Just recently I noticed some odd behaviour for the HELO checking in
Mail::SPF::Query. I was getting SPF unknown result codes for a domain
that isn't publishing an SPF record.
What's happening can be illustrated on the 'example.com' domain:
# spfquery -ip 1.2.3.4 -sender "" -helo example.com
none
[...]
spfquery: domain of does not designate permitted sender hosts
This is what one would expect. The domain has not published anything, so
the result is 'none'.
In reality, the domain in question was using a non-existent hostname in
their HELO. I know this is bad, but since there are too many systems
that fail to implement this correctly, I have relaxed rules and
basically only refuse a HELO if it is either an IP address or domain
under my control (it's amazing how many systems are dropped by this rule
alone).
# spfquery -ip 1.2.3.4 -sender "" -helo mail.example.com
unknown
[...]
spfquery: error in processing during lookup of mail.example.com
The problem actually lies in the NXDOMAIN that is returned for the TXT
lookup for 'mail.example.com'. Oops. Since this is a permanent error and
the above occurs relatively frequently, I currently see no other option
than to ignore this error. Honoring the processing errors with a
permerror would cause lots of messages to be rejected. I can't quite
figure out what the specification says about this.
Regards,
Arjen
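
Added example, not part of the original post and not Mail::SPF::Query code: a sketch of how the initial record lookup maps DNS outcomes to SPF results under RFC 7208 sections 4.3 to 4.5 (the later published SPF specification), where an NXDOMAIN answer such as the one for 'mail.example.com' yields 'none'. All function and constant names are hypothetical, and the DNS answers are constructed; no network lookups are made.

```python
# Added example: outcome of the initial SPF record lookup per RFC 7208 4.3-4.5.
# All names are hypothetical; DNS answers are constructed, nothing is resolved.

NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3  # DNS RCODE values


def select_spf_records(txt_rrs):
    """Keep TXT records whose version section is exactly 'v=spf1'.

    Each TXT RR is a list of character-strings, which are concatenated
    without separators before the record is examined (RFC 7208 3.3).
    """
    selected = []
    for strings in txt_rrs:
        record = "".join(strings)
        # The version section ends at the first space or at end of record.
        if record.split(" ", 1)[0].lower() == "v=spf1":
            selected.append(record)
    return selected


def initial_lookup_result(rcode, txt_rrs=(), timed_out=False):
    """Return (result, record); record is set only if evaluation continues."""
    if timed_out:
        return ("temperror", None)   # 4.4: lookup timed out
    if rcode == NXDOMAIN:
        return ("none", None)        # 4.3: name does not exist
    if rcode != NOERROR:
        return ("temperror", None)   # 4.4: SERVFAIL or any other error
    records = select_spf_records(txt_rrs)
    if not records:
        return ("none", None)        # 4.5: nothing published
    if len(records) > 1:
        return ("permerror", None)   # 4.5: more than one SPF record
    return ("continue", records[0])


if __name__ == "__main__":
    # Constructed answers mirroring the two spfquery runs in the post.
    cases = {
        "example.com (NOERROR, no TXT)": (NOERROR, []),
        "mail.example.com (NXDOMAIN)": (NXDOMAIN, []),
        "resolver failure": (SERVFAIL, []),
        "two SPF records": (NOERROR, [["v=spf1 -all"], ["v=spf1 mx -all"]]),
        "split TXT strings": (NOERROR, [["v=spf1 ip4:192.0.2.0/24", " -all"]]),
    }
    for label, (rcode, rrs) in cases.items():
        print(label, "->", initial_lookup_result(rcode, rrs))
```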