My spf record has been set for the last 24 hours as follows
v=spf1 mx a:mailhost.zen.co.uk -all
I'm using google apps so my MX records all point to Google and I occasionally have to send via my ISP Zen. Sending and receiving works but when I test sending a spoof email (pretending to be from my domain) from a non authorised IP address Gmail just flags the message as follows.
Received-SPF: softfail (google.com: domain of transitioning
testmessage@mydomain.co.uk does not designate xxx.xxx.142.162 as permitted sender) client-ip=xxx.xxx.142.162;
Why is Gmail only treating this as a soft fail and not a hard as -all indicates?
Hah it gets worse!
Now gmail sees my spoof test from an unauthorised ip address as a hard fail but still delivers the message to me. Surely hard fail means reject or at least put in spam bin.
Received-SPF: fail (google.com: domain of
test@mydomain.co.uk does not designate xxx.xxx.xxx.xxx as permitted sender)
Loading Profile...
