diff --git a/hosts/mail/modules/postfix.nix b/hosts/mail/modules/postfix.nix index bc9d8ee..1b53a7b 100644 --- a/hosts/mail/modules/postfix.nix +++ b/hosts/mail/modules/postfix.nix @@ -180,6 +180,7 @@ in smtpd_helo_restrictions = " permit_mynetworks, permit_sasl_authenticated, + check_helo_access regexp:/var/lib/postfix/conf/helo_access, reject_unauth_pipelining, reject_non_fqdn_hostname, reject_invalid_hostname, diff --git a/hosts/mail/modules/rspamd.nix b/hosts/mail/modules/rspamd.nix index becc93b..f4253ab 100644 --- a/hosts/mail/modules/rspamd.nix +++ b/hosts/mail/modules/rspamd.nix @@ -52,6 +52,13 @@ let } } } + dmarc { + actions { + reject = "reject"; + quarantine = "add header"; + softfail = "no action"; + } + } ''; sieve-spam-filter = pkgs.callPackage ../pkgs/sieve-spam-filter { }; @@ -63,6 +70,19 @@ in .include(priority=1,duplicate=merge) "${localConfig}" ''; + locals."groups.conf".text = '' + symbols { + "R_SPF_DNSFAIL" { + weight = 2.0; + description = "SPF DNS failure"; + } + "DMARC_DNSFAIL" { + weight = 2.0; + description = "DMARC DNS failure"; + } + } + ''; + postfix.enable = true; workers.controller = { extraConfig = ''
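Review bot: Nothing in this commit creates `/var/lib/postfix/conf/helo_access`, so the new `check_helo_access` entry in `smtpd_helo_restrictions` depends on a map declared elsewhere (on NixOS that directory is normally populated from `services.postfix.mapFiles`). If the table is missing or unreadable, Postfix typically answers clients that reach this restriction with a temporary error instead of skipping the check. The lookup also runs before `reject_non_fqdn_hostname` and `reject_invalid_hostname`, so any pattern that returns `OK` lets the client skip those later checks; entries should only yield `REJECT` or `DUNNO`, and patterns should be anchored (constructed sample: `/^mail\.example\.org$/`) so they cannot match inside a longer name. I would add a comment on that line saying where the map is defined and that it must never return `OK`. The restriction list continues outside the hunk.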
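Review bot: The new `dmarc { actions { ... } }` block carries no comment saying that these dispositions are applied on the DMARC result rather than on the message score. With `reject = "reject"`, mail that fails alignment only because a mailing list or forwarder modified it is refused at SMTP time for every domain publishing `p=reject`. I would add a comment such as `# forced by DMARC disposition, independent of score; lists/forwarders that break alignment get rejected`, and if that loss is not acceptable, start with `reject = "add header";` while watching DMARC results in the logs. `softfail = "no action"` looks redundant; please confirm it cannot lower the final action for a message that other rules score as spam. The enclosing config string starts outside the hunk.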
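Review bot: `R_SPF_DNSFAIL` and `DMARC_DNSFAIL` fire on lookup failures, which can come from this host's own resolver as well as from the sender's DNS. At 2.0 each, the new `locals."groups.conf"` block can therefore add up to 4 points to legitimate mail during a resolver outage, and nothing in the hunk says why 2.0 was chosen or how it relates to the configured action thresholds. A short comment above `symbols {`, for example `# DNS failure prevents SPF/DMARC evaluation, so treat it as suspicious; weights assume a reliable local resolver`, would record that assumption. It is also worth confirming with `rspamadm configdump` that rspamd picks up the override, since the upstream `groups.conf` appears to nest symbols under `group` sections rather than a bare top-level `symbols` block.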