I have trouble understanding the default HELO checking policy of policyd-spf. RFC 4408 states in section 2.5.2 that:
A "Neutral" result MUST be treated exactly like the "None" result
But the man page of policyd-spf defines SPF_Not_Pass as follows:
SPF_Not_Pass (default) - Reject if result not Pass, None, or Temperror (alternatively put, reject if the SPF result is Fail, Softfail, Neutral, PermError). Unlike Mail From checking, there are no standard e-mail use cases where a HELO check should not Pass if there is an SPF record for the HELO name (transparent forwarding, for example, is not an issue). Technically this option is not fully RFC 4408 compliant since the SPF check for the Mail From identity is mandatory and Neutral and None results must be treated the same. HELO/EHLO is known first in the SMTP dialogue and there is no practical reason to waste resources on Mail From checks if the HELO check will already cause the message to be rejected. These deviations should not cause interoperability problems when used for HELO.
This description explains why it is OK to omit the SPF check of the Mail From identity but does not answer the question: Why is Neutral rejected?