Note: where restrictions do work: when the "HELO invalid.host.bla" and invalid.host.bla has no forward translation. when the sending IP address has no reverse translation Consider mail servers behind NAT. Their internet reverse translation may point to a router, not back to the host, so exact matches can't be enforced.