Your question
Hi,
What is the difference between SPF configuration strict and relaxed?
I have a domain (which in my opinion is configured correctly) from which emails are rejected if the SPF check is strict:
2026-06-15T07:11:47Z INFO SPF EHLO check failed (smtp.spf-ehlo-fail) listenerId = "smtp", localPort = 25, remoteIp = 81.196.87.228, remotePort = 8483, domain = "mail.tmb.ro", result = No SPF record (spf.none), elapsed = 1ms
If I change the SPF check to relaxed the email is accepted:
2026-06-15T08:03:35Z INFO SPF From check passed (smtp.spf-from-pass) listenerId = "smtp", localPort = 25, remoteIp = 81.196.87.228, remotePort = 30585, domain = "mail.tmb.ro", from = "[email protected]", result = SPF check passed (spf.pass), elapsed = 17ms
For the sender domain (I’m not related to it in any way) the SPF record is: “v=spf1 a mx -all” and MX:
tmb.ro MX preference = 10, mail exchanger = mail.tmb.ro
mail.tmb.ro internet address = 81.196.87.228
So I don’t understand what verification SPF strict is doing that makes this domain fail the check.
Best regards,
Andrei
I understand that topics in this category are triaged by a bot first but a human reply will follow up. If I’d prefer a human-only reply, I’ll add the no-ai tag to my topic.
The difference is clear and explained directly in the SPF docs:
relaxed: Stalwart performs the SPF check and records the result in the Authentication-Results and Received-SPF headers, but does not reject the message regardless of outcome.
strict: Stalwart performs the SPF check and rejects the message if it fails; otherwise it just records the result.
In your specific case, the issue is that strict mode is applied to the EHLO/HELO identity check (spfEhloVerify). When the remote server connects and says EHLO mail.tmb.ro, Stalwart looks up the SPF record for the domain mail.tmb.ro – and there is none. The SPF record v=spf1 a mx -all exists on tmb.ro (the envelope/MAIL FROM domain), not on mail.tmb.ro (the EHLO hostname). So the EHLO SPF check returns spf.none (no record found), and strict rejects it.
Under relaxed, the EHLO failure is noted but not fatal, and the subsequent MAIL FROM check against tmb.ro succeeds (the mx mechanism matches mail.tmb.ro), so the message is accepted.
This is a common real-world situation: many sending servers have a proper SPF record on their envelope domain but not on their EHLO hostname. The recommended approach is to keep spfEhloVerify on relaxed (which is also the Stalwart default) and rely on spfFromVerify (MAIL FROM) for actual enforcement, since MAIL FROM is the identity that matters most for SPF policy purposes.
Docs reference: SPF Verification and SenderAuth fields
This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong.
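The two identities discussed in this thread can be reproduced offline. The following is an added example, not part of the original posts and not Stalwart's code: a minimal SPF evaluator (only the `a`, `mx` and `all` mechanisms) run against a constructed DNS table built from the records quoted above, with hypothetical helpers `check_spf` and `smtp_decision`. It assumes, based on the log line in the question, that strict mode rejects any result other than pass.

```python
# Constructed in-memory DNS view built from the records quoted in the thread.
# Assumptions: mail.tmb.ro publishes no SPF TXT record (per the spf.none log),
# and tmb.ro's own A record is not shown on the page, so it is left out.
ZONE = {
    ("tmb.ro", "TXT"): ["v=spf1 a mx -all"],
    ("tmb.ro", "MX"): ["mail.tmb.ro"],
    ("mail.tmb.ro", "A"): ["81.196.87.228"],
}

def lookup(name, rtype):
    return ZONE.get((name.lower(), rtype), [])

def check_spf(domain, ip):
    """Minimal SPF evaluation: a, mx and all only (no include, ip4, macros)."""
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    if not records:
        return "none"  # nothing published for this identity
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in results else ("+", term)
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = ip in lookup(domain, "A")
        elif mech == "mx":
            matched = any(ip in lookup(mx, "A") for mx in lookup(domain, "MX"))
        else:
            continue  # mechanisms outside this sketch are skipped
        if matched:
            return results[qualifier]
    return "neutral"

def smtp_decision(ehlo, mail_from_domain, ip, ehlo_mode, from_mode):
    """Return (accepted, ehlo_result, from_result).
    Assumption taken from the thread's log: strict rejects any non-pass result."""
    ehlo_result = check_spf(ehlo, ip)
    if ehlo_mode == "strict" and ehlo_result != "pass":
        return (False, ehlo_result, None)  # rejected before MAIL FROM is checked
    from_result = check_spf(mail_from_domain, ip)
    if from_mode == "strict" and from_result != "pass":
        return (False, ehlo_result, from_result)
    return (True, ehlo_result, from_result)

if __name__ == "__main__":
    ip = "81.196.87.228"
    print(smtp_decision("mail.tmb.ro", "tmb.ro", ip, "strict", "strict"))
    print(smtp_decision("mail.tmb.ro", "tmb.ro", ip, "relaxed", "strict"))
    # 203.0.113.9 is a documentation address standing in for an unlisted sender.
    print(smtp_decision("mail.tmb.ro", "tmb.ro", "203.0.113.9", "relaxed", "strict"))
```

With EHLO on relaxed and MAIL FROM on strict, the legitimate sender is accepted while a host not listed in the tmb.ro record is still rejected by `-all`.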