Sable Quinn

Why Your Emails Go to Spam (And How to Fix It with Postfix)

You spent hours setting up your Linux mail server. You send a test email. It vanishes into spam. Here's what's actually happening — and how to fix it permanently.

The real reason emails end up in spam

It's almost never your content. Modern spam filters care far more about authentication than keywords.

When Gmail receives an email from your server, it asks three questions before it even reads the subject line:

Is this server authorised to send mail for this domain? (SPF)
Has this message been cryptographically signed by the domain owner? (DKIM)
What should I do if either of those checks fails? (DMARC)

If your server can't answer any of these questions correctly, your email gets treated as suspicious — regardless of what it says.

The four things your mail server must have

  1. SPF — Sender Policy Framework

SPF is a DNS TXT record that lists which IP addresses are allowed to send email for your domain.

Add this to your DNS (replace with your actual server IP):

v=spf1 ip4:YOUR_SERVER_IP ~all

The ~all at the end means: "mail from any other IP is suspicious but still accept it." Once you're confident your setup is correct, switch to -all for a hard reject.

Verify it works:

dig TXT yourdomain.com +short

You should see your SPF record in the output.

  2. DKIM — DomainKeys Identified Mail

DKIM cryptographically signs every outgoing email. The recipient can verify the signature using a public key you publish in DNS. If the email was modified in transit, the signature breaks.

Install OpenDKIM on Ubuntu/Debian:

sudo apt install opendkim opendkim-tools -y

Generate a 2048-bit key pair:

sudo opendkim-genkey -b 2048 -d yourdomain.com \
  -D /etc/opendkim/keys/yourdomain.com -s mail -v

This creates two files:

mail.private — your private signing key (keep this secret)
mail.txt — the public key to publish in DNS

Publish the public key as a DNS TXT record named mail._domainkey.

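Then connect OpenDKIM to Postfix by adding the following to /etc/postfix/main.cf (the port must match the Socket setting in /etc/opendkim.conf, otherwise Postfix cannot reach the milter):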

smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301

Verify it works:

sudo opendkim-testkey -d yourdomain.com -s mail -vvv

It should output: key OK

  3. DMARC — Domain-based Message Authentication

DMARC ties SPF and DKIM together. It tells receiving servers what to do when authentication fails — and sends you daily reports showing who is sending mail as your domain.

Add this DNS TXT record on _dmarc:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; fo=1

Start with p=none (monitor only, no action). After reviewing your reports for a week or two, move to p=quarantine, then eventually p=reject.

Never jump straight to p=reject. You might accidentally block legitimate mail you forgot about.

  4. TLS — Encrypt connections in transit

Without TLS, email travels across the internet in plain text. With it, every server-to-server connection is encrypted.

Get a free certificate with Let's Encrypt:

sudo certbot certonly --standalone -d mail.yourdomain.com

Then add to /etc/postfix/main.cf:

smtpd_tls_cert_file = /etc/letsencrypt/live/mail.yourdomain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.yourdomain.com/privkey.pem
smtpd_tls_security_level = may
smtp_tls_security_level = may

Verify it works:

openssl s_client -connect mail.yourdomain.com:25 -starttls smtp

The one test that tells you everything

Go to mail-tester.com, send an email to the address they give you, and check your score.

A properly configured server should score 9/10 or 10/10. Each point deducted tells you exactly what's missing. It's the fastest feedback loop available.

Quick checklist before you call your server "production-ready"

PTR record set (reverse DNS from IP → your mail hostname)
A record: mail.yourdomain.com → your server IP
MX record: yourdomain.com → mail.yourdomain.com
SPF TXT record on @
DKIM TXT record on mail._domainkey
DMARC TXT record on _dmarc
Valid TLS certificate, not expired
IP not on any major blacklists (check: mxtoolbox.com/blacklists.aspx)
mail-tester.com score 9+/10
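
The three DNS items on this checklist can be checked mechanically from `dig +short` output. The script below is an added example, not part of the original post: it joins the quoted chunks dig prints for long TXT records (a 2048-bit DKIM key is split this way), then reports the SPF `all` qualifier, the DMARC policy and whether a DKIM key is published. The function names and the sample records (documentation IP, placeholder key text) are constructed for illustration.

```python
import re

def txt_records(dig_output):
    """One string per TXT record; dig prints long records as several quoted chunks."""
    records = []
    for line in dig_output.strip().splitlines():
        chunks = re.findall(r'"([^"]*)"', line)
        records.append("".join(chunks) if chunks else line.strip())
    return records

def tags(record):
    """Parse the 'k=v; k=v' tag list used by DKIM and DMARC records."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): "".join(v.split()) for k, v in pairs}

def audit_spf(records):
    spf = [r for r in records if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:  # receivers treat more than one SPF record as an error
        return "multiple-records" if spf else "missing"
    for term in spf[0].lower().split()[1:]:
        if term.lstrip("+-~?") == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
            return {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "allow-any"}[qualifier]
    return "no-all"

def audit_dmarc(records):
    for r in records:
        t = tags(r)
        if t.get("v", "").upper() == "DMARC1":
            return {"policy": t.get("p", "missing").lower(), "reports": "rua" in t}
    return {"policy": "missing", "reports": False}

def audit_dkim(records):
    for r in records:
        t = tags(r)
        if "p" in t:  # an empty p= means the key has been revoked
            return "ok" if t["p"] else "revoked"
    return "missing"

# Constructed sample output of `dig TXT <name> +short`; key material is placeholder text.
SPF_OUT = '"google-site-verification=PLACEHOLDER"\n"v=spf1 ip4:192.0.2.10 ~all"'
DMARC_OUT = '"v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; fo=1"'
DKIM_OUT = '"v=DKIM1; h=sha256; k=rsa; " "p=PLACEHOLDERCHUNKONE" "PLACEHOLDERCHUNKTWO"'

if __name__ == "__main__":
    print("SPF:  ", audit_spf(txt_records(SPF_OUT)))
    print("DMARC:", audit_dmarc(txt_records(DMARC_OUT)))
    print("DKIM: ", audit_dkim(txt_records(DKIM_OUT)))
```

To audit a live domain, replace the sample strings with the output of `dig TXT yourdomain.com +short`, `dig TXT _dmarc.yourdomain.com +short` and `dig TXT mail._domainkey.yourdomain.com +short`. A result of `softfail` with policy `none` matches the starting configuration in this post; `hardfail` with `reject` is the end state.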

Want the full setup guide?

I wrote a 65-page book that covers all of this in detail — including troubleshooting tables, a pre-launch checklist, and everything from installation to ongoing maintenance.

[Postfix Email Security: SPF, DKIM, DMARC & TLS for Linux Beginners]
Available on Gumroad → https://sablequinn.gumroad.com/l/postfix-email-security
