That could be. I did have both those options enabled. I guess "best
guess" turns "none" into "pass" or "neutral" depending on whether or
not the IP matches?
From my understanding (and I could be wrong):
Best guess should only turn:
some "none" into
"neutral", "pass", "fail", "softfail", "unknown", or "error"
(normally "pass", if defined as "a/24 mx/24 ptr").
Local policies (including "trusted forwarders") should only be inserted if the
final mechanism is "-all", and should only be inserted after the last
non-failure mechanism. If there is no non-failure mechanism, then it is not
inserted. So, a local policy should only turn:
some "fail" into
"neutral", "pass", "softfail", "unknown", or "error"
(normally "pass", for whitelisting).
If best guess is "a/24 mx/24 ptr", neither of these should turn a "none" into a
"neutral". However, I can imagine how certain implementations might mistakenly
do so.
Michael R. Brumm
(don't forget to save yourself a lot pointless ranting and killfile me)