In <87zmry2rdw(_dot_)fsf(_at_)deneb(_dot_)enyo(_dot_)de> Florian Weimer
<fw(_at_)deneb(_dot_)enyo(_dot_)de> writes:
> Okay, what probably happened is that check_host() returned Neutral for
> earthlink.net because there was no record, and "include:earthlink.net"
> didn't match as a result.

check_host() should return PermError when there is an include: to a
domain that doesn't have an SPF record. See section 5.2.

> I think this is a bug in the specification. An "include" referencing
> a domain without any SPF record should result in TempError, not
> Neutral.

TempError is for things that will generally fix themselves without
manual intervention. I don't think TempError is appropriate.

> This reduces the risk that legitimate mail is bounced
> because the DNS is temporarily out of sync after a DNS update which
> involves multiple zones.

The draft-mengwong-spf-0[01] drafts said that PermError (then called
"unknown") "indicates incomplete processing: an MTA MUST proceed as if
a domain did not publish SPF data."

There were lots of objections to continuing this policy with many
people wanting to mandate rejection on PermError.

As a compromise, the current draft doesn't say anything about what you
should do when you get a PermError.

-wayne
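
The three readings discussed in this message, as an added example that is not part of the original e-mail or of any SPF implementation: a reduced check_host() that handles only "all", "ip4" and "include" and shows what the sender's result becomes when the include target publishes no record. The zone data, the example domains other than earthlink.net, and the `on_none` parameter are constructed for illustration.

```python
import ipaddress

# Constructed zone data: domain -> SPF record, or None when no record is published.
ZONE = {
    "sender.example": "v=spf1 include:earthlink.net -all",
    "ok.example": "v=spf1 include:relay.example -all",
    "relay.example": "v=spf1 ip4:192.0.2.10 -all",
    "earthlink.net": None,  # the situation from the thread, not real DNS data
}
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}

class Abort(Exception):
    """Stops evaluation of the current record with an error result."""

def include_matches(ip, target, depth, on_none):
    # Map the recursive check_host() result onto the include mechanism.
    result = check_host(ip, target, depth + 1, on_none)
    if result == "Pass":
        return True
    if result in ("Fail", "SoftFail", "Neutral"):
        return False
    if result == "None":
        if on_none == "no-match":      # hypothetical: the reading Florian suspected
            return False
        raise Abort(on_none)           # "PermError" (Wayne) or "TempError" (Florian)
    raise Abort(result)                # TempError and PermError propagate

def check_host(ip, domain, depth=0, on_none="PermError"):
    record = ZONE.get(domain)
    if record is None:
        return "None"
    if depth > 10:                     # guard against include loops
        return "PermError"
    try:
        for term in record.split()[1:]:
            qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
            name, _, arg = mech.partition(":")
            if name == "all":
                hit = True
            elif name == "ip4":
                hit = ipaddress.ip_address(ip) in ipaddress.ip_network(arg)
            elif name == "include":
                hit = include_matches(ip, arg, depth, on_none)
            else:
                raise Abort("PermError")   # mechanism outside this sketch
            if hit:
                return QUALIFIERS[qual]
    except Abort as stop:
        return stop.args[0]
    return "Neutral"
```

With `on_none="no-match"` the evaluation falls through to "-all" and the sender gets Fail, which is the bounce risk raised in the quoted text; the other two settings stop processing with an error result instead.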