Policyd-spf: Exact Conditions to cause these reject messages?

Question

I can not find any documentation on what each reject messages means. I assume ...domain owner discourages use of this host happens when helo.spammer.com sends an email with user@example.com in the from field and example.com has an SPF record that does not include spammer.com

Then what conditions generate ...SPF fail - not authorized? Wouldn't an not authorized sender be the same condition as the first example?

While im at it, anyone know which conditions return ...access neither permitted nor denied

If it matters, i have the config as such

HELO_reject = SPF_Not_Pass
Mail_From_reject = SPF_Not_Pass

And if its helpful, a real case example:

SMTPD: connect from ns1.monofe.com[185.21.207.22]
SMTPD: NOQUEUE: reject: RCPT from ns1.monofe.com[185.21.207.22]: 550 5.7.23 <user@redacted.com>: Recipient address rejected: SPF rejected because SPF fail - not authorized; from=<karen@interfacefm.com> to=<user@redacted.com> proto=ESMTP helo=<ns1.monofe.com>
SMTPD: disconnect from ns1.monofe.com[185.21.207.22] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 quit=1 commands=5/7

and

SMTPD: connect from mx47246.payrollloan.info[50.30.47.246]
SMTPD: NOQUEUE: reject: RCPT from mx47246.payrollloan.info[50.30.47.246]: 550 5.7.23 <user@redacted.com>: Recipient address rejected: SPF rejected because access neither permitted nor denied; from=<bounce-user=redacted.com-user=redacted.com@n95nioshmask.us> to=<user@redacted.com> proto=ESMTP helo=<mx47246.payrollloan.info>
SMTPD: disconnect from mx47246.payrollloan.info[50.30.47.246] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6

score 1 · Accepted Answer · edited Oct 07 '21 at 08:14

The result of an SPF policy evaluation is not a simple pass/fail; there are five distinct non-error results, plus temperror and permerror. The different results you're seeing are the software translating these distinct results into human-friendly explanations.

Your first example is for interfacefm.com; if we review its SPF record it currently looks like this:

"v=spf1 +a +a:ns1.c57578.sgvps.net include:_spf.mailspamprotection.com -all"

The -all at the end will return a fail result if a host does not match another mechanism in the record.

Your second example is n95nioshmask.us, and the record is:

"v=spf1 mx a ptr include:spf.improvmx.com ?all"

?all specifies a neutral result.

The full list of qualifiers is:

      "+" pass
      "-" fail
      "~" softfail
      "?" neutral

You didn't provide an example for "discourages use of this host", but it's probably a domain with softfail as the default result.

Policyd-spf: Exact Conditions to cause these reject messages?

1 Answers1