Hello,

RFC 7208 section 2.3 specifies the following

It is RECOMMENDED that SPF verifiers not only check the "MAIL FROM" identity but also separately check the "HELO" identity by applying the check_host() function (Section 4) to the "HELO" identity as the <sender>.

Basically they recommend running against the sending server ehlo/help and the the MAIL FROM. I know of at least three mail gateways that employ this, one of which is Trend Micro.

No rush, and can wait until after spf validation for Mail From is setup

Regards