SPF on HELO/EHLO hostname

Hello all,

I have an SPF-related question that has arisen after we started receiving DMARC reports for our domains. Some of the messages that Google is reporting on have an SPF domain (as seen in dmarcian) that corresponds to our domain name (and that is also the name of our primary MX, e.g. croatia.test.hr), and some of the messages have an SPF domain that is part of our HELO/EHLO string (and the name of our secondary MX, e.g. mx1.croatia.test.hr).

Messages that have an SPF domain of e.g. mx1.croatia.test.hr have SPF set to none (as we do not publish SPF for what is essentially a hostname), and because of that they also fail the SPF DMARC alignment check.

My question is: why is Google not checking the domain part of the hostname defined in that HELO/EHLO string (e.g. croatia.test.hr), and is instead checking SPF of a domain that does not exist (e.g. mx1.croatia.test.hr), and what can we do about it?

Best regards, MSMS


Google, as last I tested, will use the complete EHLO/HELO identity issued by the sending server during the SMTP transaction, as defined in RFC 7208 section 2.4 (https://tools.ietf.org/html/rfc7208#section-2.4). This behaviour cannot be changed. This does mean that in those instances, best practice would be to publish an SPF record for the domain name associated with the mail server when possible and where alignment is achieved.

I hope this helps.


Thanks AM!

I’ve also received information from Dmarcian support, and in the end implemented SPF TXT entries (with value v=spf1 a -all) for hostnames used in HELO/EHLO commands. I’ve always thought that SPF TXT entries can only be created for domains, and not also for FQDNs (hostnames) of mail gateways.

Best regards, Marinko
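
As an added example (not part of the thread or any poster's code): a minimal Python sketch of the HELO-identity SPF check from RFC 7208 section 2.4, run against constructed DNS data, showing why the hostname evaluates to `none` until it has its own record such as `v=spf1 a -all`. The zone contents, IP addresses and the function name `check_helo` are assumptions; only the `a`, `ip4` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed DNS data (not real records): before and after publishing SPF
# for the HELO hostname. The parent domain's record is an assumed sample.
PARENT = {"croatia.test.hr": {"TXT": ["v=spf1 ip4:192.0.2.0/24 -all"]}}
ZONE_BEFORE = {**PARENT, "mx1.croatia.test.hr": {"A": ["192.0.2.25"]}}
ZONE_AFTER = {**PARENT, "mx1.croatia.test.hr": {"A": ["192.0.2.25"],
                                                "TXT": ["v=spf1 a -all"]}}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_helo(helo, client_ip, zone):
    """Evaluate SPF for the complete HELO name; the parent domain is never tried."""
    name = helo.lower().rstrip(".")
    records = [t for t in zone.get(name, {}).get("TXT", [])
               if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if not records:
        return "none"          # no SPF record at this exact name
    if len(records) > 1:
        return "permerror"     # more than one SPF record is an error
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = QUALIFIERS.get(term[0])
        mech = term[1:] if qualifier else term
        result = qualifier or "pass"   # a missing qualifier means "+"
        kind, _, arg = mech.partition(":")
        kind = kind.lower()
        if kind == "all":
            return result
        if kind == "a":
            # "a" matches when the client IP is an A record of the target name
            target = (arg or name).lower()
            if str(ip) in zone.get(target, {}).get("A", []):
                return result
        elif kind == "ip4":
            if ip in ipaddress.ip_network(arg, strict=False):
                return result
        else:
            return "permerror"  # mechanism or modifier outside this sketch
    return "neutral"            # nothing matched and no "all" term


if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        print(label, check_helo("mx1.croatia.test.hr", "192.0.2.25", zone))
```

The `-all` in the hostname's record also means any other host presenting that HELO name fails SPF on the HELO identity.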