Install SPF

The Sender Policy Framework (SPF) is an open standard specifying a technical method to prevent sender address forgery.

Set up a TXT record in your nameserver

v=spf1 mx ip4: ip4: ~all

mx … authorizes the hosts listed in the domain's MX records to send messages

replace with your real IP.

~all is for softfail (deliver, but marked)

-all is for hardfail (message not delivered)

?all is neutral (does nothing)

Test with Everything should be green.
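
A pre-publication check for the record described above, as an added example that is not part of the original guide. The function name lint_spf and the sample records (documentation-range addresses) are assumptions. It reports the policy selected by the all qualifier and flags ip4/ip6 terms that were left without a valid address.

```python
import ipaddress

# Result applied to senders that match nothing else, keyed by the "all" qualifier.
ALL_POLICY = {"~": "softfail", "-": "hardfail", "?": "neutral", "+": "pass"}

def lint_spf(record):
    """Return (policy, problems) for one SPF TXT record string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None, ["record must start with v=spf1"]
    policy, problems = None, []
    for pos, term in enumerate(terms[1:], start=2):
        # A mechanism without an explicit qualifier defaults to "+" (pass).
        qualifier = term[0] if term[0] in ALL_POLICY else "+"
        mech = term[1:] if term[0] in ALL_POLICY else term
        name, _, value = mech.lower().partition(":")
        if name == "all":
            policy = ALL_POLICY[qualifier]
            if qualifier == "+":
                problems.append("+all authorizes every host to send")
            if any("=" not in later for later in terms[pos:]):
                problems.append("mechanisms after 'all' are never tested")
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                problems.append(f"'{term}' has a missing or invalid address")
            else:
                if net.version != int(name[2]):
                    problems.append(f"'{term}' uses the wrong address family")
    if policy is None and not any(t.lower().startswith("redirect=") for t in terms):
        problems.append("no 'all' term: unmatched senders get 'neutral'")
    return policy, problems

if __name__ == "__main__":
    # Constructed sample records; addresses are from the documentation ranges.
    samples = [
        "v=spf1 mx ip4:192.0.2.10 ip4:198.51.100.0/24 ~all",
        "v=spf1 mx ip4: ip4: ~all",  # placeholders never filled in
        "v=spf1 mx -all",
    ]
    for rec in samples:
        print(rec, "->", lint_spf(rec))
```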

Install SPF Policy Agent for Postfix

apt update && apt -y dist-upgrade && apt -y install postfix-policyd-spf-perl

Configure Postfix

vi /etc/postfix/
policy-spf  unix  -       n       n       -       -       spawn
     user=nobody argv=/usr/sbin/postfix-policyd-spf-perl
vi /etc/postfix/
# The prefix must match the master.cf service name (policy-spf)
policy-spf_time_limit = 3600
smtpd_recipient_restrictions = permit_mynetworks,
  check_recipient_access mysql:/etc/postfix/,
  check_recipient_access mysql:/etc/postfix/,
  check_policy_service unix:private/policy-spf
service postfix restart

Check configuration

Send a mail from Gmail to yourself and watch the mail log:

tail -f /var/log/mail.log

You should see

Policy action=PREPEND Received-SPF: pass


Don’t forget to configure a DMARC RR!