Ran into an interesting issue this week with one of our clients attempting to receive mail, that we bounced for SPF permerror. The sending domain in question has a very large SPF record, broken into two include statements. It passes SPF validation with every tool available as it is under 10 DNS lookups and appears to have a valid syntax. However, the response is too large to query via UDP and TCP must be used.
So can SM query SPF records via TCP? The mail in question came from a valid SPF source, but it appears the SPF logging on temp and perm errors are pretty limited.