Hostperl

Setup Postfix SPF Authentication on Ubuntu VPS: Complete Guide

By Raman Kumar

Updated on Jun 12, 2026

What is Postfix SPF Authentication

SPF (Sender Policy Framework) authentication stops email spoofing. It lets you specify which mail servers can send email on behalf of your domain.

When you set up Postfix SPF authentication on your Ubuntu VPS, receiving mail servers can verify that email claiming to come from your domain actually comes from authorized sources. Without SPF records, your emails can end up in spam folders or get rejected outright.

This is especially critical for business email hosting, where sender reputation matters. With SPF, you publish a DNS TXT record listing the IP addresses and mail servers authorized to send for your domain. When someone sends email claiming to be from your domain, the receiving server checks the connecting server's IP address against this SPF record to verify authenticity.

Prerequisites for SPF Configuration

Before setting up SPF authentication, your Ubuntu VPS needs:

  • Ubuntu 20.04 or later with Postfix already installed and configured
  • Root or sudo access to your server
  • DNS control for your domain
  • Static IP address for your mail server

Your Postfix installation should already handle mail for your domain. If you're still configuring basic email hosting, our Hostperl VPS hosting includes pre-configured mail server setups. This saves hours of initial configuration work.

Check your current Postfix configuration:

sudo postconf mail_version
sudo postconf myhostname
sudo postconf mydomain

Install and Configure SPF Policy Agent

Ubuntu provides the postfix-policyd-spf-python package for SPF checking. Install it first:

sudo apt update
sudo apt install postfix-policyd-spf-python

The package installs the policyd-spf policy agent, which Postfix queries to check SPF on incoming mail once it is wired into main.cf and master.cf in the steps below.

Configure the SPF policy settings by editing the configuration file:

sudo nano /etc/postfix-policyd-spf-python/policyd-spf.conf

Add these essential settings:

HELO_reject = False
Mail_From_reject = False
PermFail_reject = False
TempFail_Defer = True
skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1

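This configuration takes a permissive approach initially. With HELO_reject and Mail_From_reject set to False, the agent never rejects a message on its SPF result; it only adds a header recording that result. You can tighten these settings once SPF works correctly across your mail flow.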

Configure Postfix Main Configuration

Edit your Postfix main configuration to enable SPF checking:

sudo nano /etc/postfix/main.cf

Add the SPF policy service to your smtpd_recipient_restrictions. If this parameter already exists, add the policy check to the existing list:

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service unix:private/policyd-spf

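Order matters here. The policy check must come after reject_unauth_destination, otherwise a permit result from the policy service could let your server relay mail for other domains. Because permit_mynetworks and permit_sasl_authenticated come first, your own hosts and authenticated users skip the SPF check, and the check runs before final delivery decisions.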

Configure Postfix Master Services

Add the SPF policy service to your Postfix master configuration:

sudo nano /etc/postfix/master.cf

Append this service definition at the end of the file:

policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

This tells Postfix's spawn service to start a dedicated policy process on demand, running as the unprivileged policyd-spf user, for handling SPF queries. It won't impact main mail delivery performance.

Create SPF DNS Records

Now set up your DNS SPF record. This tells other mail servers which IPs can send mail for your domain.

Log into your domain's DNS management panel and create a TXT record:

Name: @ (or your domain name)
Type: TXT
Value: v=spf1 ip4:YOUR_VPS_IP a mx ~all

Replace YOUR_VPS_IP with your actual VPS IP address. The record components mean:

  • v=spf1 - SPF version identifier
  • ip4:YOUR_VPS_IP - authorizes your specific IP
  • a - authorizes the A record IP of your domain
  • mx - authorizes all MX record IPs
  • ~all - soft fail for everything else (recommended initially)

After you've verified everything works correctly, you can change ~all to -all for stricter enforcement.
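To see how a receiving server reaches a result from this record, here is an added example (not from the original guide) that evaluates a subset of SPF for one sender IP and shows the effect of switching ~all to -all. The function name check_spf, the resolved dictionary standing in for DNS lookups, and the documentation-range addresses are assumptions made for illustration.

```python
import ipaddress

# Qualifier prefix -> SPF result; a mechanism with no prefix means "+".
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sender_ip, resolved):
    """Evaluate a subset of SPF (ip4, ip6, a, mx, all) for one sender IP.

    `resolved` stands in for DNS: the addresses that the domain's own
    A/AAAA records ("a") and its MX hosts ("mx") resolve to.
    Mechanisms are tried left to right; the first match decides.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                        # not an SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").lower().partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx") and not arg:
            hosts = resolved.get(name, [])
            matched = any(ip == ipaddress.ip_address(h) for h in hosts)
        else:
            raise ValueError(f"'{term}' is outside this example's subset")
        if matched:
            return RESULTS[qualifier]
    return "neutral"                         # nothing matched and no "all"

# Constructed sample data (documentation addresses, not real servers).
SOFT = "v=spf1 ip4:203.0.113.10 a mx ~all"
HARD = "v=spf1 ip4:203.0.113.10 a mx -all"
RESOLVED = {"a": ["203.0.113.10"], "mx": ["203.0.113.25"]}

if __name__ == "__main__":
    for sender in ("203.0.113.10", "203.0.113.25", "198.51.100.7"):
        print(sender, check_spf(SOFT, sender, RESOLVED),
              check_spf(HARD, sender, RESOLVED))
```

The unlisted sender gets softfail under the first record and fail under the second, while the two authorized addresses pass under both.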

Test and Restart Services

Test your Postfix configuration for syntax errors:

sudo postfix check

If no errors appear, restart Postfix. The SPF policy agent has no systemd unit of its own; Postfix starts it on demand through the spawn entry in master.cf, so restarting Postfix is enough:

sudo systemctl restart postfix

Verify that Postfix is running and that the policy service is defined in master.cf:

sudo systemctl status postfix
sudo postconf -M policyd-spf/unix

Check that Postfix is listening on port 25:

sudo ss -tlnp | grep ':25 '
sudo postfix status

Verify SPF Authentication Works

Test your SPF configuration from another system or use online SPF testing tools. Send a test email and check your mail logs:

sudo tail -f /var/log/mail.log

Look for SPF-related log entries. Successful SPF checks show messages like:

policyd-spf[12345]: SPF pass (best guess record)

You can also test SPF record resolution directly:

dig TXT yourdomain.com

The output should show your SPF record in the answer section.

Need reliable email hosting with properly configured SPF, DKIM, and DMARC authentication? Our Hostperl VPS hosting includes pre-configured mail server setups and ongoing support to ensure your email reaches inboxes, not spam folders.

Troubleshoot Common SPF Issues

DNS propagation delays cause temporary SPF failures. Wait 24-48 hours after creating SPF records before troubleshooting delivery issues.

If emails get rejected with SPF failures, check your SPF record syntax carefully. Common mistakes include:

  • Missing spaces between SPF mechanisms
  • Incorrect IP addresses in the record
  • Multiple SPF records for the same domain
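The three mistakes above can be checked mechanically before you publish a record. This added example (not part of the original guide) lints the TXT strings of a domain against the mail server IP the record is meant to authorize; the function name lint_spf and the sample records are constructed for illustration.

```python
import ipaddress

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}

def lint_spf(txt_records, server_ip):
    """Check a domain's TXT records for the SPF mistakes listed above.

    txt_records: every TXT string published at the domain (as dig shows them).
    server_ip:   the mail server address the record is meant to authorize.
    Returns a list of problem descriptions; an empty list means none found.
    """
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return [f"expected exactly one SPF record, found {len(spf)}"]
    problems = []
    terms = spf[0].split()
    if terms[0].lower() != "v=spf1":
        problems.append(f"no space after v=spf1 in '{terms[0]}'")
    server, covered = ipaddress.ip_address(server_ip), False
    for term in terms[1:]:
        if "=" in term:                       # modifier such as redirect=
            continue
        name, _, arg = term.lstrip("+-~?").lower().partition(":")
        if name.split("/")[0] not in MECHANISMS:
            problems.append(f"unknown term '{term}' (missing space?)")
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                problems.append(f"bad address in '{term}'")
                continue
            if net.version != int(name[2]):
                problems.append(f"address family mismatch in '{term}'")
            covered = covered or server in net
    if not covered:
        problems.append(f"{server_ip} is not covered by any ip4/ip6 term")
    return problems

# Constructed TXT record sets (documentation addresses, not real data).
SAMPLES = {
    "good": ["unrelated-txt=value", "v=spf1 ip4:203.0.113.10 a mx ~all"],
    "two_records": ["v=spf1 ip4:203.0.113.10 ~all", "v=spf1 mx ~all"],
    "glued": ["v=spf1 ip4:203.0.113.10 amx ~all"],
    "bad_ip": ["v=spf1 ip4:203.0.113.310 a mx ~all"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(label, lint_spf(records, "203.0.113.10"))
```

The last check only looks at ip4/ip6 terms, so a server authorized solely through a or mx is reported as not covered and needs to be confirmed by hand.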

Monitor your mail logs regularly for SPF-related rejections:

sudo grep -i spf /var/log/mail.log | tail -20

If you see legitimate emails being rejected, you may need to add additional authorized IPs to your SPF record. You can also use a less restrictive qualifier.

Frequently Asked Questions

How long does SPF DNS propagation take?

SPF records typically propagate within 4-6 hours. Full global propagation can take up to 48 hours. Test from multiple locations to verify complete deployment.

Can I have multiple SPF records for one domain?

No, you should only have one SPF record per domain. Multiple SPF records cause validation failures. If you need to authorize multiple services, include all mechanisms in a single SPF record.

What's the difference between ~all and -all in SPF records?

~all means "soft fail"—mark suspicious but don't reject. -all means "hard fail"—reject emails that don't match. Start with ~all and move to -all once you've verified all legitimate mail sources are authorized.

Do I need SPF if I only receive emails on this server?

SPF authentication protects both incoming and outgoing mail. Even if you primarily receive mail, SPF helps prevent others from spoofing your domain name in outbound messages.

How do I check if my SPF record is working correctly?

Use online SPF testing tools or send test emails to major providers like Gmail. Check the email headers for SPF authentication results. They should show "SPF: PASS" for properly configured domains.