ES Message Log SPF
While checking whether the latest changes in ES 10.0.11 supporting EDNS make SPF any better, I came across some questions about the Message Log and the SPF states. I checked the Knowledge Base and the Admin Guide, but they don't seem to be explained there. The same goes for the DKIM states, but they are kinda the same.
Below are my sightings for the different states, maybe @David W can chime in here?
- SPF Check Not Performed: What does that mean? Why is it not performed? I can see this state in the Message Log for senders with and without SPF policies.
- No SPF record: The name suggests there is no SPF policy defined for the sender domain. This is valid for @t-online.de for example, but I also have mails from @sentinelone.com in my Message Log marked as No SPF Record, but there is one. They have a good amount of TXT records in their zone, could this be an issue?
- SPF Pass: All good, SPF policy complied with. Interestingly, I can see mails from @sentinelone.com with that state as well, which makes the above "No SPF record" even more weird.
- SPF Soft Failure: I guess for policy ~all, can see only SPAM related to that state in the log.
- Permanent Error: I can see this state for senders with huge SPF records or maybe too many DNS lookups.
- Temporary Error: Seen mostly for SPAM senders, but also for @sonicwall.com. Does this occur when the DNS resolver is temporarily not able to resolve?
- SPF disabled: I don't have any events for that, maybe when SPF is disabled in the Anti-Spoof settings?
- SPF Hard Failure: Mostly for SPAM mails, but also for amazon.com, which has a huge SPF record, could this cause this event?
- Neutral: I guess for policy ?all, can see only SPAM related to that state in the log.

The confusing part is that sometimes, from the same sender domain and sender IP address, I can get events with different states, which is not consistent. My DNS resolvers are pretty solid, so I can't see an obvious reason here.
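For the questions above about large SPF records and TXT-heavy zones, here is an added example (not part of the original post and not SonicWall code) that statically checks a sender domain against the RFC 7208 rules producing `none`, `permerror`, `softfail`, `neutral` and `fail`. The function names and the sample zone are hypothetical, and mapping these RFC result names onto the ES Message Log labels is an assumption.

```python
import re

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: cap on DNS-querying terms
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

class PermError(Exception):
    """Raised for conditions RFC 7208 maps to the permerror result."""

def spf_record(domain, zone):
    """Return the domain's single v=spf1 TXT record, or None if it has none."""
    recs = [t for t in zone.get(domain, []) if t.lower().split(" ")[0] == "v=spf1"]
    if len(recs) > 1:
        raise PermError(f"{domain}: more than one v=spf1 record")
    return recs[0] if recs else None

def walk(domain, zone, used=0):
    """Worst case, where no mechanism matches: return (result, lookups used)."""
    rec = spf_record(domain, zone)
    if rec is None:
        raise PermError(f"{domain}: include/redirect target has no SPF record")
    # redirect= is a modifier: it is evaluated only after every mechanism.
    terms = sorted(rec.split()[1:], key=lambda t: t.lower().startswith("redirect="))
    for term in terms:
        name, arg = (re.split(r"[:=/]", term.lstrip("+-~?").lower(), maxsplit=1) + [""])[:2]
        if name in QUERYING:
            used += 1
            if used > MAX_LOOKUPS:
                raise PermError(f"more than {MAX_LOOKUPS} DNS-querying terms")
        if name == "include":
            _, used = walk(arg, zone, used)
        elif name == "redirect":
            return walk(arg, zone, used)
        elif name == "all":
            return QUALIFIER.get(term[0], "pass"), used
    return "neutral", used  # RFC 7208 section 4.7 default result

def diagnose(domain, zone):
    """Static check of a sender domain: (result, lookups used or reason)."""
    try:
        if spf_record(domain, zone) is None:
            return "none", 0
        return walk(domain, zone)
    except PermError as err:
        return "permerror", str(err)

# Constructed sample zone (documentation names, not real DNS answers).
ZONE = {f"i{n}.example": ["v=spf1 ip4:198.51.100.1 -all"] for n in range(11)}
ZONE["big.example"] = ["v=spf1 " + " ".join(f"include:{d}" for d in ZONE) + " -all"]
ZONE["soft.example"] = ["site-verification=abc123", "v=spf1 mx ~all"]
```

The count is an upper bound: a real evaluation stops at the first mechanism that matches the connecting IP, so a record over the limit only reaches `permerror` when no earlier term matches.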