I've recently noticed that newsletters from a small wordpress site are hitting USER_IN_DEF_SPF_WL.
The headers are of the form: Return-Path: <me=example....@b.wordpress.com> ... To: m...@example.com From: Some Amateur Website <donotre...@wordpress.com> and the use of the bounce handling subdomain b.wordpress.com is causing a match on: def_whitelist_auth *@*.wordpress.com Theses emails are legitimate, and I've not had much wordpress spam, but they are essentially freemail bulk mail.