Enabling SPF checks in Postfix:-

SPF is an e-mail anti-forgery technology the enables domain owners to list, in the Domain Name Service (DNS), authorized sources of mail from their domains. It enables mail receivers to reject mail that does not come from authorized sources.

Package installation:-

Install the following package in the server.

#For python based systems
sudo apt-get install postfix-policyd-spf-python
# For Perl based systems
sudo apt-get install postfix-policyd-spf-perl

Integrating with postfix:-

There are a number of changes the need to be made to integrate SPF checking with Postfix. In this guide, integration of the Python programs is described.

Add the following line into the postfix main.conf file.

policy-spf_time_limit = 3600s

Add this section to /etc/postfix/master.cf for the Python script

policy-spf unix – n n – – spawn
user=nobody argv=/usr/bin/policyd-spf

For the perl script

policy-spf unix – n n – – spawn
user=nobody argv=/usr/sbin/postfix-policyd-spf-perl

Finally add the following to the main.cf file.

smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,check_policy_service unix:private/policy-spf

Now reload the postfix configuration using the startup script.

sudo service postfix reload

Now check the logs and verify that it is working fine.

Domainkeys Identified Mail:-

DomainKeys Identified Mail (DKIM) is a method for E-mail authentication, allowing a person who receives email to verify that the message actually comes from the domain that it claims to have come from. The need for this type of authentication arises because spam often has forged headers.

DKIM uses public-key cryptography to allow the sender to electronically sign legitimate emails in a way that can be verified by recipients.


You can install opendkim from the traditional ubuntu repositories using the aptitude command.

sudo aptitude install opendkim opendkim-tools

Important: For 12.04 Precise you must install opendkim from the precise backports. Note that backports are enabled only by using /precise-backports on a given package, so this will not affect any other packages you have installed.

sudo aptitude install opendkim/precise-backports
sudo aptitude install opendkim-tools/precise-backports


Mainly the opendkim configuration consist of two files.

1. /etc/opendkim.conf

2. /etc/default/opendkim

You can edit the configuration file /etc/opendkim.conf as per your requirements. The following configuration parameters in the opendkim.conf needs to be modified as per your domain name / hostname.

Domain yourdomain.com
KeyFile /etc/opendkim/keys/dkimkey.private ## Path to private key file
Selector dkimkey ## the name of selector
Socket inet:9891@localhost ## The DKIM listening socket
SenderHeaders Sender,From

Note: Usually, OpenDKIM tries to match the contents of only the From field in the SigningTable.  With the configuration SenderHeaders           Sender,From, it will use the Sender field instead, if it exists.

Also, you can modify some of the general settings as follows:-

AutoRestart yes
Background yes
Canonicalization relaxed/relaxed
DNSTimeout 5
Mode sv
SignatureAlgorithm rsa-sha256
SubDomains no
X-Header no

Actually, /etc/opendkim.conf is the most important configuration file for opendkim. This file provides the milter with required information about selector and the signing keys.

Next important configuration file is /etc/default/opendkim. This file is used to connect milter to the MTA postfix. Generally there is no additional configurations required in this file.

Now we need to tell out postfix mail server about the milter and connect the postfix MTA to milter. Edit the postfix mail configuration file (/etc/postfix/main.cf) as follows.

milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:9891
non_smtpd_milters = inet:localhost:9891

If you are already using one milter, add additional milters as follows

milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:9891, inet:localhost:9892
non_smtpd_milters = inet:localhost:9891, inet:localhost:9892

Generating keys for DKIM milter:-

The utility called opendkim-genkey available in opendkim-tools to generate the key pairs.

# opendkim-genkey -t -s <selector name> -d <domain name>

This will generate two files. One is the private key file with name <selector name>.private and <selector name>.txt which is the DNS record containing public key.

The -s argument supplies the selector (in our case “mail”), the -d argument supplies the domain, and the -t argument says that we are running DKIM in test mode.

Copy the key file to the correct location. You have already added the key file location in the /etc/opendkim.conf file. SO check the configuration file and move the private key file to corresponding location.

cp -p <selector name>.private /etc/opendkim/keys/

Now create the DNS using the public key from the .txt file.

<selector name>._domainkey.domain.com. IN TXT “v=DKIM1; g=*; k=rsa; p=PpYHdE2tdfsdfbnbnpvL1Tk2dDYv0pF28/f 5MxU83x/0bsnsdFGsdfvaz1IghjUThGs/6bm5QIDAQAB” ; —– DKIM mail for domain.com

Now start the DKIM service and check the mail.log file.

# sudo service opendkim start
# grep -i dkim /var/log/mail.log

Instead of starting the dkim service using startup script, you can start it directly as follows:-

dkim-filter -x /etc/dkim-filter.conf

Hope you enjoy reading. Thanks :)