How to Properly Configure SPF, DKIM, and DMARC for Your Mail Server (Postfix + Gmail Deliverability)
Gmail has strict requirements for accepting bulk email. If you’re running your own mail server (e.g. Postfix), follow this guide to configure everything according to Google's standards and improve your deliverability.
1. DNS Setup (A, PTR, SPF, DKIM, DMARC)
- A-record: Ensure each mail hostname resolves to the correct IP.
- PTR (rDNS): The IP address must reverse-resolve to the same domain as your HELO/EHLO hostname.
- SPF: Example record:
vindazo.be. IN TXT "v=spf1 ip4:144.76.216.108 ip4:144.76.216.109 ip4:148.251.233.101 -all"
- DKIM: Generate a key using opendkim-genkey and publish it as a TXT record:
alert._domainkey.vindazo.be. IN TXT "v=DKIM1; k=rsa; p=MIIBI...QAB"
- DMARC: Start with:
_dmarc.vindazo.be. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@vindazo.be; fo=1"
2. Postfix and OpenDKIM Setup
Configure Postfix to use OpenDKIM:
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301
In /etc/opendkim.conf:
Domain vindazo.be
KeyFile /etc/opendkim/keys/vindazo.be/alert.private
Selector alert
Canonicalization relaxed/relaxed
Mode sv
3. Testing Results from SpamAssassin
Here’s a real-world test score example:
- DKIM_VALID 0.1 ✅ DKIM is valid
- SPF_PASS 0.001 ✅ SPF matches sender
- SPF_HELO_NONE -0.001 ⚠️ HELO domain missing SPF
- RCVD_IN_RP_SAFE 2.0 ✅ Whitelisted relay
- T_REMOTE_IMAGE -0.01 ⚠️ External images present
To fix SPF_HELO_NONE, publish this record for the HELO domain (e.g. alert.vindazo.be):
alert.vindazo.be. IN TXT "v=spf1 ip4:144.76.216.109 -all"
4. DKIM Validation Result
Example valid DKIM signature:
v=1; a=rsa-sha256; c=simple/simple; d=vindazo.be; s=alert;
bh=EnX/...; h=Subject:From:To:Date;
b=j7zdLO3Qk5R8C/oqBSEjY...
Validated using:
- opendkim-testkey -d vindazo.be -s alert -vvv
- Mail-Tester.com
5. Recommended DMARC Policy Progression
- Start with:
v=DMARC1; p=none; rua=mailto:dmarc@vindazo.be; fo=1
- After verifying reports, move to:
v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@vindazo.be; fo=1
- Eventually:
v=DMARC1; p=reject; rua=mailto:dmarc@vindazo.be; fo=1
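The following pre-flight check is an added example, not part of the original guide. It evaluates the SPF records shown above for both the From domain and the HELO host, and parses the DMARC record before you tighten its policy. The function names are hypothetical, the records are embedded copies of the ones in this guide, and only the ip4, ip6 and all mechanisms are evaluated.

```python
import ipaddress

# TXT records copied from this guide and embedded so the check runs offline;
# a live check would fetch them with a DNS resolver instead (assumption).
ZONE = {
    "vindazo.be": "v=spf1 ip4:144.76.216.108 ip4:144.76.216.109 ip4:148.251.233.101 -all",
    "alert.vindazo.be": "v=spf1 ip4:144.76.216.109 -all",
    "_dmarc.vindazo.be": "v=DMARC1; p=none; rua=mailto:dmarc@vindazo.be; fo=1",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(domain, ip, zone=ZONE):
    """Evaluate an SPF record that uses only ip4/ip6/all mechanisms."""
    terms = zone.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # for the HELO name, SpamAssassin scores this as SPF_HELO_NONE
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, value = mech.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qual]
        if name.lower() not in ("ip4", "ip6"):
            return "unsupported"  # include/a/mx/redirect need DNS lookups
        if addr in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no trailing "all"

def dmarc_tags(domain, zone=ZONE):
    """Parse the DMARC record for `domain` into a tag dict and sanity-check it."""
    parts = [p.partition("=") for p in zone.get("_dmarc." + domain, "").split(";") if p.strip()]
    tags = {k.strip().lower(): v.strip() for k, _, v in parts}
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError(f"invalid or missing DMARC record for {domain}")
    if not 0 <= int(tags.get("pct", "100")) <= 100:
        raise ValueError("pct must be between 0 and 100")
    return tags

def preflight(from_domain, helo_host, ip, zone=ZONE):
    """Summarise the SPF (MAIL FROM and HELO) and DMARC state for one sending IP."""
    return {
        "spf_mailfrom": spf_result(from_domain, ip, zone),
        "spf_helo": spf_result(helo_host, ip, zone),
        "dmarc_policy": dmarc_tags(from_domain, zone)["p"],
    }

if __name__ == "__main__":
    print(preflight("vindazo.be", "alert.vindazo.be", "144.76.216.109"))
```

Run it for every sending IP before moving from p=none to p=quarantine: any IP that returns "fail" or "none" will start losing mail once the stricter policy is published.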
6. Useful Tools
- Mail Tester – spam score
- Google DIG Tool
- MXToolbox – SPF/DKIM checks
- DMARCian DKIM Inspector
- Google Sender Guidelines
With SPF, DKIM, and DMARC correctly configured, and PTR/HELO alignment in place, your mail server is fully compliant with Gmail's bulk sender guidelines. Always test changes using live Gmail inboxes or mail-tester, and monitor your DMARC reports regularly.
Google Requirements FAQ
Need help automating this setup for multiple servers? Use monitoring tools, scripts, or managed platforms to simplify operations.