diff --git a/lib/auth.js b/lib/auth.js
index 2fc7116..b98ecaa 100644
--- a/lib/auth.js
+++ b/lib/auth.js
@@ -23,14 +23,25 @@ async function hookMail(plugin, connection, params) {
 let spfResult;
 try {
+ const isRemotePrivate = connection.remote.is_private;
+
 spfResult = await checkSpf({
 resolver: plugin.resolver,
- ip: connection.remote.ip, // SMTP client IP
+ ip: isRemotePrivate ? undefined : connection.remote.ip, // SMTP client IP (undefined for if remote is private network)
 helo: connection.hello?.host, // EHLO/HELO hostname
 sender: txn.notes.sender, // MAIL FROM address
 mta: connection.local?.host, // MX hostname
 maxResolveCount: plugin.cfg?.auth?.dns?.maxLookups
 });
+
+ if (isRemotePrivate) {
+ // given undefined IP as client IP in case client is from remote IP, SPF will default to neutral, replace with softfail and custom message
+ spfResult.status.result = 'softfail';
+ spfResult.status.comment = 'cannot assess local addresses';
+ spfResult.header = `Received-SPF: softfail (cannot assess local addresses) client-ip=${connection.remote.ip};`;
+ spfResult.info = `spf=softfail (cannot assess local addresses)`;
+ }
+
 txn.notes.spfResult = spfResult;
 } catch (err) {
 txn.notes.spfResult = { error: err };
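Review bot: The `if (isRemotePrivate)` block writes `spfResult.status.result` and `spfResult.status.comment` without checking that `checkSpf` returned a `status` object when called with `ip: undefined`, and nothing in this hunk establishes that it does. If it does not, the TypeError falls into the existing `catch` and the message is recorded as `{ error: err }` rather than the intended softfail, so consumers of `txn.notes.spfResult` would see an SPF error for every private-network client. Replacing the two assignments with `spfResult.status = { ...spfResult.status, result: 'softfail', comment: 'cannot assess local addresses' };` removes that dependency. The comment in the block says "in case client is from remote IP" where it appears to mean a private IP; something like `// client IP is private, so SPF cannot be evaluated; report softfail instead of the checker's default result` would be accurate. hookMail's body starts and ends outside the hunk.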