Sender Policy Framework

SPF Received Header

When an SPF query returns "fail", the MTA should reject the connection.

When an SPF query returns any other result, the MTA should add an advisory header to the message of the form "Received-SPF: neutral" or "Received-SPF: pass". That way, a spam filter further down the road can take that header into account as part of a more balanced decision.

Received-SPF: pass (mybox.example.org: domain of myname@example.com
    designates 192.0.2.1 as permitted sender)
    receiver=mybox.example.org; client_ip=192.0.2.1;
    envelope-from=myname@example.com;
Received-SPF: fail (mybox.example.org: domain of myname@example.com does
    not designate 192.0.2.1 as permitted sender)
Received-SPF: softfail (mybox.example.org: domain of transitioning
    myname@example.com does not designate 192.0.2.1 as permitted sender)
Received-SPF: neutral (mybox.example.org: 192.0.2.1 is neither permitted
    nor denied by domain of myname@example.com)
Received-SPF: none (mybox.example.org: domain of myname@example.com does
    not designate permitted sender hosts)
Received-SPF: permerror -extension:foo (mybox.example.org: domain of
    myname@example.com uses mechanism not recognized by this client)
Received-SPF: temperror (mybox.example.org: error in processing during
    lookup of myname@example.com: DNS timeout)

The SPF specification includes an extension to RFC2822 reserving the "Received-SPF:" header.

If the "permerror" occurred because an SPF publisher uses a mechanism not understood by an SPF client and the receiver does not reject the message due to the permerror, that mechanism should be provided in the header immediately following the "permerror". That way, the information is available to the end user to support troubleshooting.

The following key-value pairs are designed for later machine parsing. SPF clients SHOULD give enough information so that the SPF results can be verified. That is, at least "client-ip", "helo", and, if the "MAIL FROM" identity was checked, "envelope-from".

`client-ip`	the IP address of the SMTP client
`envelope-from`	the envelope sender mailbox
`helo`	the host name given in the HELO or EHLO command
`mechanism`	the mechanism that matched (if no mechanisms matched, substitute the word "default")
`problem`	if an error was returned, details about the error
`receiver`	the host name of the SPF client
`identity`	the identity that was checked; see the <identity> ABNF rule

Here is an example:

Received-SPF: Pass (example.org: domain of scott@kitterman.com
    designates 72.81.252.18 as permitted sender)
    receiver=example.org; client-ip=72.81.252.18;
    envelope-from=<scott@kitterman.com>; helo=mailout00.controlledmail.com;

"Received-SPF:" headers must be added above the standard SMTP "Received:" header for that MTA to avoid ambiguity about whether or not the header was added by a trusted MTA.

Unless noted otherwise, all content on this website is dual-licensed under the GNU GPL v2 and the Creative Commons CC BY-SA 2.5.
The openspf.org domain name was donated by James Couzens, and related domain names by John Pinkerton. Thanks!

Sender Policy Framework

SPF Received Header

The SPF Project

Documentation

Support