Fix T_SPF_HELO_PERMERROR in Spamassassin

So I thought I had my SPF (Sender Policy Framework) records set up correctly. They all passed the various test sites.

Nevertheless, I kept seeing this one error in my SpamAssassin-produced headers:

T_SPF_HELO_PERMERROR

I was unable to find a lot of info on this specific error. Everyone seemed to keep saying you needed spf records for your domain, blah, blah…

The nice thing is that this does seem to be a zero-weighted rule by default, but who’s to say some admins haven’t added negative weight to this, maybe even some big mail sites like GMail.

The key to finally figuring out the solution to this error (I mean, who likes to see “PERMERROR!!!???!!!” That’s quite a permanent error by the sound of it) was in the name itself: “HELO”. When a mail admin sees hello spelled like that, he or she has to think of the SMTP conversation, where the mail server starts out with a HELO greeting (https://tools.ietf.org/html/rfc5321). Indeed, when a mail server says HELO (or perhaps EHLO (sic.) for modern servers), it gives its host name.

I was able to get rid of this error message by setting up an SPF record for my mail server’s hostname itself, not just for my domain.

For example, you may already have your domain SPF record set up as something like this:

example.com  TXT "v=spf1 mx ip4:111.222.333.444 ip4:222.333.444.555 a:mail.example.com a:bkpmail.example.com -all"

This works great for your domain. You only send mail out of those two mail servers, identified both by name and by IP. However, you will still get the dreaded T_SPF_HELO_PERMERROR header from SpamAssassin.

To solve this, I also added an SPF record for the mail server itself:

mail.example.com  TXT "v=spf1 mx ip4:111.222.333.444 ip4:222.333.444.555 a:mail.example.com a:bkpmail.example.com -all"

Note that the first example is an SPF TXT record for just the domain name, “example.com” (the name at the start of the line),

whereas the second example is an SPF TXT record for “mail.example.com”. (You would want one for the backup mail server too.)

Now there is no longer a T_SPF_HELO_PERMERROR from SpamAssassin because there is no longer a permanent error on the HELO server name. Now I get the prized SPF_HELO_PASS header instead!

Will this help you at all? I have no idea. Like I said above, the rule defaults to a zero weighting, but people change these weights all the time, and future versions of SA may change them too. This was all tested with SA 3.4.2.
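
A syntax check for the records discussed above, as an added example that is not part of the original post: it reports whether the domain used in MAIL FROM and each host name given in HELO publishes exactly one well-formed v=spf1 record. The zone contents, the documentation-range addresses and the function names are constructed for illustration, and the check covers record syntax only, not full RFC 7208 evaluation.

```python
import ipaddress

# Constructed sample zone: name -> TXT strings. Addresses are documentation ranges.
ZONE = {
    "example.com": ["v=spf1 mx ip4:192.0.2.10 ip4:198.51.100.20 a:mail.example.com -all"],
    "mail.example.com": ["v=spf1 ip4:192.0.2.10 -all"],
    "bkpmail.example.com": [],                               # HELO name with no SPF record
    "bad.example.com": ["v=spf1 ip4:111.222.333.444 -all"],  # octets above 255
}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}

def spf_record_status(name, zone=ZONE):
    """Return 'none', 'permerror' or 'ok' for the SPF record published at name."""
    txts = zone.get(name.lower().rstrip("."), [])
    records = [t for t in txts if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:  # RFC 7208: several v=spf1 records at one name is a permerror
        return "permerror"
    for term in records[0].split()[1:]:
        if "=" in term and ":" not in term.split("=", 1)[0]:
            continue  # modifier such as redirect=...; skipped by this check
        body = term[1:] if term[0] in "+-~?" else term  # drop the qualifier
        mech, _, arg = body.partition(":")
        mech = mech.split("/")[0].lower()
        if mech not in MECHANISMS:
            return "permerror"
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if net.version != int(mech[2]):
                return "permerror"
    return "ok"

def audit(mail_domain, helo_names, zone=ZONE):
    """Check the MAIL FROM domain and every host name the servers give in HELO/EHLO."""
    return {n: spf_record_status(n, zone) for n in [mail_domain, *helo_names]}

if __name__ == "__main__":
    hosts = ["mail.example.com", "bkpmail.example.com", "bad.example.com"]
    for name, status in audit("example.com", hosts).items():
        print(f"{name:22} {status}")
```

To run it against live DNS, replace the `ZONE` lookup with the TXT answers returned for each name by your resolver of choice.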
