Email Server With Postfix Dovecot and MailScanner (Part 4 - SPF DKIM and DMARC)

Both SPF and DKIM has two parts: One is the DNS records for SPF/DKIM serve the purpose of setting your own policy for others to check. The other is to check if the incoming mail message is in accordance with the SPF/DKIM that is set by the admins of the domain from which the message was sent.


DNS txt record

Add a txt record to DNS server:

@ TXT 300 v=spf1 a ip4: ~all

Test it by sending an email to and will get a report back.

SPF on Postfix

To prevent sender address forgery, we setup The Sender Policy Framework (SPF) on the postfix. When there is an incoming email, postfix will check the SPF record.

yum install perl-Mail-SPF perl-Sys-Hostname-Long

cd /usr/local/src
tar zvxf postfix-policyd-spf-perl-2.010.tar.gz
cd postfix-policyd-spf-perl-2.010
cp postfix-policyd-spf-perl /usr/local/sbin/.

Then edit /etc/postfix/ and add the following stanza at the end:

policy unix - n n - - spawn
user=nobody argv=/usr/bin/perl /usr/local/sbin/postfix-policyd-spf-perl

(The leading spaces before user=nobody ... are important so that Postfix knows that this line belongs to the previous one!)

Then open /etc/postfix/ and search for the smtpd_recipient_restrictions directive. You should have reject_unauth_destination in that directive, and right after reject_unauth_destination you add check_policy_service unix:private/policy like this:

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/policy
policy_time_limit = 3600

Restart MailScanner, send an email from gmail to, in header:

Received-SPF: pass ( ... Sender is authorized to use '' in 'mfrom' identity (mechanism '' matched)) receiver=szeta; identity=mailfrom; envelope-from="";; client-ip=



Install OpenDKIM

yum install opendkim

Generate keys for signing
You need to generate a private and a public key for each of the domains for which you wish to sign mail. The private key is stored away on your server, while the public key gets published in your domain’s DNS records so that receiving mail servers can verify your DKIM-signed mail.
You need decide now what the name of your selector is going to be. A selector is a unique keyword that is associated with both keys (public and private), included in all the signatures, and published in your DNS records. For simplicity, I use the word szeta as my default selector.

mkdir -p /etc/opendkim/keys/
/usr/sbin/opendkim-genkey -D /etc/opendkim/keys/ -d -s szeta

Now we have two files for each domain(the text file is the public key).

chown -R opendkim:opendkim /etc/opendkim/keys/*

Edit four configuration files:

  1. /etc/opendkim.conf (I created a new file)

    ## opendkim.conf -- configuration file for OpenDKIM filter
    AutoRestart Yes
    AutoRestartRate 10/1h
    Canonicalization relaxed/simple
    ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
    InternalHosts refile:/etc/opendkim/TrustedHosts
    KeyTable refile:/etc/opendkim/KeyTable
    LogWhy Yes
    Mode sv
    PidFile /var/run/opendkim/
    SignatureAlgorithm rsa-sha256
    SigningTable refile:/etc/opendkim/SigningTable
    Socket inet:8891@localhost
    Syslog Yes
    SyslogSuccess Yes
    TemporaryDirectory /var/tmp
    UMask 022
    UserID opendkim:opendkim
  2. /etc/opendkim/KeyTable
  3. /etc/opendkim/SigningTable

  4. /etc/opendkim/TrustedHosts

Now enable OpenDKIM in Postfix, edit /etc/postfix/, add

smtpd_milters = inet:
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

Now start services

systemctl enable opendkim
systemctl start opendkim
systemctl restart MailScanner

DNS txt record

Now that the mail server is signing outgoing mail and verifying incoming mail, you’ll need to put some information in your DNS records to tell other mail servers how your keys are set up, and provide the public key for them to check that your mail is properly signed.

Use the public key created above to add a DNS TEXT record to


$ dig TXT +noall +answer 3599 IN TXT "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGYaonAHWmVitTa9p4QRmtjobBRyWflXwCa3akQ87aJ2iT8bg/25/t7dwzOq4nRS9CoW6vu9gVPBS6hWIumRoWFwYfwgUXGWCxMQLr6Nc7wuKnqPOoA6/JTa0s1o0QWiY18k1Rsh8p4/oRQilCEVjvdezRxsIigIEGUlEn9a+xqwIDAQAB"


Restart MailScanner then send email to then read the report, also analyse header as well.


A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and give instruction if neither of those authentication methods passes. Please be sure you have a DKIM and SPF set before using DMARC.

To enable DMARC, just add a TXT DNS record. Host name is _dmarc and text value is v=DMARC1; p=none ;

To check:

# dig TXT +noall +answer 7207 IN TXT "v=DMARC1\;p=none\;"

Test mail server

A final test for the email server can be done at I got a score of 10/10! -:)

Quick links: