Is Google applying SPF checks to EHLO values for stricter email authentication?

Key findings

• SPF specification: RFC 7208, the SPF specification, recommends that SPF verifiers check both the MAIL FROM identity and the HELO (or EHLO) identity, with HELO checked first if both are considered.
• Primary focus: Despite the recommendation, many email service providers (ESPs) and mail receivers historically focus primarily on the MAIL FROM domain for SPF validation, as it's the identifier used for DMARC alignment and bounce handling.
• Google's approach: Google is known for its complex and evolving spam filtering algorithms, which consider a multitude of signals beyond just SPF, DKIM, and DMARC. While no explicit statement confirms stricter EHLO checks, general tightening of authentication requirements is an observed trend (see Google's recent bulk sender guidelines).
• FcrDNS importance: FcrDNS (Forward-confirmed Reverse DNS) validation, where the IP address's PTR record resolves to a hostname that then resolves back to the original IP, is a strong indicator of legitimacy for receiving mail servers, including Google. Issues with FcrDNS can negatively impact deliverability.

Key considerations

• Holistic approach: Focus on a comprehensive authentication strategy, including valid SPF records for both MAIL FROM and EHLO domains, proper DKIM signing, and DMARC implementation. This multifaceted approach is crucial for modern email deliverability.
• PTR records: Ensure your sending IP addresses have correctly configured PTR records that resolve to a valid hostname, which in turn resolves back to the IP. This is a fundamental trust signal for many mail servers (see best practices for HELO and rDNS).
• Monitor reports: Regularly review your DMARC aggregate reports to understand how receivers, including Google, are validating your SPF and DKIM. The spf_scope field in these reports can indicate whether the HELO or MAIL FROM identity was checked.
• Domain alignment: Focus on achieving strong DMARC alignment for both SPF and DKIM. This means the domain in your From: header (RFC5322.From) matches the SPF-authenticated domain (RFC5321.MailFrom) and the DKIM-signed domain. Learn more about SPF alignment for Google Postmaster Tools.

Key opinions

• Uncertainty on EHLO priority: Many marketers are unsure how strictly Google prioritizes SPF checks on the EHLO domain versus the MAIL FROM domain, often defaulting to optimizing for MAIL FROM due to its DMARC relevance.
• Focus on DMARC alignment: The primary concern for marketers is achieving strong DMARC alignment, which relies on SPF and DKIM passing for the organizational domain. This tends to overshadow granular concerns about EHLO specific checks if MAIL FROM is robust.
• Google's tightening standards: There's a general understanding that Google is continuously tightening its authentication requirements, prompting marketers to ensure all possible technical configurations are flawless.
• PTR record importance: Correct PTR records and FcrDNS are consistently cited as foundational elements that Google (and other ISPs) highly value, more so than specific EHLO SPF checks in isolation.

Key considerations

• Proactive problem-solving: If deliverability issues with Google arise, marketers should systematically troubleshoot all authentication aspects, including SPF (both MAIL FROM and EHLO if applicable), DKIM, DMARC, and FcrDNS.
• Testing email setup: Implement dedicated setups to test email deliverability and authentication validity to various mailbox providers. This helps in identifying specific configuration weaknesses (e.g., using an email deliverability tester).
• Alignment challenges: Marketers frequently face challenges with ESPs not always using aligning MAIL FROM domains, making EHLO alignment an even bigger hurdle. This highlights the ongoing need to understand SPF in Google Postmaster Tools.

Key opinions

• RFC recommendations: Experts emphasize that the SPF RFC does indeed recommend checking EHLO before MAIL FROM, but it's a recommendation, not a strict requirement for all SPF implementations. This distinction is important for understanding potential variations in receiver behavior.
• Practical focus: The practical reality is that most ESPs and mail servers primarily focus on the MAIL FROM domain for SPF validation because it is directly tied to DMARC and bounce management, making it a critical authentication point.
• Comprehensive authentication: Google's sophisticated filtering system uses many signals. While EHLO SPF checks might be a factor, they are likely part of a broader assessment that includes DKIM, DMARC alignment, sender reputation, content, and network characteristics like FcrDNS.
• PTR and FcrDNS: A consistent opinion among experts is the fundamental importance of correct PTR records and FcrDNS for sender legitimacy. A misconfigured PTR record (e.g., resolving to NXDOMAIN) is a significant negative signal for virtually all mail providers, including Microsoft and hobbyist servers, as mentioned by an expert.

Key considerations

• DMARC reporting: Experts recommend utilizing DMARC aggregate reports, which often contain an spf_scope field indicating whether the HELO or MAIL FROM identity was used for SPF validation by the reporting receiver. This offers insights into Google's specific practices (and those of other large receivers like Yahoo and Microsoft).
• Fundamental authentication: Prioritize fixing any fundamental authentication issues, such as broken PTR records or inconsistent FcrDNS, as these are often low-hanging fruit that impact deliverability across many ISPs. This is highlighted in discussions around best practices for ESPs.
• Sender reputation: Recognize that issues like small, residential-like IP blocks from hosting providers can negatively influence Google's perception of sender reputation, regardless of SPF alignment. This points to broader factors beyond just protocol compliance.

Key findings

• SPF RFC recommendation: According to RFC 7208, SPF verifiers are RECOMMENDED to check both the MAIL FROM and HELO identities, with the HELO check preferably performed first if both are considered for efficiency and reliability.
• Purpose of HELO check: Checking HELO promotes consistency and can reduce DNS resource usage if a conclusive SPF determination can be made early. HELO identities are also considered a reliable source of host authorization status.
• DMARC context: DMARC, as described in RFC 7489, primarily focuses on alignment between the RFC5322.From header and the MAIL FROM (or envelope sender) domain for SPF authentication. The HELO domain is not directly used for DMARC alignment.
• FcrDNS as a signal: While not part of SPF itself, the concept of FcrDNS (Forward-confirmed Reverse DNS) is a fundamental best practice for mail servers, as outlined in various RFCs related to SMTP and DNS. It serves as a significant trust signal for recipient servers when authenticating sending hosts. Many resources highlight that SPF checks the MAIL FROM and EHLO/HELO information. More generally, email security discussions often cover SPF checking the mail envelope.

Key considerations

• Implementation flexibility: Receiving mail servers have the flexibility to implement SPF checks as they deem fit, adhering to RFCs as guidelines rather than strict mandates. This means while checking EHLO is recommended, it's not universally enforced with the same rigor as MAIL FROM in DMARC-enabled environments.
• Layered security: Documentation supports a layered approach to email security, where SPF, DKIM, and DMARC work together. While SPF can validate both EHLO and MAIL FROM, DMARC's dependency on MAIL FROM alignment often makes it the primary focus for SPF pass/fail decisions impacting deliverability.
• Importance of DMARC reports: DMARC reporting is crucial for understanding how various receivers (including Google) are performing SPF checks and which identity (HELO or MAIL FROM) they are using. The spf_scope in DMARC aggregate reports is directly specified in RFC 7489 to indicate this.