Using the SPF records to trigger a response from an internal DNS server. Clever way to extract otherwise closed data!
In response to the spread of cache poisoning attacks, many DNS resolvers have gone from being open to closed resolvers, meaning that they will only perform queries on behalf of hosts within a single organization or Internet Service Provider.
As a result, measuring the security of the DNS infrastructure has been made more difficult. Closed resolvers will not respond to researcher queries to determine if they utilize security measures like port randomization or transaction id randomization.
However, we can effectively turn a closed resolver into an open one by sending an email to a mail server (MTA) in the organization. This causes the MTA to make a query on the external researchers’ behalf, and we can log the security features of the DNS resolver using information gained by a nameserver and email server under our control.
Source: DNS Research