Thanks to a couple of folks (Jef, Terry), it appears that my issues
are more around DNS than SPF. I have (well, had) three nameservers
in my resolv.conf - the first one is my own server (all on the same
machine) and the other two belong to my upstream ISP.
One a troublesome domain, say, aberystwyth.com, my named responds
to a TXT query quite quickly with SERVFAIL. The ISP's servers
don't - they hang/time out (I've filed a ticket).
Someone appears to be trying my server, not liking the answer, and
then trying the upstream servers. If I comment out the ISP servers
from resolv.conf, things work much better.
I don't consider this an ideal solution - I'd like clients on this
machine to be able to do lookups if my named dies - but it's workable
for now. I took a quick look at various bits of code to see if I
could see who is retrying, but it's not at all obvious...
Now, another issue - I got an SPF bounce that was surprising.
It would appear that mail forwarding across domains doesn't work
quite right with SPF - certainly not as hoped/expected:
Diagnostic-Code: SMTP; 550 5.7.1 <cak(_at_)dimebank(_dot_)com>... Please see
http://spf.pobox.com/why(_dot_)html?sender=cak(_at_)dimebank(_dot_)com&ip=66.80.9.250&receiver=moose.dimebank.com
This is on a piece of mail sent by me to pac(_at_)aratar(_dot_)com(_dot_)
Now, pac's mailbox on ulmo.aratar.com forwards to pac(_at_)dimebank(_dot_)com,
which
comes back to my server. Except that now it looks to spfmilter/libspf
as if ulmo.aratar.com is originating mail from cak(_at_)dimebank(_dot_)com,
which isn't allowed by the TXT record ... so it bounces.
That seems broken - I have to add every host that might forward mail
to my machine? And, it would seem, anyone out there who might have
a forwarding alias somewhere (say, from one big mail system to another)
would have to be entered in many TXT records to allow mail to flow?
Am I missing something obvious here?