
I can't seem to satisfy HELO checks on SPF records in all cases. I have an SPF record for my domain like this:

"v=spf1 mx -all"

The MX records in the zone are:

mx0.mydomain.org.uk.          3600 IN A         1xx.xx.xx.59
mx0.mydomain.org.uk.          3600 IN AAAA      2001:xxx:x:xxx::3b
mx1.mydomain.org.uk.          3600 IN A         2xx.xx.xxx.201
mx1.mydomain.org.uk.          3600 IN AAAA      2a03:xxx:xx:xxx::2 

The host name (and PTR) of the sending server is mail.mydomain.org.uk. Its IP is the same as mx0.mydomain.org.uk. The HELO name is mydomain.org.uk.

I can get HELO to pass with the above SPF record:

SPF helo    header      Received-SPF:

pass (mydomain.org.uk: 1xx.xx.xx.59 is authorized to use 'mydomain.org.uk' in 'helo' identity (mechanism 'mx' matched))

receiver=ts11-do.checktls.com; identity=helo; helo=mydomain.org.uk; client-ip=1xx.xx.xx.59

However, some checkers don't like this and say they can't find an A record for the sender mydomain.org.uk. But if I change the HELO to mx0.mydomain.org.uk I then get a fail because of "no applicable sender policy available":

SPF helo    header      Received-SPF:

none (mx0.mydomain.org.uk: No applicable sender policy available) receiver=ts11-do.checktls.com; identity=helo; helo=mx0.mydomain.org.uk; client-ip=1xx.xx.xx.59

SPF helo local mx0.mydomain.org.uk: No applicable sender policy available

How can I satisfy both checks?

2 Answers


SPF mostly ignores the HELO name and uses the MAIL FROM name instead, but when MAIL FROM is empty it uses the HELO name.

Use option 2.

change the HELO to mx0.mydomain.org.uk

"none" is not a rejection.

"no applicable sender policy available":

Seeing mx0.mydomain.org.uk, the other end has no reason to look at mydomain.org.uk; it will instead look for an SPF record on mx0.mydomain.org.uk. You can fix that by adding an SPF record for mx0.mydomain.org.uk.

eg: "v=spf1 a -all".

Jasen

While I've accepted @jasen as having the answer, the HELO of the mail server would need to be the same as the MX record. This might be inconvenient in future if we needed to have sending and receiving on separate IP addresses.

So I in fact solved it like this:

  1. Keep the sending server's name as mail.mydomain.com, but make this the same as the HELO name.

  2. Have the domain's SPF record as follows (authorises the addresses of all MX records):

@ IN TXT "v=spf1 mx -all"

  3. Add a separate SPF record for the mail server's name (authorises the A record of mail.mydomain.com):

mail IN TXT "v=spf1 a -all"

Now the checking services I've tried say everything is OK.
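The behaviour both answers rely on, that the HELO identity is evaluated against a policy published at the HELO name itself (so the result is "none" until a record exists there, and "v=spf1 a -all" at that name turns it into "pass"), as an added example that is not code from either answer: a minimal SPF evaluator (a subset of RFC 7208 covering a, mx, ip4, ip6 and all) run over a constructed in-memory zone. The zone mirrors the records in the question, with documentation-range addresses (192.0.2.x, 198.51.100.x, 2001:db8::) standing in for the redacted ones; the zone, the `with_txt` fix helper and the `helo_resolves` check are assumptions made for illustration.

```python
"""Minimal SPF evaluator (a subset of RFC 7208) over a constructed in-memory zone.

Added example, not code from the original thread. The zone mirrors the records
the question describes, with documentation-range addresses standing in for the
redacted ones (an assumption). Only the mechanisms the thread relies on are
implemented: a, mx, ip4, ip6, all (no CIDR suffix on a/mx, no include,
redirect or macros).
"""
import copy
import ipaddress

# Constructed zone data (assumption): the question's MX hosts plus the sending
# host mail.mydomain.org.uk, which shares mx0's IPv4 address.
ZONE = {
    "mydomain.org.uk": {
        "MX": ["mx0.mydomain.org.uk", "mx1.mydomain.org.uk"],
        "TXT": ["v=spf1 mx -all"],
    },
    "mx0.mydomain.org.uk": {"A": ["192.0.2.59"], "AAAA": ["2001:db8::3b"]},
    "mx1.mydomain.org.uk": {"A": ["198.51.100.201"], "AAAA": ["2001:db8:1::2"]},
    "mail.mydomain.org.uk": {"A": ["192.0.2.59"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, zone):
    """Return the records of type rtype at name (empty list if none)."""
    return zone.get(name.lower().rstrip("."), {}).get(rtype, [])


def with_txt(zone, name, txt):
    """Return a copy of zone with an extra TXT record at name (the proposed fix)."""
    new = copy.deepcopy(zone)
    new.setdefault(name, {}).setdefault("TXT", []).append(txt)
    return new


def helo_resolves(helo, zone):
    """The separate check some testers apply: does the HELO name have an address?"""
    return bool(lookup(helo, "A", zone) or lookup(helo, "AAAA", zone))


def host_matches(name, ip, zone):
    """True if name has an A (or AAAA, for IPv6 clients) record equal to ip."""
    rtype = "AAAA" if ip.version == 6 else "A"
    return any(ipaddress.ip_address(a) == ip for a in lookup(name, rtype, zone))


def check_host(ip, domain, zone=ZONE):
    """RFC 7208 check_host() for one identity: the policy evaluated is the one
    published at <domain> itself, never one at a parent or related name."""
    ip = ipaddress.ip_address(ip)
    records = [t for t in lookup(domain, "TXT", zone)
               if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if not records:
        return "none"          # "No applicable sender policy available"
    if len(records) > 1:
        return "permerror"     # more than one SPF record at a name is an error
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = host_matches(arg or domain, ip, zone)
        elif mech == "mx":
            matched = any(host_matches(mx, ip, zone)
                          for mx in lookup(arg or domain, "MX", zone))
        elif mech in ("ip4", "ip6"):
            # ip_network.__contains__ is False across address families
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # include/redirect/macros are out of scope here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"            # nothing matched and no "all" term present


def check_helo(ip, helo, zone=ZONE):
    """HELO identity: the domain evaluated is the HELO name itself, which is
    why a policy at mydomain.org.uk says nothing about mx0.mydomain.org.uk."""
    return check_host(ip, helo, zone)


if __name__ == "__main__":
    ip = "192.0.2.59"
    # HELO = apex: mx matches, but the apex has no address record.
    print("helo=apex:", check_helo(ip, "mydomain.org.uk"),
          helo_resolves("mydomain.org.uk", ZONE))
    # HELO = MX host: it resolves, but publishes no policy.
    print("helo=mx0:", check_helo(ip, "mx0.mydomain.org.uk"),
          helo_resolves("mx0.mydomain.org.uk", ZONE))
    # First answer's fix: publish "v=spf1 a -all" at mx0.
    fixed_mx0 = with_txt(ZONE, "mx0.mydomain.org.uk", "v=spf1 a -all")
    print("helo=mx0 fixed:", check_helo(ip, "mx0.mydomain.org.uk", fixed_mx0))
    # Second answer's variant: HELO = mail host with its own "v=spf1 a -all";
    # an unrelated client IP then fails instead of getting "none".
    fixed_mail = with_txt(ZONE, "mail.mydomain.org.uk", "v=spf1 a -all")
    print("helo=mail fixed:", check_helo(ip, "mail.mydomain.org.uk", fixed_mail),
          check_helo("203.0.113.7", "mail.mydomain.org.uk", fixed_mail))
```

Running it reproduces the three states seen in the thread: the apex HELO passes the mx mechanism but fails the "does the HELO name resolve" check, the mx0 HELO resolves but yields "none", and publishing a record at whichever name the server actually announces (mx0 or mail) yields "pass" for the server's address and "fail" for any other.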