What it says is that I cannot "refuse to accept [...] if verification
fails". It does not mention rules for when verification has succeeded,
especially in the negative form.
I see what you are saying, and I agree that it could be worded more clearly.
But it is intended to mean that the fact that EHLO name and the address
do not match is not a good reason for rejecting the mail. There are too
many situations where a client can legitimately be using a name in EHLO
but where the server's query of that name will not produce the host's
source IP address, and/or the server's query of that source IP address
will not produce the name used in EHLO.
Keith