Score:0

Compared to SPF MAIL FROM checks, what are HELO checks good for?


I’m starting with SPF on my (email) domain. (No DKIM or DMARC yet.)

I see little usefulness in HELO identity checking in SPF and am thinking about setting the HELO identity to my domain (instead of the hostname) or the IP of the machine.

Apart from the following points, what is SPF HELO checking good for? What points stand against using IP or domain as identity in SMTP clients?

  • it is against (the spirit of) the standard (I’m not a big fan of following the standard just to follow the standard, especially if it does not break a MUST.)
  • bounces’ and notifications’ empty MAIL FROM will be checked against the HELO identity (It is acceptable for me if those notifications to outside systems don’t float with the SPF credibility of my IP/domain.)
  • to filter spammers who cannot set up a DNS TXT record on any random single domain (the one they plan to use for HELO)
Paul: What is the benefit to not follow the recommendations of the standard?
@Paul Using the MAIL FROM domain in the HELO simplifies the SPF setup to one TXT record, which I need anyway. Otherwise I need an extra entry for every server if they HELO with a unique name.
Paul: You could opt for a mail relay, not to say that works for everyone in every case.
Score:2

It is only RECOMMENDED in RFC7208:

2.3. The "HELO" Identity

It is RECOMMENDED that SPF verifiers not only check the "MAIL FROM" identity but also separately check the "HELO" identity by applying the check_host() function (Section 4) to the "HELO" identity as the <sender>. Checking "HELO" promotes consistency of results and can reduce DNS resource usage. If a conclusive determination about the message can be made based on a check of "HELO", then the use of DNS resources to process the typically more complex "MAIL FROM" can be avoided. Additionally, since SPF records published for "HELO" identities refer to a single host, when available, they are a very reliable source of host authorization status. Checking "HELO" before "MAIL FROM" is the RECOMMENDED sequence if both are checked.

Note that requirements for the domain presented in the EHLO or HELO command are not always clear to the sending party, and SPF verifiers have to be prepared for the identity to be an IP address literal (see [RFC5321], Section 4.1.3) or simply be malformed. This SPF check can only be performed when the "HELO" string is a valid, multi-label domain name.

And you have likely identified the documented problems as they relate to the standard; there is an easily readable explanation from Explained from First Principles:

HELO identity

In order to prevent mail loops, no MAIL FROM address is provided in automatic responses. In such circumstances, the address postmaster@ followed by the domain from the HELO/EHLO command is used for SPF evaluation. The HELO identity can also be verified separately by evaluating the SPF record of the HELO/EHLO domain. Mailbox providers would have to configure SPF records for each of their outgoing mail servers. As far as I can tell, this is rarely done in practice. I found SPF records only for the outgoing mail servers of Outlook.com. Unless you run your mail servers yourself, this aspect of SPF is nothing to worry about.

However, there might be "undocumented" reasons, such as proof of work on the receiving server. While you are, as you stated, free to do with your server as you desire, so are the admins of the receiving servers free to do with your messages as they desire: they see how many spam messages have issues related to HELO, and may just send those not strictly following the standard to the spam folder, just to be safe.

So perhaps the HELO checks are good to show the admin on the other side you can follow the standards, even including their "spirit".
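To make the RFC text quoted in the answer concrete (HELO is checked first, the check is only possible for a valid multi-label domain name, and a per-host HELO record is cheaper in DNS than the MAIL FROM record), and to show what happens with the two alternatives raised in the question (the bare domain or an IP literal as HELO, and bounces with an empty MAIL FROM), here is an added Python example. It is not code from the question, the answer or RFC 7208. The zone data, the domains example.com, mail1.example.com, _spf.example.net and _spf.example.org, and the IP addresses are constructed for illustration, and check_host() is a deliberate simplification that understands only ip4, ip6, a, include and all.

```python
"""Toy SPF verifier for the HELO and MAIL FROM identities (RFC 7208 2.3/2.4).
Added example, not from the original post. Zone data, domains and addresses
are constructed assumptions; the resolver is an in-memory table (offline)."""
import ipaddress
import re

# Constructed "DNS" zone: domain -> (SPF TXT record, A records). Hypothetical.
ZONE = {
    "example.com": ("v=spf1 include:_spf.example.net include:_spf.example.org "
                    "ip4:192.0.2.0/24 -all", []),
    "_spf.example.net": ("v=spf1 ip4:198.51.100.0/24 ~all", []),
    "_spf.example.org": ("v=spf1 ip4:203.0.113.0/28 -all", []),
    "mail1.example.com": ("v=spf1 a -all", ["192.0.2.10"]),  # per-host record
}
LABEL = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9_-]*[A-Za-z0-9_])?$")
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def is_multilabel_domain(name):
    """RFC 7208 2.3: a HELO check needs a valid, multi-label domain name;
    an IP literal "[192.0.2.10]" or a bare "localhost" does not qualify."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)


class Resolver:
    """In-memory resolver that counts queries, making each check's DNS cost visible."""

    def __init__(self, zone):
        self.zone, self.lookups = zone, 0

    def txt(self, domain):
        self.lookups += 1
        entry = self.zone.get(domain.lower())
        return entry[0] if entry else None

    def a(self, domain):
        self.lookups += 1
        entry = self.zone.get(domain.lower())
        return entry[1] if entry else []


def check_host(resolver, ip, domain, depth=0):
    """Simplified check_host(): supports ip4/ip6, a, include and all only
    (no mx, ptr, exists, redirect or macros)."""
    if not is_multilabel_domain(domain):
        return "none"  # RFC 7208 4.3: malformed <domain> -> "none" without any lookup
    if depth > 10:
        return "permerror"
    record = resolver.txt(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUAL:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(addr) in resolver.a(arg or domain)
        elif mech == "include":
            matched = check_host(resolver, ip, arg, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        if matched:
            return QUAL[qual]
    return "neutral"


def spf_identities(helo, mail_from):
    """Identities in the RFC's recommended order: HELO first, then MAIL FROM.
    A null reverse-path (bounce/DSN) is checked as postmaster@<HELO>."""
    checks = [("helo", helo)] if is_multilabel_domain(helo) else []
    checks.append(("mailfrom", mail_from.rpartition("@")[2] if mail_from else helo))
    return checks


def verify(zone, ip, helo, mail_from):
    """Run every applicable check; return {scope: (result, dns_lookups)}."""
    results = {}
    for scope, domain in spf_identities(helo, mail_from):
        resolver = Resolver(zone)
        results[scope] = (check_host(resolver, ip, domain), resolver.lookups)
    return results


if __name__ == "__main__":
    print(verify(ZONE, "192.0.2.10", "mail1.example.com", "alice@example.com"))  # host name HELO
    print(verify(ZONE, "192.0.2.10", "example.com", "alice@example.com"))        # domain as HELO
    print(verify(ZONE, "192.0.2.10", "[192.0.2.10]", ""))                        # IP literal, bounce
```

Running it prints, per identity, the SPF result and how many queries the toy resolver needed. With a per-host record, the HELO check of mail1.example.com settles in two queries, while the MAIL FROM record for example.com needs three because of its two includes; using the bare domain as HELO makes the two checks identical in cost; and an IP literal as HELO leaves a bounce with no checkable identity at all, which is the case the question is willing to accept. Whether a receiver treats a HELO fail as conclusive and skips the MAIL FROM lookup is its own policy decision.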

It is a riddle to me how HELO checks “promote consistency”, “reduce DNS resource usage”(!) or how a “conclusive determination” is even possible without MAIL FROM. That’s why I’m asking.—But thanks for the explained-from-first-principles pointer! Seems decent.
Paul: You can email him questions and he will respond (obviously, he really enjoys this).