
SPF stands for Sender Policy Framework, a mechanism that prevents spammers from spoofing other users. With SPF, a mail server can check whether the IP address of the mail sender is consistent with the domain name displayed in the message header. By setting up SPF, you can prevent others from spoofing your email address to send spam, and you can also enable your mail server to block messages sent by spoofers.

Setting up SPF requires changes on both the DNS server and the mail server: adding DNS TXT records, and editing the mail server's configuration files to enable SPF checking.

To add an SPF record to DNS, follow these steps:

  1. If your domain is managed through your domain registrar or virtual host provider, go to its DNS management page. If you run your own DNS server, open the zone file of your domain for editing.
  2. Add a new record. (For example, in GoDaddy: after signing in, on the My domain page, click the domain you want to modify, then on the page that opens click Manage DNS, then click Add.)
  3. Set the type of new record to TXT 
  4. Set the host (or name) field to @ or leave it blank.
  5. In the TXT value field,
    • For hard fail mode, which means mail from servers not listed in your domain's MX records will be rejected, enter the following value:

      v=spf1 MX -all
    • For soft fail mode, which means mail from servers not listed in your domain's MX records will be allowed through but tagged as suspicious, enter the following value:

      v=spf1 MX ~all
  6. If you are editing the DNS zone file directly, the SPF TXT record in the zone file should look like this:

    @   TXT "v=spf1 MX -all"
  7. Save the settings.

Please note that it may take hours for the changes to propagate across the Internet. You can check whether your SPF settings are correct at https://mxtoolbox.com/spf.aspx.
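How a receiving server evaluates the two records above, shown as an added example (not code from the original page or from postfix-policyd-spf-perl). The domains, host names, addresses and action labels are constructed for illustration, and only the mx, ip4/ip6 and all mechanisms are handled.

```python
import ipaddress

# Constructed DNS data for the example (documentation names and addresses).
DNS = {
    "TXT": {"example.com": "v=spf1 MX -all", "example.net": "v=spf1 MX ~all"},
    "MX": {"example.com": ["mail.example.com"], "example.net": ["mx.example.net"]},
    "A": {"mail.example.com": ["192.0.2.10"], "mx.example.net": ["198.51.100.7"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, sender, dns=DNS):
    """Return the SPF result for client_ip sending mail as sender."""
    domain = sender.rsplit("@", 1)[-1].lower()
    terms = dns["TXT"].get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                        # domain publishes no SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:                   # terms are tried left to right
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = (term[1:] if term[0] in QUALIFIERS else term).lower()
        if mech == "all":                    # matches every client
            matched = True
        elif mech == "mx":                   # client must be one of the MX hosts
            hosts = dns["MX"].get(domain, [])
            addrs = [a for h in hosts for a in dns["A"].get(h, [])]
            matched = any(ip == ipaddress.ip_address(a) for a in addrs)
        elif mech.startswith(("ip4:", "ip6:")):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        else:
            raise NotImplementedError(term)  # not handled in this example
        if matched:
            return QUALIFIERS[qualifier]     # first match decides the result
    return "neutral"                         # nothing matched and no "all" term


def policy_action(result):
    """Map an SPF result to the handling described above (labels are made up)."""
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "accept-and-tag"
    return "accept"
```
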

To enable SPF checking on your Postfix mail server, follow these steps:

  1. Install perl-Mail-SPF using yum.

    # yum install perl-Mail-SPF.noarch
  2. Download the SPF Perl script from http://www.openspf.org/Software:

    # wget http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.005.tar.gz 
    # tar -xzf postfix-policyd-spf-perl-2.005.tar.gz
    # cd postfix-policyd-spf-perl-2.005 
    # cp postfix-policyd-spf-perl /usr/local/bin/        
  3. Open /etc/postfix/main.cf, find the 'smtpd_recipient_restrictions =' section, and add the following on a new line:

    check_policy_service unix:private/policy

    Note: 'check_policy_service' should be added to the existing options rather than replacing them. The edited section should look like this:

      smtpd_recipient_restrictions =
                permit_mynetworks,
                permit_sasl_authenticated,
                reject_unauth_destination,
                check_policy_service unix:private/policy,
                .....
  4. Save and close the file.
  5. Open /etc/postfix/master.cf and add the following somewhere near the bottom of the file:

    policy     unix  -       n       n       -       -       spawn       user=nobody argv=/usr/bin/perl /usr/local/bin/postfix-policyd-spf-perl
  6. Save and close the file, then reload Postfix:

    # postfix reload

If you want to check whether your SPF setting works, open the system mail log (/var/log/maillog), where you should see log entries for the SPF checks.