DMARC is extra credit; but do configure SPF!

SPF declares who is legitimately allowed to send email purporting to be
from your domain. DMARC gives systems receiving emails which do not
conform to the stated SPF policy instructions on what to do / how to
notify you.

You're welcome to look at the SPF published for my domain with "dig
m3047.net TXT" (it's the record that starts with "v=spf1.."). It's simple,
it's my two fixed addresses plus any other MX, if any, configured for the
domain. Be sure to put "-all" at the end.

Somebody else asked whether your domain is wildcarded. If the emails
you're receiving as bounces are associated with accounts / aliases which
do not exist on your system(s) then getting rid of the wildcarding will
quiet things down a lot. I wrote it, so yeah I'm biased, but take a look
at https://github.com/m3047/trualias for another take on aliases which can
be made up on the fly without wildcarding the domain, and rejecting at
RCPT TO (as opposed to bouncing after the fact and producing more
backscatter).

On Tue, 25 Nov 2025, Jaroslaw Rafa via Postfix-users wrote:
> That assumes all the servers that are currently sending bounces check DMARC
> and will reject messages that fail DMARC. There's no guarantee they do.

--
Fred Morris, internet plumber
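
An added example, not part of the original message or of the author's
own tooling: a Python check of a domain's TXT strings for the SPF points
made above (a single v=spf1 record that ends in "-all"). The function
name lint_spf and the sample records are constructed for illustration;
real input would be the unquoted strings from "dig +short <domain> TXT".

```python
import re

# Terms that each cost one DNS query; RFC 7208 section 4.6.4 caps the total at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lint_spf(txt_records):
    """Check a domain's TXT strings for SPF problems; [] means clean."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["no v=spf1 record published"]
    if len(spf) > 1:
        return ["more than one v=spf1 record (receivers return permerror)"]
    findings, lookups, all_qualifier, has_redirect = [], 0, None, False
    for term in spf[0].lower().split()[1:]:
        qualifier, name = re.match(r"([-+~?]?)([a-z0-9]*)", term).groups()
        if all_qualifier is not None:
            findings.append(f"'{term}' follows 'all' and is never evaluated")
            continue
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "redirect":
            has_redirect = True
        if name == "all":
            all_qualifier = qualifier or "+"  # a bare "all" means "+all"
    if all_qualifier is None and not has_redirect:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier is not None and all_qualifier != "-":
        findings.append(f"ends in '{all_qualifier}all'; only '-all' fails other senders")
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms exceed the limit of 10 (permerror)")
    return findings

# Constructed TXT sets; addresses are from the documentation ranges, not a real domain.
STRICT = ["v=spf1 ip4:192.0.2.10 ip4:198.51.100.20 mx -all", "site-verification=abc123"]
SOFT = ["v=spf1 ip4:192.0.2.10 mx ~all"]
OPEN = ["v=spf1 mx"]

if __name__ == "__main__":
    for label, records in (("strict", STRICT), ("soft", SOFT), ("open", OPEN)):
        print(label, lint_spf(records) or "ok")
```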