What are the best practices for Email Service Providers regarding HELO, rDNS, and SPF?

Key findings

• Order of checks: The SPF specification dictates that HELO checks are performed before MAIL FROM checks, reflecting the SMTP protocol flow.
• rDNS importance: rDNS (reverse DNS) verification ensures that the sending IP address resolves back to the HELO hostname, a crucial trust signal for receiving mail servers. This is further explained in our guide on reverse DNS resolution best practices.
• SPF DNS lookup limit: The SPF record must not exceed 10 DNS lookups to avoid PermError results, which can negatively impact deliverability.
• ESP identifier in headers: It is generally considered good engineering practice for ESPs to use their own rDNS for dedicated IPs and for the HELO value. This clearly identifies the sending server and the ESP responsible for it.
• Authentication with third-party senders: Proper SPF, DKIM, and DMARC configuration is essential when using multiple ESPs or third-party senders. More information can be found in our comprehensive guide on how email authentication affects deliverability with third-party ESPs.

Key considerations

• Consistent alignment: Ensure that the HELO domain, rDNS entry, and MAIL FROM domain are consistently configured and align, even if they reflect the ESP's domain rather than the client's. This helps to prevent SPF authentication failures, as highlighted by Webex Connect.

Key opinions

• Confusion over SPF specifics: Many marketers find the SPF specification, particularly the order of HELO and MAIL FROM checks, counter-intuitive or complex.

Key considerations

• Leveraging ESPs: Marketers should expect their ESPs to handle the complexities of rDNS and HELO configuration, especially for dedicated IPs. This allows marketers to focus on content and strategy, while the ESP ensures technical compliance for seamless transactional email delivery.

Key opinions

• Historical context: The design of SPF, including the order of HELO and MAIL FROM checks, dates back to earlier authentication efforts where mail servers asserted their sending authority.
• rDNS as good practice: Using the ESP's rDNS and HELO values for dedicated IPs is considered sound engineering practice because it identifies the server's origin and the ESP's responsibility.
• Identity in headers: The HELO (or EHLO) command and corresponding rDNS provide the only location in the email headers that clearly identifies the sending server's identity, especially since the return-path may point to a bounce handler.

Key considerations

• Avoiding blocklists: Improper HELO configuration, particularly using it to signal unauthorized sending, can lead to inclusion on CSS (Composite Blocking List) or other blacklists (or blocklists), impacting deliverability for all traffic from that IP. Our in-depth guide to email blocklists provides more detail.

Key findings

• SPF lookup limit: The SPF specification (RFC 7208) clearly limits the number of DNS lookups during SPF evaluation to a maximum of 10. Exceeding this limit results in a PermError, causing authentication failure.
• SMTP connection flow: According to SMTP protocol (RFC 5321), the HELO or EHLO command, which carries the sending hostname, is sent at the beginning of the session, prior to the MAIL FROM command.
• Reverse DNS (PTR) records: Documentation on rDNS emphasizes the necessity of a matching PTR record for the sending IP. This record maps an IP address back to a hostname and is a common check performed by receiving mail servers to verify sender legitimacy.
• Transactional email best practices: Official guides for transactional email emphasize setting up SPF records as a fundamental step to authenticate domains and signal legitimacy to mailbox providers. This foundational step is critical for avoiding spam folders and ensuring reliable delivery of time-sensitive emails.

Key considerations

• Regular updates: Documentation (e.g., from AutoSPF) advises regular review and updates of SPF records whenever there are changes to sending infrastructure or third-party ESPs. This is crucial for maintaining authentication effectiveness.