Connect with us

Hi, what are you looking for?


Set up SPF and DKIM with CentOS / RHEL Mail Server Postfix

Set up SPF and DKIM with CentOS / RHEL Mail Server Postfix

After completion of the first and second part, we have a working Postfix SMTP server and a Dovecot IMAP server. We can send and receive emails with our desktop email client. Although I made the right MX, A and PTR records, my email was marked as spam in Gmail and Outlook messages. Therefore, this article examines how the delivery of e-mail in the recipient’s mailbox can be improved by configuring SPF and DKIM on the CentOS/RHEL server.

What are SPF and DKIM records?

SPF and DKIM are two types of TXT records in the DNS that can help prevent identity theft and ensure that legitimate email is delivered to the recipient’s mailbox instead of the spam folder. If your domain is abusing email spoofing, your email will probably end up in the recipient’s junk mail folder if the recipient has not added you to his or her address book.

The Sender Policy Framework (SPF) defines which hosts or IP addresses may send email on behalf of a domain. You can only allow your own mail server or the server of your ISP to send e-mail for your domain.

DKIM (DomainKeys Identified Mail) uses a private key to add signatures to emails sent from your domain. SMTP reception servers verify the signature with the corresponding public key published in your domain’s DNS records.

Creating an SPF record in the DNS

Create a new TXT record in the DNS management interface as shown below.

TXT @ v=spf1 mx ~all

Set up SPF and DKIM with CentOS / RHEL Mail Server Postfix


  • TXT indicates that it is a TXT data record.
  • Enter @ in the name field to display the name of the top level domain.
  • v=spf1 indicates that it is an SPF record and the version of the SPF record is SPF1.
  • mx means that all hosts listed in MX records are allowed to send mail for your domain, and all other hosts are not allowed to send mail.
  • ~All indicates that mail from your domain should only come from the hosts specified in the SPF record. Letters sent by other hosts are marked as false. Possible alternatives + all, – all, ?all, but they are rarely used.

-All this means that emails from banned hosts must be rejected and never reach the recipient’s inbox or junk mail. I’ve seen it used on, but in general we don’t need this kind of strict guidelines.

Note that some DNS managers require you to enclose the SPF record in double quotes, as shown below.

TXT @ v=spf1 mx ~all

To check if your SPF mail is distributed on the public internet, you can use the dig program on your Linux machine, as shown below:

dig txt

The txt option tells Dig that we only want to retrieve TXT records.

Set up SPF and DKIM with CentOS / RHEL Mail Server Postfix

You can also use an online SPF validator such as to see which hosts can send email for your domain and to debug your SPF entry if an error occurs. dmarcian SPF geodesist can help you check the syntax of the SPF entry.

Implementation of the SPFsoftware agent

We also need to ask our SMTP Postfix server to check the SPF input for incoming mail to detect spoofed mail. First install the necessary packages:

sudo dnf install python3-pip
sudo -Hip3 install pyspf py3dns pypolicyd-spf

Then add a user to the policy.

sudo adduser policyd-spf –user-group –no-create-home -s /bin/false

Edit the main configuration file of the postfix process.

sudo nano /etc/postfix/

Add the following lines to the end of the file that tell Postfix to run the SPF policy daemon when this Policyd-spf is running as a user of Policyd-spf.

polyvid-spf unicex – n – 0 Caviar
user=polyvid-spf argv=/usr/local/bin/policyd-spf

Save the file and close it. Then edit the main postfix configuration file.

sudo nano /etc/postfix/

Add the following lines at the end of the folder. The first line specifies the setting of the postfix policy agent timeout (for DNS query). The following rules limit incoming e-mails by checking the FPS’s entries.

policyd-spf_time_limit = 3600
smtpd_recipient_restrictions =
check_policy_service unix:private/policyd-spf

Save the file and close it. Then restart the postfix.

sudo systemctl Restart Postfix

The next time you receive an e-mail from a domain with an SPF record, you can see the results of the SPF check in the header of the raw e-mail. The following header indicates the sender who sent the email from the authorized host.

I’ve got the FPS: Skip (the sender of the FPS is authorised).


Two common parts of the software that can perform DKIM signing and verification under Linux are OpenDKIM and Amavis. OpenDKIM is not part of the CentOS 8/RHEL 8 repository, so we will use Amavis. Amavis (Mail Virus Scanner) is a high-quality interface between the Mail Agent (MTA) and content filters. Usually used for

  • Virus analysis with ClamAV integration
  • Spam detection by SpamAssassin integration
  • DKIM signature and verification

In this tutorial we focus on DKIM signing and verification. Virus and spam analysis is covered in one of the following lessons. Keep in mind that Amavis needs enough RAM to work. If your server has only 1 GB of RAM, you may need to upgrade to 2 GB.

Updated in 08. March 2020: From now on, OpenDKIM is included in the EPEL repository. If you prefer to use OpenDKIM for singing and checking DKIM, please read the following article.

If you prefer to use Amavis, please read the following content.

Install a new system on CentOS 8/RHEL 8.

Amavisd-neu is written in Perl. We need to enable EPEL (additional packages for Enterprise Linux) and the CodeReady Linux Builder repository on RHEL 8 to install some Perl dependencies for Amavisd-new.

Install sudo dnf epel-release

sudo subo-manager repos –enable=codeready-builder-for-rhel-8-x86_64-rpms

On CentOS 8, you can enable EPEL (additional packages for Enterprise Linux) and the PowerTools repository to install Perl calculations for Amavisd-new.

sudo dnf installed epel-release
sudo dnf-config manager – with PowerTools settings

Then install a surprising new package.

The installation of sudo dnf is remarkably new.

Start with Amavis.

sudo systemctl start amavisd

Activate automatic start during charging.

sudo systemctl enable amavisd

Check his condition:

Amavisd system status

Taking samples:

Amavisd.service – Amavisd-new is the interface between the MTA and the content control devices.
Downloaded: downloaded (/usr/lib/system/amavisd.service; enabled; vendor default: disabled)
Active: active (in progress) since Sun 2020-01-19 06:18:14 EST; 40 years ago
Main PID: 10827 (/usr/sbin/amavi)
Tasks : 3 (Limit: 5047)
memory : 8.8M
CGroup: /system.slice/amavisd.service
├─10827 /usr/sbin/amavisd (master)
├─10831 /usr/sbin/amavisd (virgin child)
└─10832 /usr/sbin/amavisd (virgin child).

Amavisd listens, as you can see in the example :

sudo netstat -lnpt | grep amavisd

Set up SPF and DKIM with CentOS / RHEL Mail Server Postfix

And he works like an Amavis user.

Creation of Amavis

The main configuration file is /etc/amavisd/amavisd.conf.  Open it:

ship-nano / etc. / Amavisd. / Amavisd.conf.

First find the next line. (In the Nano word processor, you can press Ctrl+W to search for a string).

$idomain = “”;

Change to your main domain name.

World = ;

Then find the next line.

# $myhostname = ‘’ #

Remove the comment icon (#) and change the hostname to your real hostname, as shown below The hostname $myhostname is used by Amavisd-new to identify the host and it is important to keep it correct for ESMTP EHLO, loop definition, etc.

$myhostname = ‘’;

By default, both the DKIM signature and the DKIM verification options are enabled, as indicated in the following two lines, which is normal

$enable_dkim_verification = 1; # enable DKIM signature verification
$enable_dkim_signing = 1; # load DKIM signature code, keys defined by dkim_key

Next, we can add the following line that defines the DKIM selector and the DKIM key for that specific domain name.

dkim_key(‘’, ‘20200119’, ‘/var/spool/amavisd/dkim/’) ;

You can use any name for your DKIM selector, but I found it useful to use the current date (January 19, 2020) as DKIM selector. You can find your personal key at /var/spool/amavised/dkim/ Then we have to add the following lines.

@dkim_signature_options_bysender_maps = ( {
# ‘d’ default for the domain with author/origin address,
# ‘s’ default for each selector proposed by the corresponding key.

# d explicitly directs the third party to subscribe to foreign (hosted) domains => { { d =>, a => rsa-sha256, ttl => 10*24*3600 }.

# catchall defaults
‘. => { a => ‘rsa-sha256’, c => ‘relaxed/simple’, ttl => 30*24*3600 ‘,
‘.} ) ;

This tells Amavis that emails sent from must be signed with a DKIM key associated with If you have two domains, you can use the DKIM key of one of the domains to sign emails from both domains. However, it is recommended to use a special DKIM key for each domain. Save the file and close it.

Then we need to generate a private DKIM key. Run the following command to create the directory /var/spool/amavisd/dkim/ to save the keys

µdir ship /var/spool/amavisd/kim/

Generate a private key for your domain.

sudo amavisd genrsa /var/spool/amavisd/dkim/ 2048

Show me the public key.

sudo amavisd -c /etc/amavisd/amavisd.conf showkeys

The line after parameter p is the public key.

Set up SPF and DKIM with CentOS / RHEL Mail Server Postfix

Create a TXT item in the DNS administrator, enter 20200119._ domain in the name field. If you are using another DKIM selector, replace 20200119 with the real DKIM selector.

Then go back to the terminal window, copy everything in parentheses and paste it into the value field of the DNS record. It is necessary to remove all double quotes and line breaks in the value field. If you don’t remove them, the main test will most likely fail.

Set up SPF and DKIM with CentOS / RHEL Mail Server Postfix

After saving the changes. Check the TXT record with this command.

dig TXT

You can now run the following command to check if the DKIM DNS entry is correct.

sudo amavisd -c /etc/amavisd/amavisd.conf Tests

If the DNS input is correct, the test is passed.

Test#1 : => Transfer

Use a special port for sending email

By default, the Amavis 10024 eavesdropping port is designed to scan incoming email. It is a good idea to use another port, such as 10026, to send emails from authenticated users. Edit the main file of the Amavis configuration.

ship-nano / etc. / Amavisd. / Amavisd.conf.

Find the next line.

$inet_socket_port = 10024 ;

Add a # symbol to comment on it.

#$inet_socket_port = 10024 ;

Then take the note in the next line so that Amavisd also listens on port 10026.

$inet_socket_port = [10024.10026] ;

With a small scroll down you will find the next line that defines the ORIGINATION policy of port 10026.

$interface_policy{‘10026’} = ‘ORIGIN’;

You will then find the following rules that determine the POLICY OF THE ORIGIN.

$policy_bank{‘ORIGINATING’} = { # mail allegedly submitted by our smtp customer
=> 1, # state that the mail was submitted by our smtp customer
allow_disclaimers => 1, # activate disclaimers if available,
# notifies the malware administrator
virus_admin_maps => [[email protected]$mydomain],
spam_admin_maps => [[email protected]$mydomain],
warningbadhsender => 1,
# sends to the smtpd service, which uses the DKIM signature service
forward_method => ‘smtp :[]:10027’,
# forced conversion of ATM to 7 bits (eg. for DKIM signing)
smtpd_discard_ehlo_keywords => [‘8BITMIME’],
bypass_banned_checks_maps => [1], # allows sending any file name and type
termination_dsn_on_notify_success => 0, # NOTIFY=SUCCESS Do not delete option
} ;

In the above lines you can see that Amavis by default forwards messages to the SMTPD service provided by the DKIM signature service. Since we will use Amavis to sign emails from authenticated users, we need to comment on the forward_method guideline.

# forward_method => ‘smtp : []:10027’,

Save the file and close it. Then we have to tell SELinux that Amavis can use gate 10026. Install the next packet that gives the seed command.

Install sudo dnf policycoreutils-python-utils

Then set port type 10026 to amavisd_recv_port_t so Amavis can listen to port 10026.

port -m -t amavisd_recv_port_t -p tcp 10026

Reboot Amavis

sudo systemctl restart amavisd

Check its status to make sure that the restart has taken place.

Amavisd system status

Postfix SMTP server integration with Amavis

Amavisd-neu works like an SMTP proxy. E-mails are sent via SMTP, processed and sent back to the ATM via a new SMTP connection.

Edit the main postfix configuration file.

sudo nano /etc/postfix/

Add the following line to the end of the file. This requires Postfix to enable content filtering by sending each incoming email message to Amavis listeners at

content_filter = smtp-amavis : []:10024

Save the file and close it. Then edit the file.

sudo nano /etc/postfix/

Add the following lines to the end of the file. This forces Postfix to use a special SMTP client component called smtp-amavis to deliver email messages to Amavis. Please provide at least one space (tab or space) for each -o.  In postfixed configurations, a preceding space means that this string is an extension of the previous string.

smtp-amavis unix – – n – 2 smtp
-o syslog_name=postfix/amavis
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disabled_dns_lookups=yes
-o max_use=20.

Then add the following lines to the end of the file. This requires Postfix to run an additional smtpd daemon that listens at to retrieve Amavis emails. inet n – n – smtpd-o syslog_name=postfix/10025-o content_filter=-o mynetworks_style=host-o mynetworks= local_recipient_maps=-o relay_recipient_maps=-o strict_rfc821_envelopes=yeso-o smtp_tls_security_level=not-o smtpd_tls_security_level=no-o smtpd_restriction_classes=-o smtpd_delay_reject=no-o smtpd_client_restrictions=permit_mynetworks,reject-o smtpd_helo_restrictions=-o smtpd_sender_restrictions=-o smtpd_recipient_restrictions=permit_mynetworks,Reject : o smtpd_end_of_data_restrictions=-o smtpd_error_sleep_time=0-o smtpd_soft_error_limit=1001-o smtpd_hard_error_limit=1000-o smtpd_error_sleep_time=0-o smtpd_error_sleep_time.o smtpd_soft_error_limit=1001-o smtpd_hard_error_limit=1000-o smtpd_client_connection_count_limit=0-o smtpd_client_connection_rate_limit=0-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings

Then add the following line to the shipping service.

-o content_filter=smtp-amavis : []:10026

Here we go:

enteret n – y – – – smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_wrappermode=not
-o smtpd_sasl_enable=yes
-o smtpd_relay_restrictions=permit_sasl_authenticated,
-o smtpd_recipient_restrictions=permit_mynetworks,allow_sasl_authenticated,reject
-o smtpd_sasl_type=pigeon fan
-o smtpd_sasl_path=private/auth
-o content_filter=smtp-amavis :[]:10026

In this way, emails from authorized users are forwarded to Amavis for the DKIM signature. If you have activated the smtps service for Microsoft Outlook users, you must also add this line to the smtps service.

smtps inet n – y – – – smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_recipient_restrictions=permit_mynetworks,allow_sasl_authenticated,reject
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o content_filter=smtp-amavis :[]:10026

Save the file and close it. Restart the postfix to make the changes take effect.

sudo systemctl Restart Postfix

Check its status to make sure that the restart has taken place.

Status of the postfix system

SPF and DKIM studies

You can now send a test mail from your mail server to your Gmail account to see if SPF and DKIM were successful. If you click View original in the drop-down menu to the right of an open Gmail email message, the authentication results are displayed.

Set up SPF and DKIM with CentOS / RHEL Mail Server Postfix

If your message is not signed and DKIM verification fails, you can check the postfix log (/var/log/maillog) to see what is wrong with your configuration. Your mail server also performs SPF and DKIM checks for the sender’s domain. You can see the results in the e-mail headers. Below is a Gmail SPF and DKIM verification of the sender.

I’ve got the FPS: Pass (mailfrom) identity= mailfrom; client-ip=2607:f8b0:4864:20::c2d;; [email protected]; recipient=
Authentication results:;
dkim=pas (2048-bit key; unprotected) [email protected] header.b=XWMRd2co;

E-mail Evaluation and post testing

You can now go to You will see a unique e-mail address. Send an e-mail from your domain to this address and check your score. As you can see, I have an excellent result.

Set up SPF and DKIM with CentOS / RHEL Mail Server Postfix can only show you the sender’s note. There is another service called GlockApps that allows you to check if your email is in the recipient’s inbox or junk folder or if it is rejected altogether. It supports many popular email providers such as Gmail, Outlook, Hotmail, YahooMail, iCloud Mail and more.

Set up SPF and DKIM with CentOS / RHEL Mail Server Postfix

Microsoft Mailboxes (,

It seems that Microsoft uses an internal blacklist that blocks many legitimate IP addresses. If your email is rejected by the viewer or the Hotmail program, you will need to send a form with information about the sender. Your email will then be accepted by outlook/hotmail, but can still be marked as spam. In my test, the e-mail was stuck in a Gmail mailbox. In my mail, however, it is still marked as spam, even though both SPF and DKIM have been bypassed.

What should you do if your email is still marked as spam?

In this article I have a few more tips for you: How can you prevent your letters from being marked as spam?

Next step

In the fifth part we will see how we can create a DMARC record to protect your domain against email spoofing. As always, if you find this message useful, sign up for our free newsletter to receive other useful articles, or follow us on Twitter or our Facebook page.

Evaluate this training manual.

On second thought: 1 Average : 5]postfix dkim centos,postfix spf centos 7,smtp server centos postfix,centos mail server with web interface,ubuntu postfix spf dkim dmarc,postfix not signing dkim,postfix dmarc,sendmail dkim ubuntu 18

You May Also Like


The latest round of MITRE ATT&CK evaluations proved yet again that Microsoft customers can trust they are fully protected even in the face of...


As the robot process automation (RPA) market becomes more and more dynamic, more and more companies are trying to integrate RPA into their business...


On Thursday, April 23rd, 2020, Canonical Ltd, the makers of Ubuntu Linux distribution officially released the long-awaited Ubuntu 20.04 version code-named “Focal Fossa”, it...


One of the most discussed new features in Ubuntu 20.04 is the dark mode. You can install a dark theme in any version of...