Policyd-spf is rejecting mail with ‘?all’ SPF records

postfixspf

One of our clients is getting mail rejected from one of his customers. The sender's SPF record is:

v=spf1 +a +mx +ip4:12.34.56.78 ?all

The mail is not originating from 12.34.56.78, but AFAIU the '?all' means my mail server (postfix) should accept it. Is that correct?

Can I change my '/etc/postfix-policyd-spf-python/policyd-spf.conf' to make it accept these emails, and if so how?

Should I do this?

FWIW the message in py error log is:

Message rejected due to: access neither permitted nor denied.

Thanks in advance.

UPDATE:

My SPF policy was:

HELO_reject = SPF_Not_Pass
Mail_From_reject = Fail

The mail was being rejected at the HELO stage, which I've changed now to 'Fail'.

Best Answer

The mail is not originating from 12.34.56.78, but AFAIU the '?all' means my mail server (postfix) should accept it. Is that correct?

Yes, but not should, just intended

From here, you can see that Neutral means The SPF record specifies explicitly that nothing can be said about validity

But the default SPF policy from postfix is that:

HELO_reject = SPF_Not_Pass

means the postfix will reject HELO if SPF check not pass ( i.e Fail, Softfail, Hardfail...)

You can change postfix SPF policy to accept email even SPF check fail.

Related Topic