This is not specifically for or about SmarterMail, since I am using sendmail as my gateways, just that I am wondering if any of my fellow SmarterMail admins are seeing this problem from users of this service.
There is a service called "DMARC Director" which apparently provides SPF records for customers to include in their SPF. It uses an IP macro under what appears to be a unique tokenized subdomain to macrospf.director.tangent.com. The parent service being director.tangent.com.
However, my mail system is rejecting these customer domains due to a failure of the DMARC Director (Tangent) DNS. BIND throws this error:
DNS format error from [redacted]#53 resolving [redacted].macrospf.director.tangent.com/NS for 127.0.0.1#55922: Name macrospf.powerspf.com (SOA) not subdomain of zone macrospf.director.tangent.com -- invalid response
This is caused by an invalid SOA. From what I can tell, the "DMARC Director" is a service of "PowerSPF" or vice-versa. Whichever the case may be, they appear to be using wildcards in their DNS to alias macrospf.director.tangent.com to macrospf.com, which is a lazy way to make things work and is causing my SPF lookups to fail, thus deferring (4xx) those emails.
From all the work looking into this, it appears the proper SPF include for these affected domains is [token].powerspf.com.
Has anyone here using SmarterMail as a gateway or for direct delivery run into this service and its associated problem customers? At this point I have had to rewrite part of the spf-milter to allow whitelisting domains from SPF checks -- which opens the possibility for spoofing (except these domains use ~all, anyway), and is completely non-standard.
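
For admins who want to check whether their own resolver is hitting the same fault, here is a log triage sketch, added as an example and not part of the original post. It parses BIND lines of the form quoted above and reports each zone whose response carried an SOA owner outside that zone; the sample lines, tokens and the 192.0.2.53 address are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Matches the BIND "DNS format error ... (SOA) not subdomain of zone" line.
LINE_RE = re.compile(
    r"DNS format error from (?P<server>\S+)#\d+ "
    r"resolving (?P<qname>\S+)/(?P<qtype>\w+) for \S+: "
    r"Name (?P<owner>\S+) \(SOA\) not subdomain of zone (?P<zone>\S+) "
    r"-- invalid response"
)

def labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [part for part in name.rstrip(".").lower().split(".") if part]

def is_subdomain(name, zone):
    """True if name is at or below zone, compared label by label."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def out_of_zone_soa(log_lines):
    """Group offending responses by zone: SOA owners, query names, servers."""
    hits = defaultdict(lambda: {"soa_owners": set(), "qnames": set(), "servers": set()})
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m or is_subdomain(m["owner"], m["zone"]):
            continue
        entry = hits[m["zone"].lower()]
        entry["soa_owners"].add(m["owner"].lower())
        entry["qnames"].add(m["qname"].lower())
        entry["servers"].add(m["server"])
    return dict(hits)

# Constructed sample log lines (tokens and server address are placeholders).
SAMPLE = [
    "DNS format error from 192.0.2.53#53 resolving tokena.macrospf.director.tangent.com/NS "
    "for 127.0.0.1#55922: Name macrospf.powerspf.com (SOA) not subdomain of zone "
    "macrospf.director.tangent.com -- invalid response",
    "DNS format error from 192.0.2.53#53 resolving tokenb.macrospf.director.tangent.com/TXT "
    "for 127.0.0.1#40112: Name macrospf.powerspf.com (SOA) not subdomain of zone "
    "macrospf.director.tangent.com -- invalid response",
    "client 127.0.0.1#40113: query: example.org IN TXT +",
]

if __name__ == "__main__":
    for zone, info in out_of_zone_soa(SAMPLE).items():
        print(zone, sorted(info["soa_owners"]), len(info["qnames"]), "query names")
```

The distinct query names per zone show which sender domains are affected, which is the list a narrowly scoped exception would need to cover.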