Install SPF

The Sender Policy Framework (SPF) is an open standard specifying a technical method to prevent sender address forgery.

Set up a TXT record in your nameserver

v=spf1 mx ip4:255.255.255.255 ip4:255.255.255.254 ~all

mx: allows the hosts listed in the domain's MX records to send messages

Replace the 255.255.255.x placeholder addresses with your real IP addresses.

~all is for softfail (deliver, but marked)

-all is for hardfail (message not delivered)

?all is neutral (does nothing)

Test with mxtoolbox.com. Everything should be green.
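
To check a record offline before publishing it, here is a small linter. It is an added example, not part of the original page. It reports what the "all" qualifier does, flags reserved placeholder addresses such as 255.255.255.255, and counts DNS-lookup terms against the RFC 7208 limit of 10. The function name lint_spf and the sample address 203.0.113.10 are assumptions.

```python
import ipaddress

# Result each qualifier yields when its mechanism matches (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
DNS_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}


def lint_spf(record):
    """Return (result_of_all, dns_lookups, warnings) for one SPF TXT value."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("SPF record must start with v=spf1")
    all_result, lookups, warnings = None, 0, []
    for pos, term in enumerate(terms[1:], start=1):
        qualifier = term[0] if term[0] in QUALIFIERS else "+"  # "+" is implied
        body = term.lstrip("+-~?")
        name = body.replace("=", ":").split(":")[0].split("/")[0].lower()
        if name in DNS_TERMS:
            lookups += 1
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(body.partition(":")[2], strict=False)
            except ValueError:
                warnings.append(f"{term}: not a valid address or network")
                continue
            if net.network_address.is_reserved:
                warnings.append(f"{term}: reserved address, placeholder left in?")
        elif name == "all":
            all_result = QUALIFIERS[qualifier]
            if pos != len(terms) - 1:
                warnings.append("terms after 'all' are never evaluated")
    if all_result in ("neutral", "pass") or (
            all_result is None and "redirect=" not in record.lower()):
        warnings.append("record does not restrict unlisted senders")
    if lookups > 10:
        warnings.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    return all_result, lookups, warnings


if __name__ == "__main__":
    # Constructed samples: the page's template and a filled-in variant that
    # uses a documentation address (203.0.113.10) as the assumed real IP.
    for rec in ("v=spf1 mx ip4:255.255.255.255 ip4:255.255.255.254 ~all",
                "v=spf1 mx ip4:203.0.113.10 -all"):
        print(rec, "->", lint_spf(rec))
```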

Install SPF Policy Agent for Postfix

apt update && apt -y dist-upgrade && apt -y install postfix-policyd-spf-perl

Configure Postfix

vi /etc/postfix/master.cf
policy-spf  unix  -       n       n       -       -       spawn
     user=nobody argv=/usr/sbin/postfix-policyd-spf-perl
vi /etc/postfix/main.cf
# The prefix must match the service name used in master.cf (policy-spf)
policy-spf_time_limit = 3600
.
.
.
smtpd_recipient_restrictions = permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
  reject_rbl_client zen.spamhaus.org,
  check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf,
  check_policy_service unix:private/policy-spf
service postfix restart

Check configuration

Send a mail from Gmail to yourself and watch the mail log:

tail -f /var/log/mail.log

You should see

Policy action=PREPEND Received-SPF: pass

DMARC

Don’t forget to configure a DMARC resource record (RR) as well!
