FWIW we've told Nationwide about this. They are including
"include:messagelabs.com" which should be spf.messagelabs.com. PEBCAK.
John Hardin wrote:
There's a thread that's currently on the users list about Nationwide
Bank in UK publishing an SPF record that includes messagelabs, and
messagelabs' SPF record says "+all". This makes it a little difficult
to use SPF to reject phishing.
In light of that, do we want to revisit
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5684 and
reconsider it for 3.3.x or 3.4.x?
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________