How to set up SPF checking in Postfix
Configure Postfix to check SPF records and fight e-mail spoofing.
By Jacob
Edited: 2023-05-21 14:50
Postfix does not typically check SPF records automatically, so this is something you need to manually configure – luckily it takes very few steps to do so on an Ubuntu server.
policyd-spf is a Python-based policy service for checking SPF records. You will need to install it before you go on to configure your Postfix server.
1. Install the policyd-spf package:
sudo apt install postfix-policyd-spf-python
Note: There is also a Perl package, postfix-policyd-spf-perl, if you prefer, but in this tutorial I will use the Python package.
2. Edit your master.cf file. E.g:
nano /etc/postfix/master.cf
Then add the following two lines at the bottom:
policyd-spf unix - n n - 0 spawn
user=policyd-spf argv=/usr/bin/policyd-spf
3. Edit the /etc/postfix/main.cf file.
You can go ahead and add policyd-spf_time_limit = 3600 – this option sets the time limit for the spawned policyd-spf process.
This edit will depend on your existing configuration; your smtpd_recipient_restrictions needs to have check_policy_service added to it, so it will probably end up looking something like this:
policyd-spf_time_limit = 3600
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination,
check_policy_service unix:private/policyd-spf
4. Restart Postfix so that your changes take effect.
systemctl restart postfix
You should now be done with the configuration.
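Before restarting, it is worth checking that the two files actually carry the wiring from steps 2 and 3, and that check_policy_service sits after the permit_* entries and reject_unauth_destination (a policy result of OK evaluated before the relay check would bypass it). The following script is an added example, not part of this tutorial, Postfix or policyd-spf; it parses the files as plain text (Postfix continues a value on lines that start with whitespace) and the SAMPLE_* strings are constructed copies of the configuration shown above. The default paths /etc/postfix/main.cf and /etc/postfix/master.cf are assumptions and can be overridden on the command line.

```python
"""Check that main.cf and master.cf carry the policyd-spf wiring from steps 2 and 3.

Added example, not part of the original tutorial or of Postfix/policyd-spf.
Paths default to /etc/postfix (an assumption); pass others as arguments.
"""
import re
import sys

POLICY = "check_policy_service unix:private/policyd-spf"

# Constructed samples mirroring the tutorial's configuration.
SAMPLE_MAIN_CF = """\
# comment lines and blank lines are ignored
myhostname = mx1.example.com
policyd-spf_time_limit = 3600
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    check_policy_service unix:private/policyd-spf
"""
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       y       -       -       smtpd
policyd-spf unix - n n - 0 spawn
    user=policyd-spf argv=/usr/bin/policyd-spf
"""


def parse_main_cf(text):
    """Parse main.cf into {parameter: value}; a line starting with whitespace continues the previous value."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        key, sep, value = raw.partition("=")
        if sep:
            current = key.strip()
            params[current] = value.strip()
    return params


def restriction_list(value):
    """Split a restriction list (comma and/or whitespace separated); check_* restrictions keep their argument."""
    tokens = re.split(r"[,\s]+", value.strip())
    out, i = [], 0
    while i < len(tokens):
        if tokens[i].startswith("check_") and i + 1 < len(tokens):
            out.append(tokens[i] + " " + tokens[i + 1])
            i += 2
        else:
            if tokens[i]:
                out.append(tokens[i])
            i += 1
    return out


def check_spf_wiring(main_cf_text, master_cf_text):
    """Return a list of problems; an empty list means the SPF policy service is wired in as in the tutorial."""
    problems = []
    params = parse_main_cf(main_cf_text)
    restrictions = restriction_list(params.get("smtpd_recipient_restrictions", ""))
    if POLICY not in restrictions:
        problems.append(f"smtpd_recipient_restrictions does not contain '{POLICY}'")
    else:
        pos = restrictions.index(POLICY)
        # Trusted clients and the relay check must be decided before the policy lookup:
        # otherwise your own users get SPF-checked and an OK from a policy service
        # placed before reject_unauth_destination would skip the relay check entirely.
        for earlier in ("permit_sasl_authenticated", "permit_mynetworks", "reject_unauth_destination"):
            if earlier in restrictions and restrictions.index(earlier) > pos:
                problems.append(f"{earlier} is listed after '{POLICY}'")
    if "policyd-spf_time_limit" not in params:
        problems.append("policyd-spf_time_limit is not set")
    if not re.search(r"^policyd-spf\s+unix\s+.*\bspawn\b", master_cf_text, re.M):
        problems.append("master.cf has no 'policyd-spf unix ... spawn' service")
    if not re.search(r"^\s+user=policyd-spf\s+argv=/usr/bin/policyd-spf\b", master_cf_text, re.M):
        problems.append("master.cf policyd-spf service lacks 'user=policyd-spf argv=/usr/bin/policyd-spf'")
    return problems


if __name__ == "__main__":
    main_path = sys.argv[1] if len(sys.argv) > 1 else "/etc/postfix/main.cf"
    master_path = sys.argv[2] if len(sys.argv) > 2 else "/etc/postfix/master.cf"
    with open(main_path) as f, open(master_path) as g:
        found = check_spf_wiring(f.read(), g.read())
    print("OK" if not found else "\n".join(found))
    sys.exit(1 if found else 0)
```

Run it as `python3 check_spf_wiring.py` on the server (or with two explicit paths); a non-zero exit code and a list of problems means one of the steps above was not applied as shown.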
Verify that your setup is working
You can verify that Postfix is checking SPF records correctly by examining your /var/log/mail.log file. grep is perfect for searching through log files, e.g.:
grep -R "Received-SPF" /var/log/
This should result in something like:
May 19 11:32:17 ip-172-31-1-1 policyd-spf[113343]: prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=x.x.x.x; helo=example.com; [email protected]; receiver=<UNKNOWN>
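A single grep shows that the policy service is running, but over a day of traffic you usually want a tally of results and a list of the senders that did not pass. The script below is an added example, not part of this tutorial or of policyd-spf; it only understands the "prepend Received-SPF:" lines of the form shown above, and SAMPLE_LOG is constructed (RFC 5737 documentation addresses and example domains), not a real capture. The file name spf_log_summary.py is an assumption.

```python
"""Summarise policyd-spf results from a Postfix mail.log.

Added example, not part of the original tutorial. Parses only the
"prepend Received-SPF:" lines; other log lines are skipped.
"""
import re
from collections import Counter

# Constructed sample log lines (documentation addresses, not a real capture).
SAMPLE_LOG = """\
May 19 11:32:17 mx1 policyd-spf[113343]: prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=192.0.2.10; helo=mail.example.com; envelope-from=alice@example.com; receiver=<UNKNOWN>
May 19 11:33:02 mx1 postfix/smtpd[113350]: connect from unknown[203.0.113.5]
May 19 11:33:04 mx1 policyd-spf[113343]: prepend Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=203.0.113.5; helo=example.org; envelope-from=bob@example.net; receiver=<UNKNOWN>
May 19 11:35:40 mx1 policyd-spf[113343]: prepend Received-SPF: None (mailfrom) identity=mailfrom; client-ip=198.51.100.23; helo=smtp.example.org; envelope-from=carol@example.org; receiver=<UNKNOWN>
May 19 11:36:12 mx1 policyd-spf[113343]: prepend Received-SPF: Fail (mailfrom) identity=mailfrom; client-ip=203.0.113.77; helo=example.com; envelope-from=ceo@example.com; receiver=<UNKNOWN>
"""

LINE_RE = re.compile(
    r"policyd-spf\[(?P<pid>\d+)\]: prepend Received-SPF: "
    r"(?P<result>\w+) \((?P<scope>[^)]*)\)\s*(?P<fields>.*)$"
)


def parse_spf_line(line):
    """Return a dict (result, scope, client-ip, envelope-from, ...) for a prepend line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    entry = {"result": m.group("result"), "scope": m.group("scope")}
    for field in m.group("fields").split(";"):
        key, sep, value = field.strip().partition("=")
        if sep:
            entry[key] = value
    return entry


def summarize(log_text):
    """Count results per SPF verdict and collect (result, client-ip, envelope-from) for every non-Pass line."""
    counts = Counter()
    not_passed = []
    for line in log_text.splitlines():
        entry = parse_spf_line(line)
        if entry is None:
            continue
        counts[entry["result"]] += 1
        if entry["result"] != "Pass":
            not_passed.append((entry["result"], entry.get("client-ip"), entry.get("envelope-from")))
    return counts, not_passed


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    counts, not_passed = summarize(text)
    for result, n in sorted(counts.items()):
        print(f"{result:10s} {n}")
    for result, ip, sender in not_passed:
        print(f"{result}: client-ip={ip} envelope-from={sender}")
```

Run `python3 spf_log_summary.py /var/log/mail.log` to see the breakdown; a Fail whose envelope-from carries your own domain is exactly the spoofing attempt that SPF checking is there to catch, and a steady stream of None results tells you which correspondents have not published a record at all.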
What is SPF?
An SPF record is a TXT record in the DNS zone of a domain name. It is used to verify that a given SMTP server is authorized to send e-mail originating from that domain name.
When someone sends an e-mail to your server, the domain part of the sender address can be looked up in DNS. If the server that delivered the e-mail is not permitted to send e-mail for that domain, the e-mail should be considered "spoofed" and rejected – regardless of whether the mismatch was a mistake or not.
Mistakes are probably rare these days, and if someone has misconfigured their e-mail server's SPF records, then it is not your problem. As of this writing, I still see incorrectly configured SPF records from time to time; when this happens, you can add an exception to the rules, but in general I would not do this, as it would leave you open to simple spoofing attacks.
Your Postfix server can be configured to check SPF records automatically. Configuring this is a small effort, and it will make it much harder for scammers to spoof e-mail messages.
In the not-so-distant past, spammers were able to send e-mail on behalf of any e-mail address, because there were no checks in place to verify that the sending server was in fact allowed to send e-mail on behalf of a given user or domain name.
Checking DNS txt records
You can look up the SPF record of a domain name with the following command from a terminal:
dig example.com txt
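The record that dig returns is a string such as `v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all`, and the "What is SPF?" section above describes what policyd-spf does with it: match the connecting client's IP against the mechanisms in order and turn the first match's qualifier into a verdict. The evaluator below is an added example, not code from this tutorial or from policyd-spf, written to make that evaluation concrete. It is deliberately offline: ZONE and A_RECORDS are constructed stand-ins for DNS answers (documentation addresses only), and only the ip4, ip6, a, include and all mechanisms plus the redirect= modifier are implemented; mx, ptr and exists yield "permerror" here. It also enforces the ten-lookup limit of RFC 7208 section 4.6.4, which is what stops a self-including record from looping.

```python
"""Minimal SPF (RFC 7208) evaluator for the kind of record `dig example.com txt` returns.

Added example, not part of the original tutorial or of policyd-spf. Offline by design:
DNS answers come from the constructed ZONE / A_RECORDS dicts below.
"""
import ipaddress

# Constructed stand-in for DNS TXT answers (domain -> SPF record string).
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip6:2001:db8::/32 a:mail.example.net ~all",
    "loop.example.org": "v=spf1 include:loop.example.org -all",  # pathological self-include
}
# Constructed stand-in for DNS A/AAAA answers used by the "a" mechanism.
A_RECORDS = {"mail.example.net": ["198.51.100.7"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: include/a/mx/ptr/exists/redirect count towards this


def check_host(client_ip, domain, _lookups=None):
    """Return pass, fail, softfail, neutral, none or permerror for client_ip sending as domain."""
    lookups = _lookups if _lookups is not None else [0]  # counter shared across includes/redirects
    record = ZONE.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    redirect = None
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        if "=" in term:
            continue  # other modifiers (exp=, unknown ones) are ignored, RFC 7208 section 6
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        if "/" in name:  # e.g. "a/24": prefix length without an explicit domain
            name, _, cidr = name.partition("/")
            arg = (arg or domain) + "/" + cidr
        name = name.lower()
        if name in ("include", "a"):
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)  # False across IP versions
            except ValueError:
                return "permerror"  # malformed address or prefix
        elif name == "a":
            target, _, prefix = (arg or domain).partition("/")
            matched = any(
                ip in ipaddress.ip_network(f"{addr}/{prefix}" if prefix else addr, strict=False)
                for addr in A_RECORDS.get(target, [])
            )
        elif name == "include":
            sub = check_host(client_ip, arg, lookups)
            if sub in ("none", "permerror"):
                return "permerror"  # RFC 7208 section 5.2: missing or broken included record
            matched = sub == "pass"  # include matches only on a pass of the included record
        else:
            return "permerror"  # mx, ptr, exists are not implemented in this example
        if matched:
            return QUALIFIERS[qualifier]
    if redirect is not None:
        lookups[0] += 1
        if lookups[0] > MAX_DNS_LOOKUPS:
            return "permerror"
        result = check_host(client_ip, redirect, lookups)
        return "permerror" if result == "none" else result
    return "neutral"  # RFC 7208 section 4.7: no mechanism matched and no redirect


if __name__ == "__main__":
    import sys
    ip, domain = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else ("192.0.2.44", "example.com")
    print(f"{ip} sending as {domain}: {check_host(ip, domain)}")
```

To try it against a real record, paste the string that dig returned into ZONE under the domain name and run `python3 spf_eval.py CLIENT_IP DOMAIN` (the file name is an assumption); the example never touches the network itself. Note how a softfail inside an included record does not count as a match, so the outer record's `-all` still decides, and how the lookup counter turns the self-including loop.example.org record into a permerror instead of infinite recursion.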