Milter-greylist

Hello group!

Can someone explain this behavour to me?

Consider the following RACL rules:

# Add a Received-SPF header to all messages

#

racl continue spf unknown addheader "Received-SPF: unknown (%Mj: domain of %f uses a mechanism not recognized by this client)",1

racl continue spf none addheader "Received-SPF: none (%Mj: domain of %f does not designate permitted sender hosts)",1

racl continue spf error addheader "Received-SPF: error (%Mj: error in processing during lookup of %f)",1

racl continue spf fail addheader "Received-SPF: fail (%Mj: domain of %f does not designate %i as permitted sender)",1

racl continue spf pass addheader "Received-SPF: pass (%Mj: domain of %f designates %i as permitted sender) client_ip=%i;",1

racl continue spf neutral addheader "Received-SPF: neutral (%Mj: %i is neither permitted nor denied by domain of %f)",1

racl continue spf softfail addheader "Received-SPF: softfail (%Mj: domain of transitioning %f does not designate %i as permitted sender)",1

And this DACL rule:

# Add Authentication-Results header

#

dacl continue addheader "Authentication-Results: %QA",1

With the above rules, I sometimes see headers with "Received-SPF: pass" and "Authentication-Results: mx.example.com; spf=softfail" in the same message.

How is this possible? My only conclusion is that checked domains has "~al"l in their spf records. But why different result from spf check and the %QA format string?

Any ideas?

Markus