Postfix SPF check

From iRedMail



  • This tutorial was contributed by an iRedMail user; please use it at your own risk.
  • iRedMail already enables after-queue SPF checking through Amavisd-new and the Perl module perl-Mail-SPF, so you do not need this tutorial if after-queue SPF verification is sufficient for you.


Using the Python version of the SPF Policy Server for Postfix (pypolicyd-spf), it is possible to have Postfix check the SPF status of incoming messages itself, with immediate reject or pass (if desired). This article describes how to set this up.


  • There is also a Perl version of the software, but it is not recommended because it does not scale well and should only be used on small-scale servers.
  • This tutorial was written for a CentOS-based system. Please adapt it to fit your distro and configuration.
  • It is assumed that the reader has a good knowledge of the technologies used here.


  • Download the latest version of pypolicyd-spf from the project's home page.
  • Unpack it and install it by using the instructions in the README file.


Set up your /etc/python-policyd-spf/policyd-spf.conf to fit your needs.

To begin with, make sure you set:

File: /etc/python-policyd-spf/policyd-spf.conf
defaultSeedOnly = 0
so no messages are actually rejected by policyd-SPF. You will thus be able to check the effect of your config without losing important messages.

For example, a reasonably good configuration for fighting spam (without losing legitimate messages) would contain:

File: /etc/python-policyd-spf/policyd-spf.conf
HELO_reject = Fail
Mail_From_reject = Fail
PermError_reject = False
TempError_Defer = False
skip_addresses =,::ffff:,::1//128

The meaning of each parameter is explained in the README file and in the man page (man 5 policyd-spf.conf).

Enable SPF check in Postfix

Edit your file and add at the end:

File: /etc/postfix/
# SPF check
spfpolicy unix  -       n       n       -       -       spawn
    user=nobody argv=/usr/bin/python /usr/bin/policyd-spf

Edit your file and add the following line in smtpd_recipient_restrictions, towards the end, but before the main policyd service (usually running on port 10031):

File: /etc/postfix/
smtpd_recipient_restrictions =
   check_policy_service unix:private/spfpolicy,

Restart postfix:

/etc/init.d/postfix restart
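
An added example (not part of the original tutorial or of pypolicyd-spf) for checking the policy server outside Postfix: it writes one request in Postfix's policy delegation format to the command from the spawn entry above and classifies the action that comes back. The function names and all sample addresses are constructed for illustration.

```python
import subprocess

def build_request(client_ip, helo, sender, recipient):
    """Serialise one policy request: name=value lines ended by an empty line."""
    attrs = [
        ("request", "smtpd_access_policy"),
        ("protocol_state", "RCPT"),
        ("protocol_name", "ESMTP"),
        ("instance", "manual-test.1"),  # constructed value
        ("client_address", client_ip),
        ("helo_name", helo),
        ("sender", sender),
        ("recipient", recipient),
    ]
    return "".join(f"{k}={v}\n" for k, v in attrs) + "\n"

def parse_reply(text):
    """Return (verdict, action) for a reply of the form 'action=...' + empty line."""
    for line in text.splitlines():
        if not line.startswith("action="):
            continue
        action = line[len("action="):].strip()
        word = action.split(" ", 1)[0].upper()
        if word == "REJECT" or word.startswith("5"):
            return "reject", action
        if word.startswith("DEFER") or word.startswith("4"):
            return "defer", action
        if word == "PREPEND":
            return "header-only", action  # header added, delivery unaffected
        return "pass-through", action     # e.g. DUNNO or OK
    raise ValueError("no action= line in policy reply")

def query(request, argv=("/usr/bin/python", "/usr/bin/policyd-spf")):
    """Run the policy server as spawn does: request on stdin, reply on stdout."""
    done = subprocess.run(list(argv), input=request, capture_output=True,
                          text=True, timeout=30)
    return parse_reply(done.stdout)

if __name__ == "__main__":
    # Constructed sample values from the documentation address/domain ranges.
    req = build_request("192.0.2.10", "mail.example.org",
                        "alice@example.org", "bob@example.net")
    print(query(req))
```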

Final notes

  • Verify the effect of your changes by checking the maillog.
  • When you are happy with a set of config parameters for pypolicyd-spf, be sure to enable actual SPF enforcement:
File: /etc/python-policyd-spf/policyd-spf.conf
defaultSeedOnly = 1

--Maxie ro 20:13, 15 February 2011 (UTC)
