diff --git a/config/karma.ini b/config/karma.ini
index d4006f57e..aa533248f 100644
--- a/config/karma.ini
+++ b/config/karma.ini
@@ -29,8 +29,8 @@ good=10
 ; maximum number of recipients allowed
 [recipients]
 bad=1
-neutral=3
-good=10
+neutral=5
+good=20
 
 
 [threshhold]
@@ -77,3 +77,7 @@ notes.rdns_access@white=1
 notes.fcrdns.no_rdns=-2
 notes.fcrdns.ip_in_rdns=-1
 notes.spamassassin.flag@Yes=-2
+notes.spf_helo@3=-2
+notes.spf_helo@4=-1
+notes.spf_helo@6=-1
+notes.spf_helo@7=-1
diff --git a/plugins/rcpt_to.max_count.js b/plugins/rcpt_to.max_count.js
index 578478a2c..fe415e984 100644
--- a/plugins/rcpt_to.max_count.js
+++ b/plugins/rcpt_to.max_count.js
@@ -2,6 +2,9 @@
 // this helps guard against some spammers who send RCPT TO a gazillion times
 // as a way of probing for a working address
 
+// Consider using the karma plugin. It supports limiting the number
+// of recipients based on past behavior (good, bad, unknown)
+
 exports.hook_rcpt = function (next, connection) {
     if (connection.transaction.notes.rcpt_to_count) {
         connection.transaction.notes.rcpt_to_count++;