Keeping mail trusted¶

Running a mail server is mostly a matter of being trusted: by the servers receiving the mail, who decide whether it lands in the inbox or the spam folder, and by the rest of the internet, which will blocklist a server that misbehaves. The stack and the relay-exposure pages explain the mechanisms; these are the procedures to set them up and keep them right.

They build in dependency order. The server itself comes first, with the relay closed and transport encrypted, then the authenticated path for users, then the three DNS records that let other servers verify the domain’s mail, and finally spam filtering for what comes in.

Server and transport

Harden Postfix
Configure TLS for mail transport
Set up SASL authentication

Sender authentication

Set up SPF
Set up DKIM
Set up DMARC

Spam filtering

Set up spam filtering with Rspamd