Roger Moser wrote:
"v=spf1 -include:xyz.com +all" changes 'pass' into a 'fail'
So far it's clear.
and changes 'fail', 'softfail', 'neutral' amd 'none' into a
'pass'.
Actually it doesn't, the evaluation simply continues after the
"-include:x" reaching "+all", and that's of course a PASS.
But for "none" (inclusion of a domain without SPF record) the
final result is "none", because the evaluation is aborted,
If you have "v=spf1 -include:xyz.com ?all" and the evaluation
of xyz.com results in FAIL / SOFTFAIL / NEUTRAL, then it's no
match and no problem, therefore the final result is NEUTRAL
by the matching "?all" at the end.
My desire: "include" should be really an include, the result
should be the result of the included SPF record, and
"include" must not have a prefix. If that cannot be changed
anymore, the maybe we should add a "sub:domain-spec" command.
Yes, there's a problem with "include:". A modifier "include="
could be clearer, but unfortunately the modifiers are always
evaluated after all mechanisms (redirect= instead of -all etc.)
Because the position of modifiers is irrelevant, it had to be
a mechanism "include:" instead of "include=". And mechanisms
have a prefix (default +) and their own semantics, in the case
of "include:" it's "match PASS or catch error, else continue".
Obviously too late, but a better name for "include:" could have
been "match:". Or "pass:". Bye, Frank