How can I reference the "Why?" page for explaining SPF results?
The "Why?" web page is a public service of the SPF project. SPF implementations can (and do) use it to help explain the results of SPF checks by presenting to users a parameterized link to this page. Here is how it works:
Base URL
The base URL of the "Why?" page is: http://www.openspf.org/Why (note the upper-case "W"). Accessing the base URL directly offers a form that can be used to make basic "mfrom"-scope SPF queries.
URL parameters
A number of URL parameters can be appended to the base URL:
| Required | Parameter | Short alias | Default | Examples |
| | versions | v | 1 | v=1,2 |
| | scope | s | mfrom | s=helo |
| • | identity | id | | id=user@example.com, id=mta.example.com |
| • | ip-address | ip | | ip=169.254.0.7, ip=fe80::2a:7 |
| | receiver | r | | r=mx.example.net |
| | show-form | | 0 | show-form=1 |
Simply join parameters with "&" or ";" characters and append them to the base URL with a leading "?" character. For example:
http://www.openspf.org/Why?s=mfrom;id=x@openspf.org;ip=169.254.0.7
Detailed descriptions of the supported parameters are available:
- versions
- A comma-separated list of the versions of SPF records that may be used for the SPF check. Only those record versions that cover the desired scope will actually be used (see below).
- scope
- The authorization scope of the identity that should be checked. The following scope values are supported:
- helo
- The given identity is the HELO parameter of an SMTP transaction (RFC 2821) and should be checked against SPF records that cover the helo scope ("v=spf1"). See the SPFv1 specification (RFC 4408) for the formal definition of the HELO scope.
- mfrom
- The given identity is the MAIL FROM parameter of an SMTP transaction (RFC 2821), and should be checked against SPF records that cover the mfrom scope ("v=spf1" and "spf2.0/mfrom"). See the SPFv1 specification (RFC 4408) for the formal definition of the MAIL FROM scope.
Note: In the case of an empty MAIL FROM SMTP transaction parameter ("MAIL FROM:<>"), you should perform a check with the helo scope instead.
- pra
- The given identity is the "Purported Responsible Address" of an e-mail message (RFC 2822) and should be checked against SPF records that cover the pra scope ("spf2.0/pra"). See the PRA specification (RFC 4407) for the formal definition of the PRA scope.
- identity
- The sender identity whose authorization should be checked. This is a domain name for the helo scope, and an e-mail address for the mfrom and pra scopes.
Note: An empty identity must not be passed. In the case of an empty MAIL FROM SMTP transaction parameter, you should perform a check with the helo scope instead.
- ip-address
- The IP address of the host claiming the identity that is being checked. Can be either an IPv4 or an IPv6 address. An IPv4-mapped IPv6 address (e.g. "::ffff:192.168.0.1") is treated as an IPv4 address.
- receiver
- The host name of the receiving mail server that originally performed the SPF check that the "Why?" page is supposed to explain. This information is used in wording the explanation and is supposed to help the user or their postmaster understand the situation.
- show-form
- If you want a basic input form to be shown, allowing the sender identity and sending IP address to be entered or adjusted, you can set this parameter to 1.
Examples
Here are a few more examples demonstrating the capabilities of the "Why?" page:
http://www.openspf.org/Why?v=1,2;id=x@relevanttools.com;ip=169.254.0.7
http://www.openspf.org/Why?v=2;s=pra;id=x@anywhereworld.net;ip=fe80::2a:7
http://www.openspf.org/Why?id=x@4html.com;ip=169.254.0.7
http://www.openspf.org/Why?v=2;id=x@openspf.org;ip=169.254.0.7
http://www.openspf.org/Why?s=helo;id=openspf.org;ip=169.254.0.7
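The parameter rules above can be applied when a receiver builds the link itself. The following is an added example, not code from the SPF project: the helper name why_url and its arguments are hypothetical, and it assumes the page decodes standard percent-encoding in parameter values.

```python
import ipaddress
from urllib.parse import quote

BASE_URL = "http://www.openspf.org/Why"  # base URL from this page (upper-case "W")
SCOPES = ("helo", "mfrom", "pra")


def why_url(identity, ip, scope="mfrom", helo=None, receiver=None, versions=None):
    """Build a "Why?" link from the inputs of an SPF check (hypothetical helper)."""
    if scope not in SCOPES:
        raise ValueError(f"unsupported scope: {scope!r}")
    # Empty MAIL FROM ("MAIL FROM:<>"): check the HELO identity instead.
    if scope == "mfrom" and not identity:
        scope, identity = "helo", helo
    if not identity:
        raise ValueError("an empty identity must not be passed")

    # Rejects anything that is not an IPv4/IPv6 literal (raises ValueError).
    addr = ipaddress.ip_address(ip)
    # The page treats IPv4-mapped IPv6 as IPv4; emit the IPv4 form directly.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped

    params = []
    if versions:
        params.append(("v", ",".join(str(v) for v in versions)))
    params += [("s", scope), ("id", identity), ("ip", str(addr))]
    if receiver:
        params.append(("r", receiver))

    # identity and HELO come from the remote SMTP client, so percent-encode
    # values: a ';', '&', '=' or '#' inside them must not add or override
    # parameters. Assumes the page decodes standard percent-encoding.
    return BASE_URL + "?" + ";".join(
        f"{k}={quote(v, safe='@:,')}" for k, v in params
    )


if __name__ == "__main__":
    # Constructed sample inputs, using the documentation addresses from this page.
    print(why_url("x@openspf.org", "169.254.0.7"))
    print(why_url("", "::ffff:192.168.0.1", helo="mta.example.com",
                  receiver="mx.example.net"))
```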
URL generation via SPF explanation strings
Many SPF implementations support the generation of explanation strings from macro templates either published in a TXT DNS record of the sender domain or configured as a default with the SPF implementation, using information from SPF checks. For example, the two templates
Please see http://www.openspf.org/Why?s=helo;id=%{S};ip=%{C};r=%{R}
Please see http://www.openspf.org/Why?s=mfrom;id=%{S};ip=%{C};r=%{R}
could be used to generate appropriate references to the openspf.org "Why?" page for helo and mfrom checks, respectively.