diff --git a/internal/check/spf/spf.go b/internal/check/spf/spf.go
index 783ef20..c94dd91 100644
--- a/internal/check/spf/spf.go
+++ b/internal/check/spf/spf.go
@@ -314,7 +314,17 @@ func (s *state) CheckConnection(ctx context.Context) module.CheckResult {
 		return module.CheckResult{}
 	}
 
-	mailFrom, err := prepareMailFrom(s.msgMeta.OriginalFrom)
+	mailFromOriginal := s.msgMeta.OriginalFrom
+	if mailFromOriginal == "" {
+		// RFC 7208 Section 2.4.
+		// >When the reverse-path is null, this document
+		// >defines the "MAIL FROM" identity to be the mailbox composed of the
+		// >local-part "postmaster" and the "HELO" identity (which might or might
+		// >not have been checked separately before).
+		mailFromOriginal = "postmaster@" + s.msgMeta.Conn.Hostname
+	}
+
+	mailFrom, err := prepareMailFrom(mailFromOriginal)
 	if err != nil {
 		s.skip = true
 		return module.CheckResult{
diff --git a/tests/smtp_test.go b/tests/smtp_test.go
index 85a5173..cd9249f 100644
--- a/tests/smtp_test.go
+++ b/tests/smtp_test.go
@@ -122,13 +122,22 @@ func TestCheckSPF(tt *testing.T) {
 
 	conn := t.Conn("smtp")
 	defer conn.Close()
-	conn.SMTPNegotation("localhost", nil, nil)
+	conn.SMTPNegotation("fail.maddy.test", nil, nil)
 
 	conn.Writeln("MAIL FROM:<testing@pass.maddy.test>")
 	conn.ExpectPattern("250 *")
 	conn.Writeln("RSET")
 	conn.ExpectPattern("250 *")
 
+	// Actually checks fail.maddy.test.
+	conn.Writeln("MAIL FROM:<>")
+	conn.ExpectPattern("552 5.7.0 *")
+
+	conn.SMTPNegotation("pass.maddy.test", nil, nil)
+
+	conn.Writeln("MAIL FROM:<>")
+	conn.ExpectPattern("250 *")
+
 	conn.Writeln("MAIL FROM:<testing@none.maddy.test>")
 	conn.ExpectPattern("551 5.7.0 *")
 
@@ -364,7 +373,7 @@ func TestCheckAuthorizeSender(tt *testing.T) {
 						auth_normalize precis_casefold
 						user_to_email static {
 							entry "test-user1" "test@example1.org"
-							entry "test-user2" "é@example1.org" 
+							entry "test-user2" "é@example1.org"
 						}
 					}
 				}