>From the RFC https://tools.ietf.org/html/rfc7208

'The "include" mechanism makes it possible for one domain to designate
�� ��multiple administratively independent domains.�� For example, a vanity
�� ��domain "example.net" might send mail using the servers of
�� ��administratively independent domains example.com and example.org.

�� ��Example.net could say

�� �� �� IN TXT "v=spf1 include:example.com include:example.org -all"

�� ��This would direct check_host() to, in effect, check the records of
�� ��example.com and example.org for a "pass" result.�� Only if the host
�� ��were not permitted for either of those domains would the result be
�� ��"fail".

�� ��Whether this mechanism matches, does not match, or returns an
�� ��exception depends on the result of the recursive evaluation of
�� ��check_host():'



So it's possible that the 'hard fail' in the aspmx.sailthru.com SPF is causing the bounce

Cheers
Jodi

----- Original Message -----
From: "Jean-Francois Pirus" <jfp@clearfield.com>
To: "Paul Willard" <paul+nznog@mgmt.loudas.com>, nznog@list.waikato.ac.nz
Sent: Tuesday, February 21, 2017 3:02:15 PM
Subject: Re: [nznog] Xtra and SPF

Here's an example of an Xtra bounces which looks like soft fail but
which includes a hard fail.

So I'm assuming that a hard fail anywhere takes precedence, does anybody
know the rules, I could not find any references.

sailthru.com.�� �� �� �� �� ��10800�� ��IN�� �� �� TXT�� �� ��"v=spf1 include:aspmx.sailthru.com
include:_spf.google.com�� include:_netblocks.zdsys.com ~all"

aspmx.sailthru.com.�� �� ��900�� �� ��IN�� �� �� TXT�� �� ��"v=spf1 ip4:64.34.47.128/27
ip4:64.34.57.192/26 ip4:65.39.215.0/24 ip4:192.64.236.0/24
ip4:192.64.237.0/24 ip4:173.228.155.0/24 ip4:192.64.238.0/24
ip4:204.153.121.0/24 -all"

_netblocks.zdsys.com.�� ��54000�� ��IN�� �� �� TXT�� �� ��"v=spf1 ip4:192.161.144.0/20
ip4:185.12.80.0/22 ip4:96.46.150.192/27 ip4:174.137.46.0/24
ip4:188.172.128.0/20 ip4:216.198.0.0/18 ~all"

_spf.google.com.�� �� �� �� 55�� �� �� IN�� �� �� TXT�� �� ��"v=spf1 include:_netblocks.google.com
include:_netblocks2.google.com include:_netblocks3.google.com ~all"



On 21/02/17 14:17, Paul Willard wrote:
> I'm getting mail bouncing with ~all spf record
> soft fail .. and xtra (actually smx) are rejecting.
>
> Could be that they don't like me :)
>
> On Wed, Feb 8, 2017 at 3:57 PM, Brian E Carpenter
> <brian.e.carpenter@gmail.com <mailto:brian.e.carpenter@gmail.com>> wrote:
>
>�� �� ��On 08/02/2017 15:34, Mark Foster wrote:
>�� �� ��...
>�� �� ��> Someone mentioned mailing lists; decent ones rewrite the envelope and
>�� �� ��> don't break SPF.
>
>�� �� ��Or rather, are not broken by SPF. Unfortunately, the same is not true
>�� �� ��of DMARC. There's still no good solution for lists or forwarders that
>�� �� ��are broken by DMARC. Glen, I fear that DMARC problems are in your
>�� �� ��future.
>
>�� �� �� ��Brian
>
>�� �� ��_______________________________________________
>�� �� ��NZNOG mailing list
>�� �� ��NZNOG@list.waikato.ac.nz <mailto:NZNOG@list.waikato.ac.nz>
>�� �� ��https://list.waikato.ac.nz/mailman/listinfo/nznog
>�� �� ��<https://list.waikato.ac.nz/mailman/listinfo/nznog>
>
>
>
>
> _______________________________________________
> NZNOG mailing list
> NZNOG@list.waikato.ac.nz
> https://list.waikato.ac.nz/mailman/listinfo/nznog
>

--
Jean-Francois Pirus | Technical Manager
francois@clearfield.com | Mob +64 21 640 779 | DDI +64 9 282 3401

Clearfield Software Ltd | Ph +64 9 358 2081 | www.clearfield.com
_______________________________________________
NZNOG mailing list
NZNOG@list.waikato.ac.nz
https://list.waikato.ac.nz/mailman/listinfo/nznog
_______________________________________________
NZNOG mailing list
NZNOG@list.waikato.ac.nz
https://list.waikato.ac.nz/mailman/listinfo/nznog