Tran Nghi's Site  - Make notes and share experience

Postfix – Config SPF, DKIM and DMARC


Below are some articles that I referred to when configuring SPF and DKIM on my self-hosted mail server.

1) SPF

The first article that I found: “Authenticating with SPF: -all or ~all”
And more detail: “Configure SPF and DKIM With Postfix on Debian 8”

Below is my work – I was setting up for a sub-domain of assuming that you have already configured the DNS records for your mail server, like this:

lcl A record – points to public mail ip
lcl MX record – mail handled by
mail CNAME record – is an alias of

So now, I am setting up my SPF like this:

lcl    TXT record  – has value as “v=spf1 a mx -all”


Each item in the value is optional: if you have a specific IP address, there is no need for the include option, or you can have multiple include options as you want:
– has value as “v=spf1 a mx -all”


See the explanation in the links above.

If you’re using the Exchange Mail Online Service 365, you probably have a TXT record like this – for my root domain (ie:

@    TXT record  – has value as “v=spf1 -all”



2) DMARC

I am currently setting my DMARC as below:

_dmarc.lcl   TXT record  – has value as “v=DMARC1;p=quarantine;sp=quarantine;adkim=r;aspf=r”

Or if you’re using Exchange Mail Online Service 365, it shall be like this – for my root domain (ie:

_dmarc  TXT record  – has value as “v=DMARC1; p=none;”

Find the explanation


3) DKIM – OpenDKIM

I was referring to some articles like this:
But actually, this article made things work:

My work:

root@<host>:# apt install opendkim opendkim-tools

root@<host>:# vi /etc/opendkim.conf

# I prefer to use a wildcard as suggested
# Domain
  Domain *
  KeyFile /etc/postfix/dkim.key
  Selector mail
  SOCKET inet:8891@localhost

root@<host>:# vi /etc/default/opendkim

# Command-line options specified here will override the contents of
# /etc/opendkim.conf. See opendkim(8) for a complete list of options.
# Uncomment to specify an alternate socket
# Note that setting this will override any Socket value in opendkim.conf
# default:
# SOCKET="local:/var/run/opendkim/opendkim.sock"
# listen on all interfaces on port 54321:
# SOCKET="inet:54321"
# listen on loopback on port 12345:
# SOCKET="inet:12345@localhost"
# listen on on port 12345:
# SOCKET="inet:[email protected]"
# Below was added by Nghia Le for DKIM Configuration
  SOCKET="inet:8891@localhost"

root@<host>:# vi /etc/postfix/

# Below was added by Nghia Le for DKIM Configuration
  milter_default_action = accept
  milter_protocol = 2
  smtpd_milters = inet:localhost:8891
  non_smtpd_milters = inet:localhost:8891

# Key generation for dkim-milter and its setup with DNS
root@<host>:# opendkim-genkey -t -s mail -d

root@<host>:# cp mail.private /etc/postfix/dkim.key
root@<host>:# chown opendkim:opendkim /etc/postfix/dkim.key

root@<host>:# cat mail.txt
mail._domainkey IN TXT ( "v=DKIM1; k=rsa; t=y; " "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCS+uGXm55i2E24CuSCyvLurVkGhTxjgtmXMFvmSXaduBSjLz8wqxgfCo/aBRG8fIqKpoTZy6Wc/QRd29xE0zKMxY2QX+oFJYjDco7fLuL1UTQv3OhhH/dr4RxUrf0V+XPsxlmUS/gDNl1wsRZyGQaogTmjgfLGJzrz901GOcIxXwIDAQAB" ) ; ----- DKIM key mail for
# You have to add this TXT record to your domain

root@<host>:# systemctl start opendkim.service
root@<host>:# systemctl restart postfix.service
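
As an added example (not part of the original post), the Python script below audits the record values shown on this page before they are published: it joins the quoted chunks of mail.txt, decodes the p= key to measure the RSA modulus, and flags the t=y test flag and a DMARC p=none policy. The function names are illustrative; the record values are copied from the page.

```python
import base64
import re

# Values copied from this page: the mail.txt line (zone comment dropped) and both DMARC records.
MAIL_TXT = ('mail._domainkey IN TXT ( "v=DKIM1; k=rsa; t=y; " '
            '"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCS+uGXm55i2E24CuSCyvLurVkGhTxjgtmXMFvmSXaduBSjLz8wqxgfCo/aBRG8fIqKpoTZy6Wc/QRd29xE0zKMxY2QX+oFJYjDco7fLuL1UTQv3OhhH/dr4RxUrf0V+XPsxlmUS/gDNl1wsRZyGQaogTmjgfLGJzrz901GOcIxXwIDAQAB" )')
DMARC_LCL = "v=DMARC1;p=quarantine;sp=quarantine;adkim=r;aspf=r"
DMARC_ROOT = "v=DMARC1; p=none;"

def txt_value(zone_line):
    """Join the quoted chunks of a zone-file TXT record, as printed in mail.txt."""
    return "".join(re.findall(r'"([^"]*)"', zone_line))

def parse_tags(value):
    """Split 'tag=value; tag=value' (DKIM and DMARC syntax) into a dict."""
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    return {k.strip(): v.strip() for k, v in pairs}

def _tlv(der, pos):
    """Return (content_start, content_end) of the DER element at pos."""
    length, pos = der[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_bits(p_b64):
    """Modulus size of the RSA key in a DKIM p= tag (DER SubjectPublicKeyInfo)."""
    der = base64.b64decode(p_b64)
    spki, _ = _tlv(der, 0)               # outer SEQUENCE
    _, alg_end = _tlv(der, spki)         # AlgorithmIdentifier, skipped
    bitstr, _ = _tlv(der, alg_end)       # BIT STRING holding RSAPublicKey
    rsa, _ = _tlv(der, bitstr + 1)       # +1 skips the unused-bits byte
    mod_start, mod_end = _tlv(der, rsa)  # first INTEGER is the modulus
    return int.from_bytes(der[mod_start:mod_end], "big").bit_length()

def audit(dkim_value, dmarc_value):
    """List weak settings in one DKIM key record and one DMARC record."""
    dkim, dmarc, findings = parse_tags(dkim_value), parse_tags(dmarc_value), []
    if "y" in dkim.get("t", "").split(":"):
        findings.append("DKIM t=y: test flag set by opendkim-genkey -t is still published")
    if (bits := rsa_bits(dkim["p"])) < 2048:
        findings.append(f"DKIM RSA key is {bits} bits; RFC 8301 says signers should use 2048+")
    if dmarc.get("p") == "none":
        findings.append("DMARC p=none: reports only, failing mail is not quarantined or rejected")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(txt_value(MAIL_TXT), DMARC_ROOT)))
```

With the root-domain DMARC record it reports all three findings; with the sub-domain's p=quarantine record only the two DKIM findings remain.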