It doesn't have to: just add the right hosts or even entire IP ranges to the string.

That doesn't ensure that mail forwarding is not broken - The issue with mail forwarding is based upon the source address of the machine sending the mail through to a SPF-aware mail server. If mail is forwarded from the original recipient address to a secondary SPF-aware mail server, the mail will be marked as illegitimate because the source address of the mail message, as seen by the receiving mail server, is that of the primary mail server. In order to prevent this, all mail servers must incorporate the Sender Rewriting Scheme (http://spf.pobox.com/srs.html) for forwarding mail when forwarding mail to SPF-aware mail servers.

I don't understand why adding the middle server to the list of hosts shouldn't work. I'm doing that now for one domain and as far as I can tell, it works. The domain's SPF record is like: v=spf1 a:primary-mx a:forwarding-mx -all (for those who don't know SPF: this means "allow messages from the IP of primary-mx and the forwarding-mx, but reject messages coming from anywhere else").

Juerd # { site => 'juerd.nl', plp_site => 'plp.juerd.nl', do_not_use => 'spamtrap' }

The domain's SPF record is like: v=spf1 a:primary-mx a:forwarding-mx -all

This configuration only allows mail to be sent for the domain from the specified hosts primary-mx and forwarding-mx - It does nothing for mail from other domains which may be forwarded through the host forwarding-mx. For forwarded mail to be correctly received, the SMTP envelope must be rewritten.

 

perl -le "print unpack'N', pack'B32', '00000000000000000000001011010111'"