Email authentication standards — SPF, DKIM, and DMARC — are the primary tools used by receiving mail servers to verify that messages claiming to come from your domain actually originate from your authorized infrastructure. Without them, your outbound mail is far more likely to land in spam folders or be rejected outright. On RHEL 8, SPF and DMARC are purely DNS-based, while DKIM signing requires the opendkim package integrated with Postfix as a milter. This tutorial walks through configuring all three layers for example.com.

Prerequisites

  • RHEL 8 server with Postfix installed and sending mail from example.com
  • DNS control over your domain (ability to add TXT records)
  • Root or sudo access on the mail server
  • EPEL repository enabled (dnf install -y epel-release) for opendkim
  • The server’s public IP address noted for the SPF record

Step 1 — Publish an SPF Record in DNS

SPF is a DNS TXT record that tells receiving servers which IP addresses are authorized to send mail for your domain. No server-side software is required — this is a pure DNS change.

Add the following TXT record for example.com in your DNS control panel or zone file. Replace 203.0.113.10 with your actual mail server IP.

example.com.  IN  TXT  "v=spf1 mx ip4:203.0.113.10 ~all"

The mx mechanism authorizes the IP addresses already listed in your domain’s MX records. The ~all (softfail) qualifier instructs receivers to accept but mark messages from unlisted sources; use -all (hardfail) once you are confident all sending sources are enumerated. Verify the record after DNS propagation:

dig TXT example.com +short
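The checks a receiver applies to this record can be rehearsed offline before you tighten ~all to -all. The following is an added example, not part of the original tutorial: a small Python lint that takes the TXT strings returned by dig and reports duplicate SPF records, the result of the all term, and how many DNS-lookup terms the record itself uses against the limit of 10 in RFC 7208. The function name and the over-long sample record are constructed for illustration.

```python
# Added example, not part of the original tutorial: offline SPF record lint.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # DNS-querying terms, RFC 7208 4.6.4
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lint_spf(txt_records):
    """Lint the TXT strings published at one name.

    Returns (findings, lookups, all_result). `lookups` counts only terms in
    this record; lookups inside include:/redirect= targets come on top.
    """
    records = [r.strip().strip('"') for r in txt_records]
    spf = [r for r in records if r.lower().split(" ", 1)[0] == "v=spf1"]
    if len(spf) != 1:
        # none: no policy at all; several: receivers return permerror
        return [f"expected exactly one v=spf1 record, found {len(spf)}"], 0, None
    findings, lookups, all_result = [], 0, None
    terms = spf[0].split()[1:]
    for pos, term in enumerate(terms):
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        body = term.lstrip("+-~?").lower()
        name = body.split(":", 1)[0].split("/", 1)[0]
        if body.startswith("redirect=") or name in LOOKUP_MECHS:
            lookups += 1
        if name == "all":
            all_result = QUALIFIERS[qualifier]
            if pos != len(terms) - 1:
                findings.append("terms after 'all' are never evaluated")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    if all_result is None and "redirect=" not in spf[0].lower():
        findings.append("no 'all' term: unlisted senders evaluate to neutral")
    elif all_result == "pass":
        findings.append("+all authorizes every host on the Internet")
    elif all_result == "softfail":
        findings.append("~all is softfail; switch to -all once every sender is listed")
    return findings, lookups, all_result

# Constructed inputs: the record from Step 1, then an over-long record.
STEP1 = ['"v=spf1 mx ip4:203.0.113.10 ~all"']
TOO_MANY = ["v=spf1 " + " ".join(f"include:_spf{i}.example.net" for i in range(11)) + " -all"]

if __name__ == "__main__":
    for rrset in (STEP1, TOO_MANY):
        print(lint_spf(rrset))
```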

Step 2 — Install OpenDKIM

Install opendkim from the EPEL repository.

dnf install -y opendkim opendkim-tools

OpenDKIM operates as a milter (mail filter) that hooks into Postfix. It signs outbound messages with your private key and verifies signatures on inbound messages.

Step 3 — Generate DKIM Keys

Generate a 2048-bit RSA key pair for the selector named default under domain example.com. The -t flag marks the key as a test key during initial deployment.

mkdir -p /etc/opendkim/keys/example.com
opendkim-genkey -b 2048 -t -s default -d example.com -D /etc/opendkim/keys/example.com/
chown -R opendkim:opendkim /etc/opendkim/keys/
chmod 600 /etc/opendkim/keys/example.com/default.private

This creates default.private (the signing key — keep this secret) and default.txt (the DNS record to publish).

cat /etc/opendkim/keys/example.com/default.txt

Add the displayed TXT record to your DNS zone under the name default._domainkey.example.com. It will look similar to: "v=DKIM1; k=rsa; p=MIIBIjANBgkqh...". Once DNS propagates, remove the test flag, either by regenerating the key without -t or by editing the DNS record to drop the t=y tag that -t added.

Step 4 — Configure OpenDKIM

Edit /etc/opendkim.conf to set the key table, signing table, and trusted hosts.

Mode                    sv
PidFile                 /run/opendkim/opendkim.pid
Syslog                  yes
SyslogSuccess           yes
LogWhy                  yes
Canonicalization        relaxed/simple
Domain                  example.com
Selector                default
KeyFile                 /etc/opendkim/keys/example.com/default.private
KeyTable                /etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
ExternalIgnoreList      /etc/opendkim/TrustedHosts
InternalHosts           /etc/opendkim/TrustedHosts
Socket                  inet:8891@localhost

Create the supporting files.

# /etc/opendkim/KeyTable
default._domainkey.example.com example.com:default:/etc/opendkim/keys/example.com/default.private

# /etc/opendkim/SigningTable
*@example.com default._domainkey.example.com

# /etc/opendkim/TrustedHosts
127.0.0.1
::1
example.com

Enable and start OpenDKIM.

systemctl enable --now opendkim

Step 5 — Integrate OpenDKIM with Postfix

Add the milter configuration to /etc/postfix/main.cf so Postfix passes outbound mail through OpenDKIM for signing.

milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = inet:127.0.0.1:8891

Reload Postfix to apply the change.

systemctl reload postfix

Send a test message and inspect the headers with your mail client or an online tool to confirm the DKIM-Signature header is present.

Step 6 — Publish a DMARC Record

DMARC builds on SPF and DKIM by telling receiving servers what to do when either check fails. Add a TXT record for _dmarc.example.com.

_dmarc.example.com.  IN  TXT  "v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]; ruf=mailto:[email protected]; sp=quarantine; adkim=r; aspf=r"

Start with p=none (monitor mode) to collect reports without affecting delivery, then graduate to p=quarantine and eventually p=reject once you are confident all legitimate sending sources pass both SPF and DKIM. Verify with:

dig TXT _dmarc.example.com +short
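Two things are easy to miss during rollout: the t=y test flag from Step 3 left in the DKIM key record, and a DMARC record whose sp=, pct= or rua= tags weaken or blind the policy described above. The following is an added example, not part of the original tutorial: a Python lint for both tag=value records, fed with the TXT values as dig prints them. Function names are illustrative, and the key data and report addresses in the samples are placeholders.

```python
# Added example, not part of the original tutorial: lint DKIM key and DMARC TXT values.
RANK = {"none": 0, "quarantine": 1, "reject": 2}

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT value (dig +short style) into ordered pairs."""
    pairs = []
    for part in record.replace('"', "").split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dkim_key(record):
    tags, findings = dict(parse_tags(record)), []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v= must be DKIM1")
    if not tags.get("p"):
        findings.append("p= is empty or missing: the key is revoked or the record is broken")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y still set: domain is still flagged as testing DKIM")
    return findings

def lint_dmarc(record):
    """Return (findings, policy); policy is None when v= or p= is not valid."""
    pairs, findings = parse_tags(record), []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return ["v=DMARC1 must be the first tag"], None
    tags = dict(pairs)
    policy = tags.get("p", "").lower()
    if policy not in RANK:
        return ["p= must be none, quarantine or reject"], None
    sub = tags.get("sp", policy).lower()  # sp defaults to p when absent
    if RANK.get(sub, -1) < RANK[policy]:
        findings.append(f"sp={sub} is weaker than p={policy}: subdomains are less protected")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports to find missed senders")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        findings.append("pct= must be an integer from 0 to 100")
    elif int(pct) < 100 and policy != "none":
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    return findings, policy

# Constructed inputs; key data and report addresses are placeholders.
DKIM_TEST = '"v=DKIM1; k=rsa; t=y; " "p=PLACEHOLDERKEY"'
DMARC_STEP6 = ("v=DMARC1; p=quarantine; pct=100; rua=mailto:rua-placeholder@example.com; "
               "ruf=mailto:ruf-placeholder@example.com; sp=quarantine; adkim=r; aspf=r")
DMARC_WEAK = "v=DMARC1; p=reject; sp=none; pct=50"
print(lint_dkim_key(DKIM_TEST), lint_dmarc(DMARC_STEP6), lint_dmarc(DMARC_WEAK))
```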

To get a comprehensive deliverability score and verify all three mechanisms are working together, send a test message to mail-tester.com using the address they provide and review the report.

Conclusion

Your RHEL 8 mail server now signs outbound messages with DKIM, publishes an SPF record limiting authorized senders, and declares a DMARC policy instructing receivers how to handle failures. Together these three mechanisms dramatically improve deliverability and protect your domain against spoofing and phishing abuse. Monitor the aggregate DMARC reports sent to your rua address to detect any legitimate sending sources you may have missed.

Next steps: How to Enable TLS on Postfix with Let’s Encrypt on RHEL 8, How to Set Up SpamAssassin with Postfix on RHEL 8, and How to Configure Postfix with a Relay Host on RHEL 8.