I just got my first message rejection due to a NEUTRAL SPF result (I've
changed the addresses):

    Hi. This is the qmail-send program at relay.host.com.
    I'm afraid I wasn't able to deliver your message to the following addresses.
    This is a permanent error; I've given up. Sorry it didn't work out.

    <localpart(_at_)somecompany(_dot_)com>:
    207.76.105.21 failed after I sent the message.
    Remote host said: neutral

Getting to an SPF PASS is almost impossible for a shared MTA user (e.g.
vanity domain). If this becomes commonplace, my only recourse will be to
pull my SPF records down. The SPF Classic spec says:

    Neutral (?): The SPF client MUST proceed as if a domain did not
    publish SPF data. This result occurs if the domain explicitly
    specifies a "?" value, or if processing "falls off the end" of
    the SPF record.

http://spf.pobox.com/spf-draft-200406.txt

Rejecting on a NEUTRAL result is a violation of the spec and it's going to
hurt SPF as a whole. If someone has published a record that produces a
NEUTRAL result, then they probably have a reason for it. It may be that
they are trying to avoid falsely authorizing e-mails they didn't send (my
reason) or it may be that they are trying to spam you and piggyback on
someone else's ?all record. There's no way you can know without looking at
the message contents (which is what you would do if there was no SPF).

Please, just follow the spec. Many of us depend on it.

Scott Kitterman
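
Added example (not part of the original post, and not code from any SPF implementation): a simplified receiver-side check showing the two ways the quoted spec text says a Neutral result arises, and a policy that then treats Neutral exactly like no SPF record. Only the ip4, ip6 and all mechanisms are handled; the function names, the sample records and the reject-on-fail policy are assumptions made for illustration.

```python
import ipaddress

# Qualifier character -> SPF result name.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate a simplified SPF record against the connecting IP.

    Returns "none" when no SPF record is published, the result of the first
    matching mechanism otherwise, or "neutral" if no mechanism matches.
    """
    terms = record.split() if record else []
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            # Mechanisms that need DNS (a, mx, include, ...) are not modelled.
            matched = False
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # processing "fell off the end" of the record


def disposition(spf_result):
    """Assumed local policy: reject only on fail; neutral is handled as none."""
    if spf_result == "neutral":
        spf_result = "none"  # proceed as if the domain published no SPF data
    if spf_result == "fail":
        return "reject"
    return "continue-normal-filtering"


if __name__ == "__main__":
    # Constructed sample records and documentation-range addresses.
    for rec in ("v=spf1 ip4:192.0.2.0/24 ?all", "v=spf1 ip4:192.0.2.0/24", None):
        result = evaluate_spf(rec, "198.51.100.7")
        print(repr(rec), "->", result, "->", disposition(result))
```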