Home / server / Questions / 1088221
Accepted
Robert Siemer
Asked: 2021-12-26 15:23:34 +0800 CST

Compared to SPF MAIL FROM checks, what are HELO checks good for? [duplicate]

  • 772

I’m starting with SPF on my (email) domain. (No DKIM or DMARC yet.)

I see little usefulness in HELO identity checking in SPF and am thinking about setting the HELO identity to my domain (instead of the hostname) or the IP of the machine.

Apart from the following points, what is SPF HELO checking good for? What points stand against using IP or domain as identity in SMTP clients?

  • it is against (the spirit of) the standard (I’m not a big fan of following the standard just to follow the standard, especially if it does not break a MUST.)
  • bounces’ and notifications’ empty MAIL FROM will be checked against the HELO identity (It is acceptable for me if those notifications to outside systems don’t float with the SPF credibility of my IP/domain.)
  • to filter spammers who can not setup a DNS TXT record on any random single domain (the one they plan to use for HELO)
smtp

0 Answers

  1. Best Answer

    It is only RECOMMENDED in RFC7208:

    2.3. The "HELO" Identity

    It is RECOMMENDED that SPF verifiers not only check the "MAIL FROM" identity but also separately check the "HELO" identity by applying the check_host() function (Section 4) to the "HELO" identity as the . Checking "HELO" promotes consistency of results and can reduce DNS resource usage. If a conclusive determination about the message can be made based on a check of "HELO", then the use of DNS resources to process the typically more complex "MAIL FROM" can be avoided. Additionally, since SPF records published for "HELO" identities refer to a single host, when available, they are a very reliable source of host authorization status. Checking "HELO" before "MAIL FROM" is the RECOMMENDED sequence if both are checked.

    Note that requirements for the domain presented in the EHLO or HELO command are not always clear to the sending party, and SPF verifiers have to be prepared for the identity to be an IP address literal (see [RFC5321], Section 4.1.3) or simply be malformed. This SPF check can only be performed when the "HELO" string is a valid, multi-label domain name.

    And you likely identified the documented problems as they relate to the standard, with an easily readable explanation from Explained from First Principles:

    HELO identity

    In order to prevent mail loops, no MAIL FROM address is provided in automatic responses. In such circumstances, the address postmaster@ followed by the domain from the HELO/EHLO command is used for SPF evaluation. The HELO identity can also be verified separately by evaluating the SPF record of the HELO/EHLO domain. Mailbox providers would have to configure SPF records for each of their outgoing mail servers. As far as I can tell, this is rarely done in practice. I found SPF records only for the outgoing mail servers of Outlook.com. Unless you run your mail servers yourself, this aspect of SPF is nothing to worry about.

    However, there might be "undocumented" reasons, such as proof of work on the receiving server. As while you are, as you stated, free to do with your server as you desire, so are the admins of the receiving servers free to do with your messages as they desire, and how many spam messages have issues related to HELO, and maybe just send those not strictly following the standard to the spam folder, just to be safe.

    So perhaps the HELO checks are good to show the admin on the other side you can follow the standards, even including their "spirit".

    • 2