2

Why does this online tool fail the SPF check:

http://www.dnsstuff.com/tools#spf|type=ipv4&&value=155.133.82.39&&[email protected]

but an installed Perl SPF check softfails the SPF check?

May 9 00:48:49 ip-172-31-15-65 postfix/policy-spf[5905]: Policy action=PREPEND Received-SPF: softfail (gmail.com ... _spf.google.com: Sender is not authorized by default to use '[email protected]' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)) receiver=ip-172-31-15-99.us-west-2.compute.internal; identity=mailfrom; envelope-from="[email protected]"; helo=gmail.com; client-ip=155.133.82.39

This is the SPF record for gmail: http://mxtoolbox.com/SuperTool.aspx?action=spf%3agmail.com&run=toolpage#

1 Answer

3

Because the DNSStuff tool doesn't distinguish between soft (~all) and hard (-all) fails; try http://www.dnsstuff.com/tools#spf|type=ipv4&&value=155.133.82.39&&[email protected], bearing in mind that teaparty.net's SPF record terminates -all, and note that it still just says "X Fail" by way of result.

Your installed Perl is making that distinction; good for it.

To look a little harder, I tried DNSStuff with a non-existent domain, and also got "X Fail"; I suspect it would be the same if I tried with a domain that had a syntactically invalid SPF record. What DNSStuff's toolbox seems to be evaluating is "Is there a good reason to accept this email?". The problem, as I have tried to explain to many people who prefer ~all to -all, is that nobody uses SPF to determine what to accept. What we all care about is "Is there a good reason to discard this email?", because unless you want to lose email randomly, you need to discard out of hand only email that the (purported) sender has told you can be discarded, and accept everything else for further processing.

In my opinion, DNSStuff's toolbox is not a good one, and you should ignore its results.
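The distinction drawn in the answer above, as an added example (not code from the answer, from DNSStuff, or from the Perl policy daemon): a small offline evaluator that keeps the RFC 7208 result names, next to a two-valued display that collapses them. The records, `binary_verdict` and `receiver_action` are constructed for illustration; mechanisms that need DNS lookups and all modifiers are skipped as a stated simplification.

```python
import ipaddress

# RFC 7208 qualifier -> result when the mechanism it prefixes matches
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"include", "a", "mx", "exists", "ptr"}  # skipped: need DNS

def check_spf(record, client_ip):
    """Evaluate one SPF record left to right using only ip4/ip6/all."""
    if record is None or record.lower().split()[:1] != ["v=spf1"]:
        return "none"                      # no SPF record published
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if "=" in term:
            continue                       # modifier (redirect=, exp=): ignored here
        qualifier = "+"                    # default when no qualifier is written
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed address or prefix
            if ip in network:              # False when IP versions differ
                return QUALIFIER_RESULT[qualifier]
        elif name not in DNS_MECHANISMS:
            return "permerror"             # unknown mechanism: invalid record
    return "neutral"                       # nothing matched (RFC 7208 default)

def receiver_action(result):
    """Policy argued for in the answer: discard only on an explicit hard fail."""
    return "reject" if result == "fail" else "accept for further processing"

def binary_verdict(result):
    """Model of a two-valued display: every non-pass result looks identical."""
    return "Pass" if result == "pass" else "X Fail"

# Constructed records and labels; the client IP is the one in the question's log
SAMPLES = {"~all": "v=spf1 ip4:192.0.2.0/24 ~all",
           "-all": "v=spf1 ip4:192.0.2.0/24 -all",
           "no record": None}
CLIENT_IP = "155.133.82.39"

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        result = check_spf(record, CLIENT_IP)
        print(label, result, binary_verdict(result), receiver_action(result), sep=" | ")
```

All three sample rows show "X Fail" in the two-valued column, while only the `-all` record leads to a reject under the receiver policy.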
