When using a tool like https://dkimvalidator.com/ to verify configuration of DKIM, SPF, DMARC, etc. for sending mail from a web server, I get a warning like this:
0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
It seems like a bad signal even though the score isn't really affected. How do I get rid of it?
Publish SPF records for HELO/EHLO hostnames
The Sender Policy Framework does not only protect MAIL FROM, but also HELO. Whereas the MAIL FROM identity MUST be verified (RFC 7208, 2.4), the verification of the HELO identity is only RECOMMENDED (RFC 7208, 2.3). This is the reason SpamAssassin (rules/25_spf.cf), where this scoring comes from, only gives 0.0 by default.
In your own answer, you suggest changing the HELO hostname to match the domain, but that is not the only solution – and not the best solution in all cases. Some receiving systems give negative scoring if the hostname in the HELO command does not match with the reverse DNS PTR record (SMTP Reverse DNS Mismatch). This is why you might want to add an SPF record for your HELO hostname, instead. (SPF FAQ / Common mistakes / Publish SPF records for HELO/EHLO names used by your mail servers.)
Publish SPF records for every hostname
Furthermore, every hostname with an A record that is not intended for sending email should be protected with SPF, too. Otherwise, anyone can use them as an envelope sender. (SPF FAQ / Common mistakes / Publish null SPF records for your domains that don't send mail; related answer.)
It was as simple as adding the below setting in /etc/postfix/main.cf:
The message changes to this:
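An added example, not part of either answer or of any project's code: the first answer's two recommendations (an SPF record for each HELO/EHLO hostname, a null record for every other hostname with an address record) written as a small audit over zone data. The zone contents, the example.com names and the HELO_HOSTS set are constructed for illustration, and "v=spf1 a -all" for a HELO host is an assumed policy that authorizes only that host's own addresses.

```python
# Constructed sample zone (not from the page): hostname -> {record type: [values]}
ZONE = {
    "example.com":      {"A": ["192.0.2.10"], "TXT": ["v=spf1 mx -all"]},
    "mail.example.com": {"A": ["192.0.2.25"]},                  # HELO name, no SPF yet
    "www.example.com":  {"A": ["192.0.2.10"], "TXT": ["site-verification=abc"]},
    "ftp.example.com":  {"A": ["192.0.2.11"], "TXT": ["v=spf1 -all"]},
    "alias.example.com": {"CNAME": ["www.example.com."]},      # no address record of its own
}
# Hostnames the mail servers announce in HELO/EHLO (assumption for this example)
HELO_HOSTS = {"mail.example.com"}


def spf_record(txts):
    """Return the single SPF record among TXT strings, or None if there is none."""
    found = [t for t in txts
             if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if len(found) > 1:
        # More than one SPF record evaluates to permerror (RFC 7208, 4.5)
        raise ValueError("multiple SPF records published")
    return found[0] if found else None


def audit(zone, helo_hosts):
    """Map every hostname that has an address record but no SPF record
    to the TXT record this example suggests publishing for it."""
    suggestions = {}
    for name, rr in sorted(zone.items()):
        if not (rr.get("A") or rr.get("AAAA")):
            continue                      # nothing to protect at this name
        if spf_record(rr.get("TXT", [])) is not None:
            continue                      # already covered
        if name in helo_hosts:
            # HELO identity: authorize only the host's own A/AAAA addresses
            suggestions[name] = "v=spf1 a -all"
        else:
            # Host never sends mail: null record rejects any use as a sender
            suggestions[name] = "v=spf1 -all"
    return suggestions


if __name__ == "__main__":
    for name, txt in audit(ZONE, HELO_HOSTS).items():
        print(f'{name}. IN TXT "{txt}"')
```

Once the suggested record for the HELO hostname is published, a HELO check finds a policy to evaluate, which is the condition SPF_HELO_NONE reports as missing.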