The Symantec Messaging Gateway (SMG) sender authentication Sender Policy Framework (SPF) check, which compares the sender IP and domain to an encoded list of IP addresses that are authorized to deliver messages for that domain, can return a false SPF Failure verdict when processing some validly constructed SPF records.
When processing SPF records which contain an address record (A or AAAA) that resolves to a large number of IP addresses ( greater than 128 ) the SPF module may return an incorrect authentication failure. The chance of this occuring increases as the number of IP addresses in the multivalued DNS A record increases.
Example SPF Record
Example multivalued A Record
allservers IN A 220.127.116.11
allservers IN A 18.104.22.168
allservers IN A 22.214.171.124
allservers IN A 126.96.36.199
allservers IN A 188.8.131.52
This is a known issue and will be addressed in a future release.
At the moment there is no workaround other than to limit SPF authentication to a limited set of domains that you know are not affected by the issue via the Spam->Sender Authentication page.