christoph ender's


monday the 11th of march, 2024

spf records for helo/ehlo

While running various tests for mail servers, I stumbled upon SpamAssassin's SPF_HELO_NONE warning. It incurs a negative score of 0.001, and the short description complains that “HELO does not publish an SPF Record”.

And indeed, Section 2.1 of RFC 4408 states:

It is RECOMMENDED that SPF clients not only check the "MAIL FROM" identity, but also separately check the "HELO" identity by applying the check_host() function (Section 4) to the "HELO" identity as the <sender>.

So in addition to the “normal” SPF TXT-record which is published for the MAIL FROM-domain, there should be another TXT-record for the individual HELO-hostname which actually delivers the mail. provides some more details: if mail from is delivered from host, the following entries would represent a working configuration:        IN  TXT      "v=spf1 mx -all"        IN  MX   10  IN  TXT      "v=spf1 a -all"