Quite often, our emails bounce back from our customers because of failed SPF test results. One might suspect our SPF record is broken, but actually the problem is caused by misconfigured ORF installations on the recipient’s end in all cases (our SPF record is fine):
Let’s assume the recipient has a primary MX with ORF installed and the SPF test enabled. There is also a secondary MX hosted by the recipient’s ISP, but it has not been added to ORF’s Intermediate Host List. The Intermediate Host List (as the name implies) is a list of intermediate hosts through which emails from external sources are relayed to the primary MX (and ORF). The sending server delivers the email to the secondary MX, which relays it to the primary MX, and finally the recipient receives it. ORF must be aware of such hosts, otherwise it will think the secondary MX sent the email directly. This may let spam in, because the DNS Blacklist test becomes ineffective (ORF checks the secondary MX IP against the blacklists instead of the actual sender IP). Moreover, if the SPF test is enabled, ORF will check the secondary MX IP against the sender’s SPF policy. Of course, the secondary MX is not authorized to send email on behalf of the sender domain, so the (otherwise legitimate) email will be blacklisted.
To avoid this problem, you should add all external relaying hosts (such as secondary MXs) to your Intermediate Host List, so ORF can “look behind” your secondary MX at the On Arrival filtering point by checking the email headers. For more information, please read the Intermediate Host List and Header Analysis topics of the ORF Help.
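The effect described above, as an added Python illustration (not ORF's own code): the same relayed message is evaluated once with the secondary MX missing from the intermediate host list and once with it listed. The hostnames, IP addresses and SPF record are constructed documentation values, and the SPF evaluation is simplified to `ip4` mechanisms and the closing `all`.

```python
import ipaddress
import re
from email import message_from_string

# Constructed message as it arrives at the primary MX from the secondary MX.
# All hostnames and addresses are documentation values, not real systems.
RAW = """\
Received: from mail.sender.example ([192.0.2.10]) by mx2.isp.example; Mon, 1 Jan 2024 10:00:01 +0000
Received: from workstation ([10.0.0.5]) by mail.sender.example; Mon, 1 Jan 2024 10:00:00 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: invoice

hello
"""
SECONDARY_MX = "198.51.100.25"               # IP that connects to the primary MX
SENDER_SPF = "v=spf1 ip4:192.0.2.0/24 -all"  # constructed sender policy
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # IPv4 only

def spf_result(ip, record):
    """Simplified SPF: evaluates only ip4 mechanisms and the closing 'all'."""
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and addr in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term.endswith("all"):
            return {"-": "fail", "~": "softfail", "?": "neutral"}.get(term[0], "pass")
    return "neutral"

def effective_sender_ip(connecting_ip, raw_message, intermediate_hosts):
    """Follow Received headers (newest first) past trusted relays only."""
    ip = connecting_ip
    for header in message_from_string(raw_message).get_all("Received", []):
        if ip not in intermediate_hosts:
            break  # first untrusted host: older headers are sender-controlled
        match = IP_IN_BRACKETS.search(header)
        if match is None:
            break  # cannot look further back, keep the last known IP
        ip = match.group(1)
    return ip

def check(intermediate_hosts):
    """Return the IP that gets tested and the SPF result for it."""
    ip = effective_sender_ip(SECONDARY_MX, RAW, intermediate_hosts)
    return ip, spf_result(ip, SENDER_SPF)

if __name__ == "__main__":
    print("secondary MX not listed:", check(set()))
    print("secondary MX listed:    ", check({SECONDARY_MX}))
```

The walk stops at the first host that is not on the list, so only relays the recipient actually operates or trusts should be listed: every header below that point was written by the sending side.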