sdgathman
commented
2 years ago I think this algorithm works:
if result is Pass and mechanism is "all":
if all previously evaluated mechanisms were + (but didn't match, obviously):
policy is "degenerate" and must alway return Pass
In addition to "v=spf1 +all", any sequence of positive matches ending in +all will always return Pass. Admins may wish to impose additional restrictive treatment on such worse than non-existent sender policies. @DanielAbrecht