
When using a tool like https://dkimvalidator.com/ to verify configuration of DKIM, SPF, DMARC, etc. for sending mail from a web server, I get a warning like this:

0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record

It seems like a bad signal even though the score isn't really affected. How do I get rid of it?

glts
Walf

2 Answers


Publish SPF records for HELO/EHLO hostnames

The Sender Policy Framework does not only protect MAIL FROM, but also HELO. Whereas the MAIL FROM identity MUST be verified (RFC 7208, 2.4), the verification of the HELO identity is only RECOMMENDED (RFC 7208, 2.3). This is the reason Spamassassin (rules/25_spf.cf), where this scoring comes from, only gives 0.0 by default.

In your own answer, you suggest changing the HELO hostname to match the domain, but that is not the only solution – and not the best solution in all cases. Some receiving systems give negative scoring if the hostname in the HELO command does not match the reverse DNS PTR record (SMTP Reverse DNS Mismatch). This is why you might want to add an SPF record for your HELO hostname instead. (SPF FAQ / Common mistakes / Publish SPF records for HELO/EHLO names used by your mail servers.)

Publish SPF records for every hostname

Furthermore, every hostname with an A record that is not intended for sending email should be protected with SPF, too. Otherwise, anyone can use them as an envelope sender. (SPF FAQ / Common mistakes / Publish null SPF records for your domains that don't send mail; related answer.)

Esa Jokinen

  • Thanks for the extra info. My `PTR` already matches, and I do publish `-all` SPF for mail-less domains. Mine is a case of `machine-name.domain.example` being the domain I used when setting up the web server that serves `domain.example`. – Walf May 19 '21 at 10:10

It was as simple as adding the below setting in /etc/postfix/main.cf:

smtp_helo_name = $mydomain

The message changes to this:

-0.0 SPF_HELO_PASS SPF: HELO matches SPF record

Walf
  • Great, this fixes it! But it appears to add another issue: `Your reverse DNS does not match with your sending domain.`, as the HELO banner uses `example.com` instead of the correct `mail.example.com`. – strarsis Jun 14 '22 at 15:17
  • @strarsis See the other answer, this works for me because my PTR/rDNS matches. You need to change that record, which is controlled by your hosting service/network provider, not part of your domain's records. Or change your HELO to be the same as your existing rDNS record. – Walf Jun 15 '22 at 01:02
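The following script is an added example and not part of either answer or of any SpamAssassin or Postfix code. It ties the two answers together: it evaluates the HELO identity against SPF the way the `SPF_HELO_*` rules report it (NONE when the HELO name publishes no record, PASS when the connecting IP is authorized), checks whether the HELO name matches the reverse DNS PTR, which is the mismatch strarsis ran into, and lists every hostname with an A record but no SPF record, which is the first answer's "publish null SPF records" point. It runs offline against a constructed in-memory DNS table (the `domain.example` names and `192.0.2.x` addresses are made up), and the evaluator implements only the `ip4`, `a`, `mx` and `all` mechanisms of RFC 7208, with no `include`, `redirect` or lookup limits; the function names `check_spf`, `helo_rule`, `rdns_matches` and `hosts_without_spf` are my own.

```python
import ipaddress
import re

# Constructed, in-memory stand-in for DNS (not a real zone). It models the
# situation in the question: a web server whose HELO name is a machine name
# under the site's domain, plus a mail host and a web-only host.
DNS = {
    ("domain.example", "TXT"): ["v=spf1 a mx -all"],
    ("domain.example", "A"): ["192.0.2.10"],
    ("domain.example", "MX"): ["mail.domain.example"],
    ("mail.domain.example", "A"): ["192.0.2.10"],
    ("mail.domain.example", "TXT"): ["v=spf1 a -all"],
    ("machine-name.domain.example", "A"): ["192.0.2.10"],  # no TXT: SPF_HELO_NONE
    ("www.domain.example", "A"): ["192.0.2.11"],  # web-only host, no SPF at all
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mail.domain.example"],
}

RULE_FOR_RESULT = {  # SpamAssassin rule names from rules/25_spf.cf
    "none": "SPF_HELO_NONE", "pass": "SPF_HELO_PASS", "fail": "SPF_HELO_FAIL",
    "softfail": "SPF_HELO_SOFTFAIL", "neutral": "SPF_HELO_NEUTRAL",
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM = re.compile(r"([+\-~?]?)(ip4|a|mx|all)(?::([^/]+))?(?:/(\d+))?", re.I)


def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])


def spf_record(name):
    """Return the v=spf1 TXT record for name, or None (RFC 7208 4.5: exactly one)."""
    recs = [r for r in lookup(name, "TXT") if r.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def check_spf(name, ip):
    """Simplified RFC 7208 check_host(): ip4, a, mx and all only; no include,
    redirect or lookup limits. Returns none/pass/fail/softfail/neutral."""
    rec = spf_record(name)
    if rec is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in rec.split()[1:]:
        m = TERM.fullmatch(term)
        if not m:
            continue  # unsupported mechanism or modifier: ignored in this toy
        qual, mech, arg, prefix = m.groups()
        result = QUALIFIER[qual or "+"]
        mech = mech.lower()
        if mech == "all":
            return result
        if mech == "ip4":
            if addr in ipaddress.ip_network(f"{arg}/{prefix or 32}", strict=False):
                return result
            continue
        # 'a' matches the A records of the target; 'mx' those of its MX hosts
        target = arg or name
        hosts = [target] if mech == "a" else lookup(target, "MX")
        for host in hosts:
            for a in lookup(host, "A"):
                if addr in ipaddress.ip_network(f"{a}/{prefix or 32}", strict=False):
                    return result
    return "neutral"  # no mechanism matched and no redirect (RFC 7208 4.7)


def helo_rule(helo_name, ip):
    """The SPF_HELO_* rule SpamAssassin would report for this HELO name and IP."""
    return RULE_FOR_RESULT[check_spf(helo_name, ip)]


def rdns_matches(helo_name, ip):
    """True if the PTR for ip names the HELO host (the 'reverse DNS mismatch' check)."""
    ptr = lookup(ipaddress.ip_address(ip).reverse_pointer, "PTR")
    return helo_name.lower() in (p.lower() for p in ptr)


def hosts_without_spf():
    """Hostnames with an A record but no SPF record: candidates for 'v=spf1 -all'."""
    return sorted(n for (n, t) in DNS if t == "A" and spf_record(n) is None)


if __name__ == "__main__":
    for helo in ("machine-name.domain.example", "domain.example", "mail.domain.example"):
        print(f"{helo:30} {helo_rule(helo, '192.0.2.10'):16} "
              f"rDNS match: {rdns_matches(helo, '192.0.2.10')}")
    print("hosts needing a null SPF record:", hosts_without_spf())
```

Run as written, the machine name yields `SPF_HELO_NONE`, switching HELO to the bare domain (the second answer's `smtp_helo_name = $mydomain`) yields `SPF_HELO_PASS` but fails the rDNS check, and only `mail.domain.example` passes both, which is the trade-off the comments describe: either the HELO name gets its own SPF record, or HELO, PTR and SPF are all aligned on the same hostname.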