Postfix Installation On Ubuntu

How to Set Up SPF and DKIM on a Mail Server in Ubuntu 20.04

This is Part 3 of the tutorial series on building a mail server on Ubuntu 20.04. In Part One, we installed Postfix as the SMTP server. Then, in Part Two, we set up IMAP with Dovecot and enabled TLS encryption. Now in this part, we’re going to configure SPF and DKIM, two crucial DNS records that help increase the trustworthiness of your emails — and reduce the chances of them being marked as spam.


Why SPF and DKIM Matter

SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) are both published as TXT records in your domain’s DNS settings. SPF lets the receiving server verify that the email was sent from an authorized server, and DKIM lets it verify that the message hasn’t been tampered with during delivery.

When you send an email, the recipient’s server will:

  • Check if your SPF record allows your IP to send on behalf of your domain.
  • Validate the message’s digital signature against the public key in your DKIM record.

If both checks pass, your email is more likely to land in the inbox — not the spam folder.


Step 1: Install Postfix SPF Policy Agent

We’ll begin by installing a policy agent to help Postfix check incoming emails for valid SPF records.

sudo apt -y install postfix-policyd-spf-python

Then edit the Postfix master configuration:

sudo nano /etc/postfix/master.cf

Add this block to the bottom:

policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

Now update the main Postfix configuration:

sudo nano /etc/postfix/main.cf

Append the following:

policyd-spf_time_limit = 3600
smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unauth_destination,
   check_policy_service unix:private/policyd-spf

Restart Postfix:

sudo systemctl restart postfix

Step 2: Install and Configure OpenDKIM

Install OpenDKIM:

sudo apt -y install opendkim opendkim-tools

Add Postfix to the OpenDKIM group:

sudo gpasswd -a postfix opendkim

Edit the main OpenDKIM config:

sudo nano /etc/opendkim.conf

Add the following to the end:

Canonicalization simple
Mode sv
SubDomains no
AutoRestart yes
AutoRestartRate 10/1M
Background yes
DNSTimeout 5
SignatureAlgorithm rsa-sha256
KeyTable refile:/etc/opendkim/key.table
SigningTable refile:/etc/opendkim/signing.table
ExternalIgnoreList /etc/opendkim/trusted.hosts
InternalHosts /etc/opendkim/trusted.hosts

Set Up DKIM Files

Create directory for your domain (replace yourdomain.com):

sudo mkdir -p /etc/opendkim/keys/yourdomain.com

Create signing table:

sudo nano /etc/opendkim/signing.table

Add:

*@yourdomain.com default._domainkey.yourdomain.com

Create key table:

sudo nano /etc/opendkim/key.table

Add:

default._domainkey.yourdomain.com yourdomain.com:default:/etc/opendkim/keys/yourdomain.com/default.private
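The signing table maps a sender pattern to a key name, and the key table maps that key name to domain:selector:key file, so the two files have to agree on the key name. The check below is an added example, not part of the original tutorial or of OpenDKIM; the function name check_tables and the inline copies of the two entries are constructed for illustration, and the check assumes the key path is absolute.

```shell
#!/bin/sh
# Added example: cross-check signing.table against key.table.

# Constructed copies of the two entries used in this tutorial.
SIGNING_TABLE='*@yourdomain.com default._domainkey.yourdomain.com'
KEY_TABLE='default._domainkey.yourdomain.com yourdomain.com:default:/etc/opendkim/keys/yourdomain.com/default.private'

# check_tables SIGNING_TEXT KEY_TEXT
# Prints one line per problem and returns 1, or returns 0 when the tables agree.
check_tables() {
    problems=$(printf '%s\n---\n%s\n' "$2" "$1" | awk '
        /^---$/ { in_signing = 1; next }          # separator: key table ends
        /^[ \t]*#/ || /^[ \t]*$/ { next }         # skip comments and blanks
        !in_signing {
            # key.table line: <key name> <domain>:<selector>:<private key path>
            n = split($2, part, ":")
            if (NF != 2 || n != 3 || part[1] == "" || part[2] == "" || part[3] !~ /^\//) {
                print "key.table: malformed entry: " $0
                next
            }
            known[$1] = 1
            next
        }
        {
            # signing.table line: <sender pattern> <key name>
            if (NF != 2) { print "signing.table: malformed entry: " $0; next }
            if (!($2 in known))
                print "signing.table: " $1 " uses unknown key " $2
        }')
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

check_tables "$SIGNING_TABLE" "$KEY_TABLE" && echo "tables agree"
```

On the server, pass the real files instead: check_tables "$(cat /etc/opendkim/signing.table)" "$(cat /etc/opendkim/key.table)".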

Create trusted hosts list:

sudo nano /etc/opendkim/trusted.hosts

Add:

127.0.0.1
localhost
*.yourdomain.com

Generate the DKIM Keys

sudo opendkim-genkey -b 2048 -d yourdomain.com -D /etc/opendkim/keys/yourdomain.com -s default -v

This will generate:

  • default.private – your private signing key
  • default.txt – your public DNS key

Display your public key:

sudo cat /etc/opendkim/keys/yourdomain.com/default.txt

Copy everything between the parentheses () in the TXT record, remove all double quotes (") and line breaks, then convert it into one clean line. You’ll need this for your DNS settings.
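The clean-up described above can be scripted instead of done by hand. This is an added example, not from the original tutorial: the function names are hypothetical, and the sample record is constructed, with a shortened placeholder where the real key would be.

```shell
#!/bin/sh
# Added example: turn opendkim-genkey's default.txt into a one-line TXT value.

# Constructed sample in the layout opendkim-genkey writes. The p= value is a
# shortened placeholder, not a real key.
sample_default_txt() {
cat <<'EOF'
default._domainkey  IN  TXT  ( "v=DKIM1; h=sha256; k=rsa; "
      "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAexamplepart1"
      "examplepart2IDAQAB" )  ; ----- DKIM key default for yourdomain.com
EOF
}

# Read default.txt on stdin and print the record value as a single line.
flatten_dkim_txt() {
    tr '\n' ' ' |                          # join the physical lines
    sed -e 's/^[^(]*(//' -e 's/).*$//' |   # keep only what is inside ( ... )
    grep -o '"[^"]*"' |                    # one quoted chunk per line
    tr -d '"\n'                            # drop quotes, rejoin the chunks
}

# Return 0 if the value is fit to paste into DNS: v=DKIM1 comes first and the
# p= tag is non-empty base64 with no stray quotes, spaces or parentheses.
check_dkim_value() {
    case $1 in
        'v=DKIM1;'*) ;;
        *) echo "value does not start with v=DKIM1" >&2; return 1 ;;
    esac
    p=$(printf '%s' "$1" | tr ';' '\n' | sed -n 's/^ *p=//p')
    [ -n "$p" ] || { echo "p= tag missing or empty" >&2; return 1; }
    case $p in
        *[!A-Za-z0-9+/=]*) echo "p= contains non-base64 characters" >&2; return 1 ;;
    esac
    return 0
}

value=$(sample_default_txt | flatten_dkim_txt)
check_dkim_value "$value" && printf '%s\n' "$value"
```

On the server, feed it the real file: sudo cat /etc/opendkim/keys/yourdomain.com/default.txt | flatten_dkim_txt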


Step 3: Add DNS Records for SPF and DKIM

Go to your domain DNS panel (e.g. Cloudflare) and add the following:

DKIM Record (TXT)

  • Type: TXT
  • Name: default._domainkey
  • Content: [Paste your cleaned-up DKIM public key]

SPF Record (TXT)

  • Type: TXT
  • Name: @
  • Value: v=spf1 mx ~all

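In this SPF record, mx allows only the servers listed in your domain’s MX records to send mail on your behalf, and ~all asks receivers to treat mail from any other server as a soft fail (suspicious, but not rejected outright).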


Step 4: Set File Ownership for OpenDKIM

Set correct ownership:

sudo chown -R opendkim:opendkim /etc/opendkim
sudo chmod go-rw /etc/opendkim/keys

Step 5: Test DKIM Key and DNS

Verify that your DKIM setup is working:

sudo opendkim-testkey -d yourdomain.com -s default -vvv

You should see:

key OK

Note: The message "key not secure" means DNSSEC is not enabled. That’s normal and not an issue for most setups.


Step 6: Link OpenDKIM with Postfix

Create a socket directory:

sudo mkdir /var/spool/postfix/opendkim
sudo chown opendkim:postfix /var/spool/postfix/opendkim

Edit OpenDKIM config:

sudo nano /etc/opendkim.conf

Find the line with:

Socket local:/run/opendkim/opendkim.sock

Change to:

Socket local:/var/spool/postfix/opendkim/opendkim.sock

Then edit:

sudo nano /etc/default/opendkim

Update this line:

SOCKET="local:/var/spool/postfix/opendkim/opendkim.sock"

Edit Postfix configuration:

sudo nano /etc/postfix/main.cf

Add to the bottom:

milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters

Restart services:

sudo systemctl restart opendkim postfix

Step 7: Test Your Mail Server with SPF & DKIM

Use mail-tester.com:

  1. Go to the site and copy the temporary email address.
  2. Open Thunderbird or any mail client.
  3. Send a test email to that address from your domain.
  4. Click “Then check your score” on the website.

Check your report — it will tell you whether SPF and DKIM are working correctly.


What’s Next?

Once your SPF and DKIM records are verified and valid, your emails should gain more trust from receiving servers.

But there’s still one more important step: DMARC.
It adds an additional layer of authentication and helps protect your domain from spoofing.

👉 Up next: Part 4 – How to Create a DMARC Record for Your Mail Server on Ubuntu

Let’s keep improving your mail server’s reputation!
