PostMTA Security Hardening: SPF DKIM DMARC vs PowerMTA Configuration in 2026
Email authentication is not optional anymore. Google and Yahoo both require SPF, DKIM, and DMARC for any sender above 5,000 daily messages. PostMTA ships with full support for all three — and the configuration is dramatically simpler than legacy commercial MTAs.
Why 2026 Is Different
January 2024 brought mandatory email authentication requirements for bulk senders. But 2026 has raised the bar further:
- BIMI (Brand Indicators for Message Identification) is now required for brand visibility in Gmail
- ARC (Authenticated Received Chain) handling is essential for mailing lists
- MTA-STS and TLS Reporting are prerequisites for enterprise deliverability
- Google Postmaster Tools now shows granular complaint rates per campaign
Without proper authentication, your emails land in spam or do not get delivered at all.
PostMTA vs PowerMTA: Authentication Configuration
PowerMTA requires manual DKIM key generation, external SPF macro configuration, and separate DMARC alignment settings. The configuration spans multiple files.
PostMTA handles authentication natively with automated key rotation:
```
-- PostMTA: Full authentication stack in one config
dkim_sign {
domain 'postmta.com'
selector 'mail'
path '/var/db/postmta/dkim/'
header_canon relaxed/relaxed
body_canon relaxed/simple
rotation_days = 90
}
spf_allow {
domains = ['postmta.com']
}
dmarc {
domain = 'postmta.com'
policy = 'none' -- Start with monitoring, upgrade to 'quarantine' then 'reject'
rua = 'mailto:dmarc@postmta.com'
ruf = 'mailto:dmarc@postmta.com'
}
```
MTA Comparison: Authentication Support
| Feature | PostMTA | PowerMTA | Postfix | Exim |
|---|---|---|---|---|
| DKIM Signing | Native | External | Via opendkim | Via exim-dkim |
| SPF Enforcement | Native | Macro-based | policyd-spf | ACL-based |
| DMARC Alignment | Native | Manual | Via opendmarc | Manual |
| MTA-STS | Native | No | Postfix 3.8+ | No |
| ARC Handling | Native | No | No | No |
| TLS 1.3 | Native | Yes | Yes | Yes |
| Automated Key Rotation | Yes | No | No | No |
SPF Configuration
SPF lets a receiver verify that the sending server is authorized by the sender's domain. In PostMTA, enable it with the spf_allow directive in your listening stanza:
```
listen 0.0.0.0:25 {
...
spf_allow true
}
```
Your DNS SPF record specifies authorized servers:
```
v=spf1 ip4:YOUR_SERVER_IP include:spf.postmta.com -all
```
The -all (hard fail) is standard for transactional email. Marketing lists often use ~all (soft fail) during migration periods.
DKIM Signing
PostMTA generates DKIM keys automatically. In your configuration:
```
dkim_sign {
domain 'postmta.com'
selector 'mail'
path '/var/db/postmta/dkim/'
header_canon relaxed/relaxed
body_canon relaxed/simple
}
```
Publish the matching public key in DNS under the selector:
```
mail._domainkey.postmta.com IN TXT (
"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA..."
)
```
DMARC: From Baseline to Strict
DMARC ties SPF and DKIM together with policy enforcement:
```
_dmarc.postmta.com IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@postmta.com"
```
Start with p=none (monitor only) for 2-4 weeks. Move to p=quarantine when DKIM/SPF pass rates exceed 98%. Move to p=reject when confident.
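To make the alignment rule behind "ties SPF and DKIM together" concrete, here is an added Python example (not PostMTA code) that evaluates a received message against the DMARC records above: SPF and DKIM each count only if their authenticated domain aligns with the From domain under the record's aspf/adkim mode (relaxed by default), and the p= disposition applies only when neither aligns. The organizational-domain helper is a constructed simplification (last two labels) standing in for the Public Suffix List.

```python
"""DMARC alignment and disposition for one received message (added example)."""


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=none; rua=...' into a tag dict (alignment defaults relaxed)."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.
    Constructed simplification: real receivers use the Public Suffix List
    (so 'example.co.uk', not 'co.uk', would be the organizational domain)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(record, from_domain, spf_pass_domain, dkim_pass_domains):
    """Return (dmarc_pass, disposition) for the RFC5322.From domain.
    spf_pass_domain: MAIL FROM domain if SPF returned pass, else None.
    dkim_pass_domains: d= values of every signature that verified.
    DMARC passes if either mechanism passes AND aligns; p= applies only on failure."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass_domain is not None and aligned(
        spf_pass_domain, from_domain, tags["aspf"])
    dkim_ok = any(aligned(d, from_domain, tags["adkim"]) for d in dkim_pass_domains)
    passed = spf_ok or dkim_ok
    return passed, ("none" if passed else tags["p"])


if __name__ == "__main__":
    # Constructed scenario: this page's record, a legitimate message, then the
    # same message after a mailing list rewrote MAIL FROM and broke the DKIM signature.
    rec = "v=DMARC1; p=quarantine; rua=mailto:dmarc@postmta.com; fo=1"
    print(evaluate_dmarc(rec, "postmta.com", "bounce.postmta.com", ["postmta.com"]))
    print(evaluate_dmarc(rec, "postmta.com", "lists.example.org", []))
```

The second scenario is why ARC matters for mailing lists: once the list rewrites MAIL FROM and alters the body, neither SPF nor DKIM aligns and the message falls under the p= disposition.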
MTA-STS for TLS Enforcement
MTA-STS lets a receiving domain require TLS for mail delivered to it. The DNS record announces the policy version:
```
_mta-sts.postmta.com IN TXT "v=STSv1; id=20260101000000Z"
```
The TXT record only signals that a policy exists; the policy itself (mode, mx, max_age) is served over HTTPS at https://mta-sts.postmta.com/.well-known/mta-sts.txt, and changing the id tells senders to refetch it. This prevents downgrade attacks in which an on-path attacker strips STARTTLS so the message is delivered in plaintext.
TLS Reporting
For per-message DMARC failure reports, add the ruf parameter and fo=1 (report when either SPF or DKIM fails to align) to your DMARC record:
```
_dmarc.postmta.com IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@postmta.com; ruf=mailto:dmarc@postmta.com; fo=1"
```
PostMTA managed service includes automatic MTA-STS deployment and daily DMARC report analysis.
This configuration guide is brought to you by the PostMTA engineering team — enterprise email infrastructure built on PostMTA. Learn more at postmta.com.