christoph ender's

blog

monday the 11th of march, 2024

spf records for helo/ehlo

While running various tests against mail servers, I stumbled upon SpamAssassin's SPF_HELO_NONE rule. It carries a near-zero penalty score of 0.001, and its short description complains that “HELO does not publish an SPF Record”. And indeed, Section 2.1 of RFC 4408 states:

It is RECOMMENDED that SPF clients not only check the "MAIL FROM" identity, but also separately check the "HELO" identity by applying the check_host() function (Section 4) to the "HELO" identity as the <sender>.

So in addition to the “normal” SPF TXT record, which is published for the MAIL FROM domain, there should be a second TXT record for the individual HELO hostname that actually delivers the mail. openspf.org provides some more details: if mail from john@example.com is delivered by the host mx-01.example.com, the following entries represent a working configuration (the SPF record of the MAIL FROM domain authorises its MX hosts, while the SPF record of the HELO hostname authorises only that host's own A address):

example.com.        IN  TXT      "v=spf1 mx -all"     ; MAIL FROM identity: any MX host of example.com may send
example.com.        IN  MX   10  mx-01.example.com.   ; the host that actually delivers the mail
mx-01.example.com.  IN  TXT      "v=spf1 a -all"      ; HELO identity: only this host's own A address may send
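To make the difference between the two checks concrete, here is a small, added example (not part of the original post, and not SpamAssassin's or any SPF library's code) that implements a reduced version of the RFC 4408 check_host() function and runs it for both the HELO identity and the MAIL FROM identity. It resolves names against a constructed in-memory DNS table that mirrors the zone fragment above; the A address 192.0.2.10 for mx-01.example.com and the host mail.example.net (which publishes no SPF record at all) are assumptions added for the example. Only the mechanisms needed here (a, mx, ip4, all) are supported.

```python
import ipaddress

# Constructed DNS data mirroring the zone fragment above. The A records and
# the HELO host mail.example.net (no SPF record) are assumptions for this example.
DNS = {
    ("example.com", "TXT"): ['v=spf1 mx -all'],
    ("example.com", "MX"): [(10, "mx-01.example.com")],
    ("mx-01.example.com", "TXT"): ['v=spf1 a -all'],
    ("mx-01.example.com", "A"): ["192.0.2.10"],
    ("mail.example.net", "A"): ["198.51.100.7"],
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Offline stand-in for a DNS query; trailing dots and case are ignored."""
    return DNS.get((name.rstrip(".").lower(), rtype), [])


def get_spf(domain):
    """Return the single v=spf1 TXT record of a domain, or None if there is none."""
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def check_host(ip, domain):
    """Reduced RFC 4408 check_host(): mechanisms a, mx, ip4 and all with qualifiers.
    Returns one of: none, pass, fail, softfail, neutral, permerror."""
    spf = get_spf(domain)
    if spf is None:
        return "none"          # this is the condition SPF_HELO_NONE flags
    addr = ipaddress.ip_address(ip)
    for term in spf.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            # "a" without an argument refers to the domain being checked
            matched = str(addr) in lookup(arg or domain, "A")
        elif name == "mx":
            matched = any(str(addr) in lookup(mxhost, "A")
                          for _, mxhost in lookup(arg or domain, "MX"))
        else:
            return "permerror"  # modifiers and other mechanisms are out of scope here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"           # RFC 4408 default when no mechanism matches


def check_message(ip, helo, mail_from):
    """Run both checks RFC 4408 section 2.1 recommends for one SMTP session."""
    mail_from_domain = mail_from.rsplit("@", 1)[-1]
    return {"helo": check_host(ip, helo), "mailfrom": check_host(ip, mail_from_domain)}


if __name__ == "__main__":
    # The configured host: both identities pass.
    print(check_message("192.0.2.10", "mx-01.example.com", "john@example.com"))
    # Same identities from a foreign address: both identities fail.
    print(check_message("203.0.113.5", "mx-01.example.com", "john@example.com"))
    # A HELO host without any SPF record: MAIL FROM fails, HELO yields "none".
    print(check_message("198.51.100.7", "mail.example.net", "john@example.com"))
```

The third case shows why the HELO check is worth running separately: the MAIL FROM result alone says nothing about whether the hostname announced in HELO/EHLO was ever authorised, and "none" for the HELO identity is exactly what a rule like SPF_HELO_NONE reports.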