Introduction

Email authentication lets receiving servers distinguish mail you actually sent from mail that forges your domain, which is what spammers and phishers rely on. This guide explains DKIM, SPF and DMARC and shows how to set them up on a VPS mail server.

1. SPF (Sender Policy Framework)

Publishes the IP addresses authorised to send email for your domain, as a TXT record at the domain apex: v=spf1 mx ip4:YOUR_VPS_IP -all (replace YOUR_VPS_IP with your server's public address). Receivers check the envelope sender (MAIL FROM) domain against this record.

2. DKIM (DomainKeys Identified Mail)

Signs outgoing mail with a private key; public key in DNS. Install OpenDKIM, generate key pair, publish selector record.

3. DMARC (Domain‑based Message Authentication, Reporting and Conformance)

Policy telling receiving servers how to handle messages that pass neither SPF nor DKIM with alignment, plus where to send reports. Publish a TXT record at _dmarc.yourdomain: "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com".

4. Configure SPF in Postfix

Define the SPF policy daemon as a service named policy-spf in /etc/postfix/master.cf, then add check_policy_service unix:private/policy-spf to smtpd_recipient_restrictions in /etc/postfix/main.cf so Postfix consults it for every inbound message.

5. Configure DKIM Signing in Postfix

Edit /etc/opendkim.conf so KeyTable and SigningTable point at your selector and private key, and connect Postfix to the OpenDKIM milter (smtpd_milters and non_smtpd_milters in /etc/postfix/main.cf), otherwise nothing is signed. Restart opendkim and postfix.

6. Test with Online Tools

Use dkimvalidator.com or mxtoolbox.com to verify your records.

7. DMARC Reporting

Set rua to receive daily aggregate (XML) reports; ruf requests per-message failure (forensic) reports, which only a minority of receivers actually send.

8. DMARC Policy from None to Reject

Start with p=none, monitor reports, then move to p=quarantine, then p=reject.

9. BIMI (Brand Indicators)

Optional: shows your logo next to authenticated emails in mail clients that support it; requires DMARC enforcement, i.e. p=quarantine or p=reject.

10. SPF Hard Fail vs Soft Fail

Use -all (hard fail) once every legitimate sender is listed; start with ~all (soft fail) while you are still discovering senders.

11. Handling Third‑Party Senders (Mailchimp, SendGrid)

Include their SPF mechanisms (include:) and make sure they DKIM‑sign with your domain. Most third‑party senders use their own bounce domain in MAIL FROM, so DKIM alignment is what makes their mail pass DMARC.
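The checks from sections 1, 10 and 11 (is there an all mechanism, is it -all or ~all, and how many lookup-costing terms such as include: the record has) can be run against a record before it goes live. The following linter is an added example, not code from the guide; it parses the record text only and makes no DNS queries, so the include: hostnames are constructed placeholders and nested includes are not counted.

```python
"""SPF record linter: an added example, not code from the guide.

It parses the text of a v=spf1 TXT record (no DNS queries are made), reports
the qualifier on the "all" mechanism and counts the terms that each cost a
DNS lookup when a receiver evaluates the record. RFC 7208 caps those at 10
per evaluation; exceeding it yields a permerror, which DMARC treats as a fail.
"""
import re

# Terms that each trigger a DNS lookup during evaluation (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
# name, optionally followed by :arg (include:, ip4:), /cidr (a/24) or =value (redirect=)
TERM_RE = re.compile(r"^([a-z0-9]+)(?:[:=/](.*))?$", re.IGNORECASE)


def parse_spf(record: str) -> list:
    """Split the terms after v=spf1 into (qualifier, name, argument) tuples.

    Unparseable terms come back with the name "INVALID" so the caller can report them.
    """
    parsed = []
    for term in record.strip().split()[1:]:
        qualifier = "+"  # the implicit qualifier is "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        m = TERM_RE.match(term)
        if m is None:
            parsed.append((qualifier, "INVALID", term))
        else:
            parsed.append((qualifier, m.group(1).lower(), m.group(2) or ""))
    return parsed


def lint_spf(record: str) -> dict:
    """Return the all-qualifier, lookup count and a list of warnings for one record."""
    result = {"valid": True, "all_qualifier": None, "lookups": 0, "warnings": []}
    warn = result["warnings"].append
    first = record.strip().split()[:1]
    if not first or first[0].lower() != "v=spf1":
        result["valid"] = False
        warn("record does not start with v=spf1")
        return result
    terms = parse_spf(record)
    names = {name for _, name, _ in terms}
    seen_all = False
    for qualifier, name, arg in terms:
        if seen_all:
            warn(f"term after 'all' is never evaluated: {name}")
        elif name == "INVALID":
            result["valid"] = False
            warn(f"unparseable term: {arg!r}")
        elif name == "all":
            seen_all = True
            result["all_qualifier"] = qualifier
        elif name in LOOKUP_TERMS:
            # An included record's own lookups count too; only this record is counted here.
            result["lookups"] += 1
            if name == "ptr":
                warn("ptr is deprecated (RFC 7208) and slow; list addresses or includes instead")
    if result["all_qualifier"] is None and "redirect" not in names:
        warn("no 'all' mechanism: unlisted senders get a neutral result instead of a failure")
    elif result["all_qualifier"] == "+":
        warn("+all authorises every IP on the internet; forging your domain passes SPF")
    elif result["all_qualifier"] == "~":
        warn("~all (softfail): switch to -all once every legitimate sender is listed")
    if result["lookups"] > MAX_LOOKUPS:
        warn(f"{result['lookups']} lookup terms exceed the limit of {MAX_LOOKUPS}; receivers return permerror")
    return result


if __name__ == "__main__":
    # Constructed records: a VPS-only record and one with two third-party includes.
    for rec in ("v=spf1 mx ip4:203.0.113.10 -all",
                "v=spf1 mx a include:_spf.example.net include:mail.example.org ~all"):
        print(rec, "->", lint_spf(rec))
```

Each include: you add for a third‑party sender costs at least one lookup, and the provider's own record usually contains more, so a domain with several providers can hit the limit of 10 without realising; the linter's count is a lower bound for that reason.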

12. DKIM Key Rotation

Create a second selector and key pair, publish the new public key under the new selector, switch the signing table to it, and retire the old key only after the old record's DNS TTL has passed and no mail signed with it is still in transit.
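Sections 2, 5 and 12 all come down to the same three artefacts per selector: the selector._domainkey TXT record, the KeyTable line and the SigningTable line. The helper below is an added example, not code from the guide or from OpenDKIM; it turns a PEM public key into the DNS record (split into the 255‑octet strings a zone file requires, which opendkim-genkey's selector.txt also does) and emits the two table lines. The key embedded here is constructed placeholder bytes, not a real RSA key, and the paths under /etc/opendkim/keys are the assumed layout.

```python
"""DKIM DNS record and OpenDKIM table helpers: an added example, not from the guide.

Takes a PEM public key (as written by `openssl rsa -pubout`), builds the
selector._domainkey TXT record, splits it into the 255-octet strings a zone
file needs, and writes the matching KeyTable and SigningTable lines. The key
below is placeholder bytes, not a real RSA key; generate a real one with
opendkim-genkey or openssl.
"""
import base64

# Constructed placeholder: 512 arbitrary bytes wrapped in PEM armour (NOT a key).
_PLACEHOLDER_B64 = base64.b64encode(bytes(range(256)) * 2).decode()
PLACEHOLDER_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + "\n".join(_PLACEHOLDER_B64[i:i + 64] for i in range(0, len(_PLACEHOLDER_B64), 64))
    + "\n-----END PUBLIC KEY-----\n"
)


def pem_public_key_to_p(pem: str) -> str:
    """Return the PEM body as one base64 line, i.e. the DKIM p= value.

    Raises ValueError when the armour is missing or the body is not base64.
    """
    lines = [line.strip() for line in pem.strip().splitlines() if line.strip()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN") or not lines[-1].startswith("-----END"):
        raise ValueError("not a PEM block")
    body = "".join(lines[1:-1])
    base64.b64decode(body, validate=True)  # raises binascii.Error (a ValueError) on garbage
    return body


def dkim_txt_record(selector: str, domain: str, pem: str, max_string: int = 255) -> dict:
    """Build the DNS TXT record for one selector.

    One character-string inside a TXT record holds at most 255 octets, so a
    2048-bit key must be split into several quoted strings; resolvers and DKIM
    verifiers concatenate them back into a single value.
    """
    value = f"v=DKIM1; k=rsa; p={pem_public_key_to_p(pem)}"
    strings = [value[i:i + max_string] for i in range(0, len(value), max_string)]
    name = f"{selector}._domainkey.{domain}."
    quoted = " ".join(f'"{s}"' for s in strings)
    return {"name": name, "value": value, "strings": strings,
            "zone_line": f"{name} IN TXT ( {quoted} )"}


def opendkim_table_lines(domain: str, selector: str, key_dir: str = "/etc/opendkim/keys") -> tuple:
    """KeyTable and SigningTable (refile: syntax) entries for signing mail from domain.

    Rotation means adding these lines for the new selector and publishing its
    TXT record, then removing the old selector's lines and record once mail
    signed with the old key is no longer in transit.
    """
    key_name = f"{selector}._domainkey.{domain}"
    key_table = f"{key_name} {domain}:{selector}:{key_dir}/{domain}/{selector}.private"
    signing_table = f"*@{domain} {key_name}"
    return key_table, signing_table


if __name__ == "__main__":
    rec = dkim_txt_record("2024a", "example.com", PLACEHOLDER_PEM)
    print(rec["zone_line"])
    for line in opendkim_table_lines("example.com", "2024a"):
        print(line)
```

Keep the private key file readable only by the opendkim user; the public half is the only part that belongs in DNS, and the p= value is what verifiers fetch for every signed message.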

13. DMARC Aggregate Report Analysis

Use tools like dmarcian or parse reports yourself to identify missing sources.

14. Postfix Configuration for Outbound

Ensure myhostname in /etc/postfix/main.cf is a name under your domain with matching forward and reverse DNS, since Postfix uses it in HELO/EHLO; receivers also evaluate SPF against the HELO identity, and a mismatch there fails it.

15. Authenticated Received Chain (ARC)

For forwarded email, consider ARC to preserve authentication results.

16. TLS for MTA (STARTTLS)

Require TLS for outbound delivery with smtp_tls_security_level = encrypt in /etc/postfix/main.cf. Note that encrypt refuses delivery to any MX that does not offer STARTTLS; may (opportunistic TLS) is the usual setting for general internet delivery, with encrypt reserved for relays you control.

17. Checking DMARC Compliance

Send test emails to check-auth@verifier.port25.com.

18. Mail Server Blocklists

Good email authentication reduces the chance of being blacklisted.

19. Hostxpeed and Reverse DNS

Ensure your VPS's PTR record resolves to the sending hostname and that the hostname resolves back to the same IP (forward‑confirmed reverse DNS); Hostxpeed sets PTR records on request through support.

20. Automating DMARC Reports

Use a cron job to fetch and summarise DMARC reports, alert on failures.
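The summarising step from sections 13 and 20 is mostly XML parsing: each aggregate report lists, per source IP, how many messages it sent and whether aligned SPF and DKIM passed. The script below is an added example, not code from the guide or from dmarcian; it parses the RFC 7489 report format, lists the sources that fail DMARC outright, and computes a failure rate a cron job can alert on. The embedded report is constructed sample data (its second source is a third‑party sender that passes only through DKIM alignment, as section 11 describes). Reports arrive as gzip or zip attachments, so a real job decompresses each attachment and passes the XML text in.

```python
"""DMARC aggregate (rua) report summariser: an added example, not from the guide.

Parses the XML schema from RFC 7489 Appendix C. policy_evaluated holds the
aligned SPF and DKIM results; DMARC passes when either one passes.
"""
import xml.etree.ElementTree as ET

# Constructed sample report: one VPS source, one ESP that aligns via DKIM only,
# and one unknown source that fails both. Not a real report.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>reporter.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>2024a</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.55</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>esp1</selector><result>pass</result></dkim>
      <spf><domain>bounce.esp.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>7</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def _text(node, path: str, default: str = "") -> str:
    """Text of the first child at path, or default when absent/empty."""
    found = node.find(path)
    return found.text.strip() if found is not None and found.text else default


def summarise_report(xml_text: str) -> dict:
    """Reduce one aggregate report to a per-source list with the aligned results."""
    root = ET.fromstring(xml_text)
    sources = []
    for rec in root.findall("record"):
        dkim = _text(rec, "row/policy_evaluated/dkim", "fail")
        spf = _text(rec, "row/policy_evaluated/spf", "fail")
        sources.append({
            "ip": _text(rec, "row/source_ip"),
            "count": int(_text(rec, "row/count", "0")),
            "dkim": dkim,
            "spf": spf,
            "disposition": _text(rec, "row/policy_evaluated/disposition"),
            # DMARC passes if either aligned identifier passes (RFC 7489 section 6.6.2)
            "dmarc_pass": dkim == "pass" or spf == "pass",
            "dkim_selector": _text(rec, "auth_results/dkim/selector"),
        })
    return {
        "reporter": _text(root, "report_metadata/org_name"),
        "domain": _text(root, "policy_published/domain"),
        "policy": _text(root, "policy_published/p"),
        "sources": sources,
    }


def failing_sources(summary: dict) -> list:
    """Sources whose mail failed DMARC: either forgers or senders you forgot to authorise."""
    return [s for s in summary["sources"] if not s["dmarc_pass"]]


def failure_rate(summary: dict) -> float:
    """Fraction of reported messages that failed DMARC (0.0 when the report is empty)."""
    total = sum(s["count"] for s in summary["sources"])
    failed = sum(s["count"] for s in failing_sources(summary))
    return failed / total if total else 0.0


def should_alert(summary: dict, max_failure_rate: float = 0.05) -> bool:
    """Cron-friendly decision: alert when more than max_failure_rate of mail failed."""
    return failure_rate(summary) > max_failure_rate


if __name__ == "__main__":
    summary = summarise_report(SAMPLE_REPORT)
    print(f"{summary['reporter']} report for {summary['domain']} (p={summary['policy']})")
    for s in summary["sources"]:
        print(f"  {s['ip']:>15} {s['count']:>5} dkim={s['dkim']} spf={s['spf']} pass={s['dmarc_pass']}")
    print("failure rate:", round(failure_rate(summary), 3), "alert:", should_alert(summary))
```

A source that fails both checks but sends mail you recognise is a missing entry in SPF or an unsigned relay and belongs in the record before you move past p=none; a source you do not recognise is exactly what p=reject is there to stop.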

Conclusion

Implement SPF, DKIM, and DMARC to protect your domain and improve email deliverability.