Just a quick update. I'm doing some logging. To me it looks like DNS
replies may not come fast enough. For some reason, with calls from spamc
from procmail they aren't timing out and moving to the next hop (thereby
marking it as the sender and causing the SPF failures) like happens in
spamass-milter.

It is possible that an IPv6 reply from the first address is also an
issue, but I'm not certain of this. It does appear that it's IPv6
addresses that cause the most issues from a brief perusal. It could also
be that only the bigger e-mail senders are using IPv6 at this point and
when another company uses something like outlook.com as its final relay,
then checking through all the possible includes in that company's SPF
records for which outlook.com is one just takes too long to finish
processing the first time but is then available by the time
procmail/spamc is hitting it.

As long as DNS resolution occurs, I haven't seen any issues with
internal/trusted settings.

I've added dns to received-header for the logging and will post again if
I get something definitive.