PepperTools Guide
Tech & Servers

Set up email correctly: SPF, DKIM and DMARC for beginners (Part 3 of 3)

Part 3 of the series „Your own server – from zero to secure": set up SPF, DKIM and DMARC so your emails arrive instead of landing in spam. With DNS records, DKIM signing via OpenDKIM on your own server, the right order (p=none first) and free test tools – all ready to copy.

Set up email correctly: SPF, DKIM and DMARC for beginners (Part 3 of 3)

Set up email correctly: SPF, DKIM and DMARC for beginners (Part 3 of 3)

Series „Your own server – from zero to secure" · 3 parts:

  1. Set up & secure a Debian vServer
  2. Install & configure Froxlor
  3. Set up email correctly: SPF, DKIM & DMARCYou are here

This is Part 3 and concludes the series. It assumes a server with a mail server as built in Part 1 and Part 2.

SPF, DKIM und DMARC für Einsteiger

Contents


At a glance: SPF, DKIM and DMARC are three entries in your domain's DNS. They prove that an email really comes from you. Without them, your messages today often land in spam – or are rejected entirely. Since 2024 Google and Yahoo require this authentication, Microsoft since 2025. The setup takes 20–30 minutes.

If you send emails via your own server (e.g. invoices or contact-form messages), it's not enough to „just" run a mail server. You also have to prove to the receiving servers that the mail is genuine. There are three building blocks for that. We set up all three – beginner-friendly and ready to copy.

Prerequisites

  • A server with a mail server (Postfix/Dovecot), e.g. set up via Froxlor from Part 2.
  • Access to your domain's DNS management – the area at the domain provider (or in Froxlor, if you manage DNS there) where you can create „TXT records".
  • The IP address of your server.

Important – correct order: Set up SPF and DKIM first and wait until both are active (at least a few hours) before you switch DMARC to enforcing. And always start DMARC with the gentle setting p=none.

What are SPF, DKIM and DMARC?

Three simple images:

  • SPF is the guest list. It defines which servers may send emails in your name. If the sending server isn't on the list, the mail is suspicious.
  • DKIM is the digital signature. Every outgoing mail is cryptographically signed. The recipient checks whether it's genuine and wasn't altered in transit.
  • DMARC is the rulebook. It tells the recipient what should happen if SPF or DKIM fail: let through, move to spam or reject. And it sends you reports.

All three are technically just TXT records in DNS – except the DKIM key, which we generate on the server. A very good, detailed explanation is offered by the guide from Mailvergleich.de.

Step 1: Set up SPF

SPF is a single TXT record that you create in your domain's DNS. Go to the DNS management and create a new record:

Type:   TXT
Name:   @            (stands for the main domain)
Value:  v=spf1 a mx ip4:SERVER-IP -all

Replace SERVER-IP with your server's IP. What the parts mean:

  • v=spf1 – version identifier (always at the start).
  • a mx – servers the domain's A and MX records point to may send.
  • ip4:SERVER-IP – this specific IP may send.
  • -allall others may not send (strict variant). If you're unsure or use additional services (newsletter, CRM), start with the softer variant ~all and switch to -all later.

Only one SPF record! A domain may have exactly one SPF TXT record. If you use further services, add their include: entries into this one record, e.g. v=spf1 a mx include:_spf.example.com -all.

Step 2: Set up DKIM (sign on your own server)

Unlike with a rented mailbox, you must generate DKIM on your own server yourself. We use OpenDKIM for this, which hooks into Postfix and signs every outgoing mail.

2.1 Install OpenDKIM:

sudo apt install -y opendkim opendkim-tools

2.2 Generate the key (replace your-domain.com):

sudo mkdir -p /etc/opendkim/keys/your-domain.com
sudo opendkim-genkey -b 2048 -d your-domain.com -D /etc/opendkim/keys/your-domain.com -s mail -v
sudo chown -R opendkim:opendkim /etc/opendkim

2.3 Configure OpenDKIM. Open the main configuration:

sudo nano /etc/opendkim.conf

Add at the end:

Canonicalization   relaxed/simple
Mode               sv
Socket             inet:8891@localhost
KeyTable           /etc/opendkim/KeyTable
SigningTable       /etc/opendkim/SigningTable
ExternalIgnoreList /etc/opendkim/TrustedHosts
InternalHosts      /etc/opendkim/TrustedHosts

Create the three tables:

echo "mail._domainkey.your-domain.com your-domain.com:mail:/etc/opendkim/keys/your-domain.com/mail.private" | sudo tee /etc/opendkim/KeyTable
echo "*@your-domain.com mail._domainkey.your-domain.com" | sudo tee /etc/opendkim/SigningTable
printf "127.0.0.1\nlocalhost\nyour-domain.com\n" | sudo tee /etc/opendkim/TrustedHosts

2.4 Connect OpenDKIM with Postfix. Open the Postfix configuration:

sudo nano /etc/postfix/main.cf

Add at the end:

milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

Restart the services:

sudo systemctl restart opendkim postfix

2.5 Publish the DKIM DNS record. OpenDKIM has written your public key into a file. Display it:

sudo cat /etc/opendkim/keys/your-domain.com/mail.txt

You'll see a long value in the form v=DKIM1; k=rsa; p=.... Use it to create a TXT record in DNS:

Type:   TXT
Name:   mail._domainkey
Value:  v=DKIM1; k=rsa; p=MIIBI...   (the complete p= value from the file)

An illustrated step-by-step help for DKIM is also at saschafix.de.

Step 3: Set up DMARC

DMARC connects SPF and DKIM and sets the rule. Create another TXT record in DNS:

Type:   TXT
Name:   _dmarc
Value:  v=DMARC1; p=none; rua=mailto:dmarc@your-domain.com; fo=1

Meaning:

  • p=noneobserve, but block nothing. This is always how you start, to see whether everything runs cleanly without endangering legitimate mail.
  • rua=mailto:dmarc@your-domain.com – recipients send daily reports to this address. Create this mailbox.
  • fo=1 – more detailed failure reports.

Tighten step by step: When after one to two weeks the reports show that your real mails pass SPF/DKIM, increase the strictness – first to p=quarantine (suspicious mails to spam), later to p=reject (reject suspicious mails):

v=DMARC1; p=quarantine; rua=mailto:dmarc@your-domain.com; fo=1

Never start with p=reject! Otherwise you risk legitimate mails (e.g. from newsletter or CRM services) being rejected too.

Step 4: Check and test everything

DNS changes take some time (often minutes, sometimes up to 24 hours). Then check your setup with free tools:

  • MXToolbox – checks SPF, DKIM and DMARC records individually (choose „SPF Record Lookup", „DKIM Lookup", „DMARC Lookup" at the top).
  • mail-tester.com – send a real test mail to the displayed address; the goal is a score of at least 8/10.
  • Check the Gmail header: Send yourself a mail to a Gmail account, open it, click the three dots → „Show original". There SPF, DKIM and DMARC should each show „PASS".

You can additionally test DKIM directly on the server:

sudo opendkim-testkey -d your-domain.com -s mail -vvv

If „key OK" appears, the key is correctly published.

Common errors and solutions

ProblemCauseSolution
Mails still land in spamDNS not propagated yetwait a few hours, check with MXToolbox
SPF „PermError"more than one SPF recordmerge all entries into one SPF record
DKIM „fail"wrong/incomplete p= valuecopy the complete value from mail.txt exactly (without line breaks)
DMARC has no effecttypo in the namethe record must be exactly _dmarc
No DMARC reportsrua mailbox doesn't existcreate the address dmarc@your-domain.com

Checklist

  • [ ] SPF TXT record present (exactly one), ends with -all or ~all
  • [ ] OpenDKIM installed, connected with Postfix, services restarted
  • [ ] DKIM TXT record (mail._domainkey) published, opendkim-testkey reports „key OK"
  • [ ] DMARC TXT record (_dmarc) with p=none active
  • [ ] mail-tester.com shows ≥ 8/10
  • [ ] Gmail „Show original": SPF, DKIM, DMARC = PASS
  • [ ] After one to two weeks, DMARC raised to quarantine/reject

Frequently asked questions (FAQ)

Isn't SPF alone enough? No. Google, Yahoo and Microsoft require at least SPF or DKIM, but for best protection and deliverability you should set up all three.

What's the difference between ~all and -all? ~all („soft fail") only marks unlisted senders as suspicious, -all („hard fail") strictly rejects them. When in doubt, start with ~all and switch to -all later.

Are DMARC reports privacy-relevant? The aggregated reports (rua) contain no mail content, but statistics on IP addresses and authentication results. Forensic reports (ruf) can contain more – many therefore skip ruf for GDPR reasons.

Do I have to maintain this regularly? Once set up, it runs. Look into the DMARC reports at the beginning and increase the strictness gradually.

Conclusion

In three steps you've made your emails secure: SPF defines who may send, DKIM signs every message, DMARC sets the rule and delivers reports. The order matters – first SPF and DKIM, then DMARC, and always start DMARC with p=none. After the test at mail-tester.com you know your mails arrive.

With that the series is complete: in Part 1 you set up a secure server, in Part 2 you installed Froxlor, and here you secured email sending.

You'd rather not run this yourself but want a ready-made solution or custom development? PepperTools supports you – just get in touch via the contact form.

Sources

As of June 2026. Commands and the requirements of the major mail providers can change – their official notices and the documentation of the software used are authoritative.

Handle invoices more easily

Easy Invoice combines quotes, invoices and customer management in the cloud.

Try Easy Invoice

Language versions