First, some background: Sender Policy Framework (SPF) is a framework that lets a domain specify which mail servers may legitimately originate mail for it. The policy is encoded in a DNS TXT record.
systemd is a super-daemon that replaces init and xinetd, and also part of the DNS service (the local resolver, systemd-resolved). It does so in a manner that, like most Poettering projects, kind of works some of the time. It fails on some TXT records, which breaks SPF.
Here is an example of retrieving a TXT record using nslookup with systemd-resolved:
    > set type=txt
    > wholefoods.com
    ;; Warning: Message parser reports malformed message packet.
    ;; Truncated, retrying in TCP mode.
    ;; Connection to 127.0.0.53#53(127.0.0.53) for wholefoods.com failed: connection refused.
To fix this problem, I have disabled the systemd resolver and gone back to using bind, the standard DNS resolver, as a caching server. Now the results:
    > set type=txt
    > wholefoods.com
    ;; Truncated, retrying in TCP mode.
    Server:         127.0.0.1
    Address:        127.0.0.1#53

    Non-authoritative answer:
    wholefoods.com  text = "globalsign-domain-verification=MT3LmRzGYPgORWLlSBkPpAUpBDH9kl8xxYmB6FjtjY"
    wholefoods.com  text = "MS=ms90241053"
    wholefoods.com  text = "v=spf1 mx ip4:220.127.116.11 ip4:18.104.22.168 ip4:22.214.171.124 ip4:126.96.36.199 include:amazonses.com include:spf.protection.outlook.com include:_spf.q4press.com -all"
    wholefoods.com  text = "GxIV1cqmXdB1Jl1Qd1LgJyBAd8k4QEnQL4LZpSZS+yu/noX6ra5XpJepHvcohGGfvfnrn9N3bukOSw71brafNA=="
    wholefoods.com  text = "globalsign-domain-verification=pyR6ci6IB7uVAxLPZN5Z7_imdnvGJLhXCcmfs8v5RP"
    wholefoods.com  text = "adobe-idp-site-verification=ffdbe896-53c0-4f83-ad01-0ec20ef0833d"
This should correct the problem of mail being rejected with an SPF failure even though it arrived from a legitimate, SPF-specified server.
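Both nslookup transcripts above show the same mechanism: the UDP reply is too big and carries the TC bit, the client retries over TCP, and with the systemd stub on 127.0.0.53 that TCP connection is refused. The following is an added example (not from the original post) that does the same TXT lookup with the Python standard library, so you can point it at 127.0.0.53 or 127.0.0.1 and check whether the SPF record comes back intact; the domain example.com and the sample response are constructed for the offline self-test.

```python
import socket, struct
TXT, IN = 16, 1                                           # RR type / class codes

def build_txt_query(name, qid=0x1234):
    # Header (ID, flags RD=1, QDCOUNT=1) followed by the question <name> TXT IN
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack(">HH", TXT, IN)

def _skip_name(msg, off):
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:      # walk labels until root or a compression pointer
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)    # pointer is 2 bytes, root label is 1

def parse_txt_response(msg):
    """Return (tc_bit_set, [txt values]); the character-strings of each TXT RR are joined."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off, records = 12, []
    for _ in range(qd): off = _skip_name(msg, off) + 4    # question: name, then QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == TXT:                                  # RDATA = <len><chars>... (RFC 1035 3.3.14)
            parts, p = [], 0
            while p < len(rdata):
                n = rdata[p]; parts.append(rdata[p + 1:p + 1 + n].decode("latin-1")); p += 1 + n
            records.append("".join(parts))
    return bool(flags & 0x0200), records

def spf_records(txt_records):
    return [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]

def query_txt(name, server="127.0.0.1", port=53, timeout=3.0):
    """UDP first; if TC is set, repeat over TCP with the 2-byte length prefix (RFC 1035 4.2.2)."""
    q = build_txt_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout); s.sendto(q, (server, port)); resp = s.recv(4096)
    truncated, recs = parse_txt_response(resp)
    if truncated:                                         # this is the step that fails against 127.0.0.53 above
        with socket.create_connection((server, port), timeout) as s:
            s.sendall(struct.pack(">H", len(q)) + q); need, resp = struct.unpack(">H", s.recv(2))[0], b""
            while len(resp) < need: resp += s.recv(need - len(resp))
        truncated, recs = parse_txt_response(resp)
    return truncated, recs

def sample_response(truncated=False):
    # Constructed reply for "example.com TXT" (not captured): two TXT RRs, the SPF one split in two strings
    rr = lambda rdata: b"\xc0\x0c" + struct.pack(">HHIH", TXT, IN, 300, len(rdata)) + rdata
    hdr = struct.pack(">HHHHHH", 0x1234, 0x8180 | (0x0200 if truncated else 0), 1, 2, 0, 0)
    return hdr + build_txt_query("example.com")[12:] + rr(b"\x0aMS=ms12345") + rr(b"\x1bv=spf1 mx include:_spf.exam\x0cple.com -all")
```

Run `query_txt("wholefoods.com", server="127.0.0.53")` and then with `server="127.0.0.1"`: a `ConnectionRefusedError` from the TCP retry, or an answer list with no SPF record, reproduces the failure; `spf_records(...)` returning the `v=spf1` string means the resolver is fine.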