In theory you (we) should have SPF records for HELO hostnames too
Let's start with what I said in the Fediverse today:
Today I learned that you should have SPF records for your HELO names, not just for your MAIL FROM domains. I guess I have some DNS records to add now.
When I learned about SPF, back when it was very new, I at least understood it as being about preventing forgery of SMTP envelope sender domains (ie, SMTP MAIL FROM domains). In modern usage, this is no longer the case; even the 'proposed standard' RFC 7208 starts out by explicitly saying that it applies to the host or domain given in SMTP HELO/EHLO. Checking what RFC 7208 calls 'the "HELO" identity' is listed as RECOMMENDED instead of MUST, though (in section 2.3).
(Because I don't care that much I haven't carefully read RFC 7208 to find out the recommended or required total flow of things. Unfortunately one result of my casual skim of the RFC is that I'm now confused about what DNS entries we should have for HELO hostnames, since the RFC has some confusing terminology usage here.)
Currently, we only have SPF records at the apex of our domains,
because that's what we use for our normal SMTP MAIL FROMs. Now that
I look at it more deeply, adding SPF records for the small number
of hosts that send outgoing email is probably only a little bit
annoying. If we don't ever expect anything else to send email with
a MAIL FROM of a host name used in EHLO, I think that all such host
names need as SPF records is either '
v=spf1 a' or '
?all' depending on how cautious we want to be (probably cautious,
so the ?all version).
What I don't know is how many things actually care about SPF checks for EHLO names. What drew my attention to this is that I was checking our new DKIM signing implementation using dkimvalidator.com, which includes SpamAssassin scoring information, including:
0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
Some sources suggest that SpamAssassin gives you a very tiny bonus if your HELO name passes a SPF check. That's honestly not very compelling to get us to add a bunch of DNS TXT entries (and to remember to keep doing that if we add another machine or IP with another HELO name).