Dhiraj Chatpar

KumoMTA Security Hardening: SPF DKIM DMARC in 2026

Email authentication is not optional anymore. Google and Yahoo both require SPF, DKIM, and DMARC for any sender above 5,000 daily messages. KumoMTA ships with full support for all three.

Why 2026 Is Different

January 2024 brought mandatory email authentication requirements for bulk senders. But 2026 has raised the bar further:

  • BIMI (Brand Indicators for Message Identification) is now required for brand visibility in Gmail
  • ARC (Authenticated Received Chain) handling is essential for mailing lists
  • MTA-STS and TLS Reporting are prerequisites for enterprise deliverability
  • Google Postmaster Tools now shows granular complaint rates per campaign

Without proper authentication, your emails land in spam or do not get delivered at all.

SPF Configuration

SPF lets receivers verify that the server delivering a message is authorized by the envelope sender's domain. In KumoMTA, enable SPF checking on inbound mail with the spf_allow directive in your listener stanza:

listen 0.0.0.0:25 {
  ...
  spf_allow true
}

Your DNS SPF record specifies authorized servers:

v=spf1 ip4:YOUR_SERVER_IP include:spf.postmta.com -all

The -all (hard fail) is standard for transactional email. Marketing lists often use ~all (soft fail) during migration periods.

DKIM Signing

KumoMTA generates DKIM keys automatically. In your configuration:

dkim_sign {
  domain 'postmta.com'
  selector 'mail'
  path '/var/db/kumomta/dkim/'
  header_canon relaxed/relaxed
  body_canon relaxed/simple
}

Publish the corresponding public key in DNS under the selector name (the p= value below is truncated):

mail._domainkey.postmta.com IN TXT (
  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA..."
)

DMARC: From Baseline to Strict

DMARC ties SPF and DKIM together: a message passes only if at least one of them passes and its authenticated domain aligns with the visible From domain, and the record tells receivers what to do otherwise:

_dmarc.postmta.com IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@postmta.com"

Start with p=none (monitor only) for 2-4 weeks. Move to p=quarantine when DKIM/SPF pass rates exceed 98%. Move to p=reject when confident.
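As an added example (not from this post or from KumoMTA), the following Python shows what a receiver does with the record above: it parses the DMARC tags and evaluates a message's SPF and DKIM results against the alignment modes (aspf/adkim) and the p/sp policy. The two-label organizational-domain rule is a constructed simplification of the Public Suffix List lookup a real evaluator performs.

```python
def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict, e.g. {'v': 'DMARC1', 'p': 'none', ...}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % txt)
    return tags


def org_domain(domain):
    """Constructed simplification: the organizational domain is the last two
    labels. Real evaluators consult the Public Suffix List (co.uk etc.)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed,
    the default) only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf=None, dkim=None):
    """Evaluate DMARC for one message.

    spf  = (result, envelope MAIL FROM domain) or None
    dkim = (result, signing d= domain) or None
    Returns (dmarc_result, action). DMARC passes when at least one mechanism
    passes AND its domain aligns with the RFC5322.From domain; otherwise the
    record's policy applies (sp for subdomains if present, else p).
    Assumes the record was published at the organizational domain.
    """
    tags = parse_dmarc(record)
    spf_ok = (spf is not None and spf[0] == "pass"
              and aligned(spf[1], from_domain, tags.get("aspf", "r")))
    dkim_ok = (dkim is not None and dkim[0] == "pass"
               and aligned(dkim[1], from_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "none"
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return "fail", policy
```

Note that a passing SPF or DKIM result for an unrelated domain does not rescue the message: alignment with the From domain is what DMARC enforces.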

MTA-STS for TLS Enforcement

MTA-STS lets your domain declare that mail delivered to it must use TLS with a certificate that validates for your MX hosts. The DNS record only signals that a policy exists; the policy itself is served over HTTPS at https://mta-sts.postmta.com/.well-known/mta-sts.txt:

_mta-sts.postmta.com IN TXT "v=STSv1; id=20260101000000Z"

This prevents downgrade attacks in which an on-path attacker strips the STARTTLS offer so that the sending server falls back to plaintext delivery.

TLS Reporting

Add the ruf parameter to your DMARC record to receive per-message failure reports; fo=1 requests a report whenever either SPF or DKIM fails to pass and align. These are DMARC failure reports, distinct from SMTP TLS Reporting (TLS-RPT), which is published separately in a _smtp._tls TXT record:

_dmarc.postmta.com IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@postmta.com; ruf=mailto:dmarc@postmta.com; fo=1"

PostMTA managed service includes automatic MTA-STS deployment and daily DMARC report analysis.