if there is no spf record, we do not penalize by default. you can configure it to penalize for that if you want, but it would cause a lot of problems. i cant remember the rfc number(i can look if you really need me to), but the rfc states a max of 10 dns queries in an spf check before it is considered a DoS attack. MEG abides by this RFC.
That's exactly what I need to know. Thank you!