<\/div>\n
v=spf1 mx -all\r\n<\/code><\/pre>\nExample 2<\/strong> Allow mail from a specific host:<\/p>\n<\/div>\n
v=spf1 a:mail.example.com -all\r\n<\/code><\/pre>\n\n- The
v=spf1<\/code> tag is required and has to be the first tag.<\/li>\n- The last tag,
-all<\/code>, indicates that mail from your domain should only come from servers identified in the SPF string. Anything coming from any other source is forging your domain. An alternative is ~all<\/code>, indicating the same thing but also indicating that mail servers should accept the message and flag it as forged instead of rejecting it outright. -all<\/code> makes it harder for spammers to forge your domain successfully; it is the recommended setting. ~all<\/code> reduces the chances of email getting lost because an incorrect mail server was used to send mail. ~all<\/code> can be used if you don\u2019t want to take chances.<\/li>\n<\/ul>\nThe tags between identify eligible servers from which email to your domain can originate.<\/p>\n
\nmx<\/code> is a shorthand for all the hosts listed in MX records for your domain. If you\u2019ve got a solitary mail server, mx<\/code> is probably the best option. If you\u2019ve got a backup mail server (a second MX record), using mx<\/code> won\u2019t cause any problems. Your backup mail server will be identified as an authorized source for email although it will probably never send any.<\/li>\n- The
a<\/code> tag lets you identify a specific host by name or IP address, letting you specify which hosts are authorized. You\u2019d use a<\/code> if you wanted to prevent the backup mail server from sending outgoing mail or if you wanted to identify hosts other than your own mail server that could send mail from your domain (e.g., putting your ISP\u2019s outgoing mail servers in the list so they\u2019d be recognized when you had to send mail through them).<\/li>\n<\/ul>\nFor now, we\u2019re going to stick with the mx<\/code> version. It\u2019s simpler and correct for most basic configurations, including those that handle multiple domains. To add the record, go to your DNS management interface and add a record of type TXT for your domain itself (i.e., a blank hostname) containing this string:<\/p>\n<\/div>\n
v=spf1 mx -all\r\n<\/code><\/pre>\nIf you\u2019re using Linode\u2019s DNS Manager, go to the domain zone page for the selected domain and add a new TXT record. The screen will look something like this once you\u2019ve got it filled out:<\/p>\n
If your DNS provider allows it (DNS Manager doesn\u2019t), you should also add a record of type SPF, filling it in the same way as you did the TXT record.<\/p>\n
Note<\/strong><\/p>\nThe values for the DNS records above – and for the rest of this guide – are done in the style that Linode\u2019s DNS Manager needs them to be in. If you\u2019re using another provider, that respective system may require the values in a different style. For example freedns.afraid.org requires the values to be written in the style found in BIND zonefiles. Thus, the above SPF record\u2019s value would need to be wrapped in double-quotes like this:
\"v=spf1 mx -all\"<\/code>. You\u2019ll need to consult your DNS provider\u2019s documentation for the exact style required.<\/div>\n<\/blockquote>\nAdd the SPF policy agent to Postfix<\/i><\/h3>\n
The Python SPF policy agent adds SPF policy-checking to Postfix. The SPF record for the sender\u2019s domain for incoming mail will be checked and, if it exists, mail will be handled accordingly. Perl has its own version, but it lacks the full capabilities of Python policy agent.<\/p>\n
\n- If you are using SpamAssassin to filter spam, you may want to edit
\/etc\/postfix-policyd-spf-python\/policyd-spf.conf<\/code> to change the HELO_reject<\/code> and Mail_From_reject<\/code> settings to False<\/code>. This edit will cause the SPF policy agent to run its tests and add a message header with the results in it while not<\/em> rejecting any messages. You may also want to make this change if you want to see the results of the checks but not actually apply them to mail processing. Otherwise, just go with the standard settings.<\/li>\n- Edit
\/etc\/postfix\/master.cf<\/code> and add the following entry at the end:\n\n- \/etc\/postfix\/master.cf<\/dt>\n
- \n
\n
\n
\n\n\n\n<\/code><\/pre>\n<\/td>\n\n<\/div>\n policyd-spf unix - n n - 0 spawn\r\n user=policyd-spf argv=\/usr\/bin\/policyd-spf<\/code><\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<\/dd>\n<\/dl>\n<\/li>\n- Open
\/etc\/postfix\/main.cf<\/code> and add this entry to increase the Postfix policy agent timeout, which will prevent Postfix from aborting the agent if transactions run a bit slowly:\n\n- \/etc\/postfix\/main.cf<\/dt>\n
- \n
\n \n \n\n\n\n<\/pre>\n<\/td>\n\n<\/div>\n policyd-<\/span>spf_time_limit<\/span> = 3600<\/span><\/code><\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<\/dd>\n<\/dl>\n<\/li>\n- Edit the
smtpd_recipient_restrictions<\/code> entry to add a check_policy_service<\/code> entry:\n\n- \/etc\/postfix\/main.cf<\/dt>\n
- \n
\n \n \n\n\n\n<\/pre>\n<\/td>\n\n<\/div>\n smtpd_recipient_restrictions<\/span> =\r\n ...\r\n reject_unauth_destination,<\/span>\r\n check_policy_service<\/span> unix:private\/policyd-spf,\r\n ...<\/code><\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<\/dd>\n<\/dl>\nMake sure to add the check_policy_service<\/code> entry after<\/strong> the reject_unauth_destination<\/code> entry to avoid having your system become an open relay. If reject_unauth_destination<\/code> is the last item in your restrictions list, add the comma after it and omit the comma at the end of thecheck_policy_service<\/code> item above.<\/li>\n- Restart Postfix:\n
<\/div>\n systemctl restart postfix\r\n<\/code><\/pre>\n<\/li>\n<\/ol>\nYou can check the operation of the policy agent by looking at raw headers on incoming email messages for the SPF results header. The header the policy agent adds to messages should look something like this:<\/p>\n <\/div>\n Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=127.0.0.1; helo=mail.example.com; envelope-from=text@example.com; receiver=tknarr@silverglass.org\r\n<\/code><\/pre>\nThis header indicates a successful check against the SPF policy of the sending domain. If you changed the policy agent settings in Step 1 to not reject mail that fails the SPF check, you may see Fail results in this header. You won\u2019t see this header on outgoing or local mail.<\/p>\n The SPF policy agent also logs to \/var\/log\/mail.log<\/code>. In the mail.log<\/code> file you\u2019ll see messages like this from the policy agent:<\/p>\n<\/div>\n Jan 7 06:24:44 arachnae policyd-spf[21065]: None; identity=helo; client-ip=127.0.0.1; helo=mail.example.com; envelope-from=test@example.com; receiver=tknarr@silverglass.org\r\nJan 7 06:24:44 arachnae policyd-spf[21065]: Pass; identity=mailfrom; client-ip=127.0.0.1; helo=mail.example.com; envelope-from=test@example.com; receiver=tknarr@silverglass.org\r\n<\/code><\/pre>\nThe first message is a check of the HELO command, in this case indicating that there wasn\u2019t any SPF information matching the HELO (which is perfectly OK). The second message is the check against the envelope From address, and indicates the address passed the check and is coming from one of the outgoing mail servers the sender\u2019s domain has said should be sending mail for that domain. There may be other statuses in the first field after the colon indicating failure, temporary or permanent errors and so on.<\/p>\n Set up DKIM<\/h2>\nDKIM involves setting up the OpenDKIM package, hooking it into Postfix, and adding DNS records.<\/p>\n
| |
| |
|
|