SPF is based on two authenticated identifiers: the RFC5321/MAIL-FROM or, in the case of bounce messages where the MAIL-FROM is left blank, the RFC5321/HELO-EHLO identifier.

It follows that for a bounce message to pass SPF authentication with respect to DMARC, the HELO/EHLO hostname of the client has to align with the RFC5322/From address found in the email. This means that your SPF setup in DNS should cover the HELO/EHLO domain and be configured appropriately.


In cases where it is not possible to align the HELO/EHLO hostname with the From address of an email, DKIM signing can be used, with a "d=" domain that matches the From domain. Mail flow is often indirect, and in those cases DKIM is preferable to SPF and increases the chances of emails being delivered.
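The alignment logic described above, as an added example that is not part of the original article: it picks the identifier SPF is evaluated against (HELO/EHLO when MAIL-FROM is blank), checks it against the From domain in DMARC's relaxed or strict mode, and falls back to the DKIM "d=" domain. The function names and hostnames are constructed for illustration, SPF and DKIM verification results are taken as inputs, and `org_domain` is a simplification (last two labels instead of the Public Suffix List).

```python
def org_domain(domain):
    """Naive organizational domain: last two labels (assumption, no PSL lookup)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """DMARC alignment: exact match if strict, same organizational domain if relaxed."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def spf_identity(mail_from, helo):
    """Return (identity type, domain) that SPF authenticates for this message."""
    addr = mail_from.strip().strip("<>")
    if not addr:                      # bounce: blank MAIL-FROM, use HELO/EHLO
        return ("helo", helo)
    return ("mailfrom", addr.rsplit("@", 1)[-1])

def dmarc_result(mail_from, helo, header_from, spf_pass, dkim_pass_domains,
                 aspf_strict=False, adkim_strict=False):
    """Combine SPF and DKIM alignment into a DMARC verdict.

    spf_pass: whether SPF passed for the selected identity.
    dkim_pass_domains: "d=" domains of signatures that verified.
    """
    from_domain = header_from.rsplit("@", 1)[-1]
    ident, spf_domain = spf_identity(mail_from, helo)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, aspf_strict)
    dkim_ok = any(aligned(d, from_domain, adkim_strict) for d in dkim_pass_domains)
    return {"spf_identity": ident, "spf_domain": spf_domain,
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}

if __name__ == "__main__":
    # Constructed bounce messages: MAIL-FROM is "<>", From is postmaster@example.com
    cases = [
        ("HELO aligned, no DKIM", "mx.example.com", []),
        ("HELO not aligned, no DKIM", "mta1.example.net", []),
        ("HELO not aligned, DKIM d=example.com", "mta1.example.net", ["example.com"]),
    ]
    for label, helo, dkim in cases:
        r = dmarc_result("<>", helo, "postmaster@example.com", True, dkim)
        print(f"{label}: {r}")
```
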
