
The log output I get is the following:

"Jul  7 11:23:46 mail policyd-spf[19779]: 550 5.7.23 Message rejected
due to: SPF fail - not authorized. Please see 
http://www.openspf.net/Why?s=mfrom;id=xyz@gmx.de;ip=<IP>;r=<UNKNOWN>
Jul  7 11:23:46 mail postfix/smtpd[19773]: NOQUEUE: reject: RCPT from
remotemailserver.de[IP]: 550 5.7.23 <mail@mymailserver.de>:
Recipient address rejected: Message rejected due to: SPF fail - not
authorized. Please see http://www.openspf.net/Why?s=mfrom;id=xyz@gmx.de
;ip=<IP>;r=<UNKNOWN>;; from=<xyz@gmx.de> to=<mail@mymailserver.de>
proto=ESMTP helo=<remotemailserver.de>"

My policyd-spf.conf looks as follows:

#  For a fully commented sample config file see policyd-spf.conf.commented

debugLevel = 1 
TestOnly = 1

HELO_reject = Fail
Mail_From_reject = Fail

PermError_reject = False
TempError_Defer = False

skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1

The SPF DNS record for remotemailserver.de looks as follows:

subdomain.remotemailserver.de.   508     IN      TXT     "v=spf1 include:_spf.remotemailserver.de ~all"

I am by no means a Postfix expert, but according to https://manpages.debian.org/testing/postfix-policyd-spf-python/policyd-spf.conf.5.en.html setting HELO_reject and Mail_From_reject to Fail should not hardfail an incoming mail on ~all SPF records.

Where am I wrong?

Big X

1 Answer

This was actually a misconception on my side. I assumed that the SPF entry of remotemailserver.de is checked. But it is the mail server of the FROM field which is checked.

In this case the SPF record of gmx.net is a -all record, which means I get a hardfail (correctly).

Big X
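The distinction the answer draws can be read straight from the rejection log, shown here as an added example that is not part of the original post: the `s=` and `id=` parameters of the Why? URL name the identity policyd-spf evaluated, and the qualifier on `all` decides whether `Mail_From_reject = Fail` rejects. The function names, the second (constructed) SPF record and the simplified reject model are assumptions made for illustration.

```python
import re

# Log line from the question, rejoined onto one line (placeholders kept as posted).
LOG = ("Jul  7 11:23:46 mail policyd-spf[19779]: 550 5.7.23 Message rejected "
       "due to: SPF fail - not authorized. Please see "
       "http://www.openspf.net/Why?s=mfrom;id=xyz@gmx.de;ip=<IP>;r=<UNKNOWN>")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def checked_identity(log_line):
    """Return (scope, domain) that was evaluated, taken from the Why? URL."""
    m = re.search(r"Why\?(\S+)", log_line)
    if not m:
        return None
    params = dict(p.split("=", 1) for p in m.group(1).split(";") if "=" in p)
    scope = params.get("s")  # "mfrom" = envelope sender, "helo" = HELO name
    domain = params.get("id", "").rpartition("@")[2].lower()
    return scope, domain


def all_result(record):
    """Result a record yields when no mechanism before `all` matches the client IP.

    Simplified: redirect= modifiers and include: lookups are not followed.
    """
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        q, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech.lower() == "all":
            return QUALIFIERS[q]
    return "neutral"  # RFC 7208 default when nothing matches


def rejects(result, mail_from_reject="Fail"):
    """Simplified model of three Mail_From_reject settings from the man page."""
    rejected = {"Fail": {"fail"}, "Softfail": {"fail", "softfail"}, "False": set()}
    return result in rejected[mail_from_reject]


if __name__ == "__main__":
    print("identity checked:", checked_identity(LOG))
    records = {
        "record from the question": "v=spf1 include:_spf.remotemailserver.de ~all",
        "constructed -all record": "v=spf1 include:_spf.example.net -all",
    }
    for label, rec in records.items():
        res = all_result(rec)
        print(f"{label}: {res}, rejected under Fail: {rejects(res)}")
```

The parsed scope is `mfrom` and the domain is that of the envelope sender, so the `~all` record of the connecting server never enters the decision.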