If no matching records are returned for the <domain;>, the SPF client
MUST find the Zone Cut as defined in [RFC2181] section 6 and repeat
the above steps. The <domain>'s zone origin is then searched for SPF
records. If an SPF record is found at the zone origin, the <domain>
is set to the zone origin as if a "redirect" modifier was executed.
I no longer find this a good idea without having a "match_subdomains=yes"
modifier as specified in spf-draft-200406. The reason is following example:
hostpoint.ch. TXT "v=spf1 mx ?all"
hostpoint.ch. MX 1 mail.hostpoint.ch.
mail.hostpoint.ch. A 217.26.48.126
server16.hostpoint.ch. A 217.26.52.26
MAIL FROM:<xyz(_at_)server16(_dot_)hostpoint(_dot_)ch>
server16.hostpoint.ch has no SPF record and the SPF record at hostpoint.ch
(zone cut) does not authorize 217.26.52.26 (=server16.hostpoint.ch) to send
mail.
Roger