Issue SPF check fails (Reason=Mechanism) due to combination of local rule and redirect

[MRW]

Server operating system version

CentOS7, AlmaLinux8, Almalinux9, CloudLinux7, Cloudlinux8

Plesk version and microupdate number

18.0.71.1

Question and potential issue about email delivery and local spf rules.

Hi everyone,
We are facing a problem with the SPF check in Plesk that is affecting several of our customers.

Our Setup:
We use the spamexperts anti-spam cloud to filter incoming emails. To ensure these emails pass the SPF check, we have added include:spf.antispamcloud.com to the "Local SPF Rules" in Plesk.

The Problem:
Despite this local rule, emails from certain senders are being rejected by the server. The error message is reason=mechanism

Our Hypothesis and Question:
We have noticed that the domains of the affected senders use a redirect= parameter in their own SPF record (e.g., v=spf1 redirect=_spf.domain.tld).

Our suspicion is that when Plesk performs the SPF check, it merges the local rule (include:spf.antispamcloud.com) with the sending domain's SPF record. According to the RFC, the redirect= mechanism must be interpreted last and on its own.
Adding the include: from the local Plesk configuration would therefore result in a syntactically invalid SPF record.

Our core question is this:Is our assumption correct that Plesk combines the local SPF rule with the sending domain's SPF record, and that this leads to an invalid total record (and thus the rejection with reason=mechanism) when a redirect= is present?

Thanks for your help!

 

[AYamshanov]

Thank you for the feedback, MRW.
I can confirm that we are already aware of the issue and investigating it.