an example of an Xtra bounces which looks like soft fail but which includes a hard fail. So I'm assuming that a hard fail anywhere takes precedence, does anybody know the rules, I could not find any references. sailthru.com. 10800 IN TXT "v=spf1 include:aspmx.sailthru.com include:_spf.google.com include:_netblocks.zdsys.com ~all" aspmx.sailthru.com. 900 IN TXT "v=spf1 ip4:64.34.47.128/27 ip4:64.34.57.192/26 ip4:65.39.215.0/24 ip4:192.64.236.0/24 ip4:192.64.237.0/24 ip4:173.228.155.0/24 ip4:192.64.238.0/24 ip4:204.153.121.0/24 -all" _netblocks.zdsys.com. 54000 IN TXT "v=spf1 ip4:192.161.144.0/20 ip4:185.12.80.0/22 ip4:96.46.150.192/27 ip4:174.137.46.0/24 ip4:188.172.128.0/20 ip4:216.198.0.0/18 ~all" _spf.google.com. 55 IN TXT "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all" On 21/02/17 14:17, Paul Willard wrote:
I'm getting mail bouncing with ~all spf record soft fail .. and xtra (actually smx) are rejecting.
Could be that they don't like me :)
On Wed, Feb 8, 2017 at 3:57 PM, Brian E Carpenter <brian.e.carpenter(a)gmail.com <mailto:brian.e.carpenter(a)gmail.com>> wrote:
On 08/02/2017 15:34, Mark Foster wrote: ... > Someone mentioned mailing lists; decent ones rewrite the envelope and > don't break SPF.
Or rather, are not broken by SPF. Unfortunately, the same is not true of DMARC. There's still no good solution for lists or forwarders that are broken by DMARC. Glen, I fear that DMARC problems are in your future.
Brian
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz <mailto:NZNOG(a)list.waikato.ac.nz> https://list.waikato.ac.nz/mailman/listinfo/nznog <https://list.waikato.ac.nz/mailman/listinfo/nznog>
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz https://list.waikato.ac.nz/mailman/listinfo/nznog
-- Jean-Francois Pirus | Technical Manager francois(a)clearfield.com | Mob +64 21 640 779 | DDI +64 9 282 3401 Clearfield Software Ltd | Ph +64 9 358 2081 | www.clearfield.com _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz https://list.waikato.ac.nz/mailman/listinfo/nznog