Last week I wrote a post about how to set up SPF and DKIM for Postfix on Ubuntu, today I want to show how to set up DMARC for Postfix on Ubuntu.

DMARC extends two existing email authentication mechanisms, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).

Therefore if not already done, in order to use DMARC verification on postfix, you first need to set up SPF and DKIM on your postfix server, because DMARC depends on the SPF- and DKIM verification results to take actions regarding —> reject, quarantine or allow the delivery of the email message to the recipients inbox.

Install OpenDMARC

OpenDMARC is an open source implementation of the Domain-based Message Authentication, Reporting and Conformance (DMARC) specification.

For how to set up DMARC verification for Postfix on Ubuntu, all credit goes again to Xiao Guoan from, which post below I used myself to set up OpenDMARC on my Ubuntu server.

Set Up OpenDMARC with Postfix on Ubuntu to Block Spam/Email Spoofing

$ sudo apt install opendmarc

If you were asked to configure a database for OpenDMARC with dbconfig-common, you can choose No. The database is just used in case you want to generate DMARC reports for other mailbox providers.

To enable auto-start at boot we enter the following command.

$ sudo systemctl enable opendmarc

Now we need to edit the main configuration file /etc/opendmarc.conf

$ sudo nano /etc/opendmarc.conf

Find the following line

# AuthservID name

and replace it with

AuthservID OpenDMARC

Sets the authserv-id to use when generating the Authentication-Results: header field after verifying a message. The default is to use the name of the MTA processing the message. If the string HOSTNAME is provided, the name of the host running the filter (as returned by the gethostname(3) function) will be used.

So if checking the header and logs, you will see immediately the verification is done by the OpenDMARC daemon.

Next add the following line. Replace the hostname with your real Postfix FQDN. This tells OpenDMARC to trust authentication result with in the ID. This is needed when you have OpenDKIM running to do DKIM verification.


If the Postfix FQDN isn’t included in the TrustedAuthservIDs, or you have a typo in the FQDN, then OpenDMARC will ignore the Authentication-Results header generated by OpenDKIM, and you will find the following error message in the mail log /var/log/mail.log

opendmarc[1133]: A436A205C9 ignoring Authentication-Results at 1 from

Find the line

# RejectFailures false

By default, OpenDMARC won’t reject emails that fail DMARC check, even if the domain’s policy is set to p=reject. If you prefer to reject emails that fail DMARC check when the domain’s policy is set to p=reject, then uncomment this line and change false to true.

RejectFailures true

You may want OpenDMARC to ignore SMTP clients that are successfully authenticated via SMTP AUTH. For example desktop/mobile mail clients that submit outgoing emails over port 587. In this case, add the following line at the end of this file.

IgnoreAuthenticatedClients true

Add the following line at the end of this file.

RequiredHeaders true

This will reject emails that don’t conform to email header standards as described in RFC5322. For example, if an incoming email doesn’t have From: header or date: header, it will be rejected. A From: field from which no domain name could be extracted will also be rejected.

It’s recommended to also add the following line at the end of this file. This will make OpenDMARC perform a fallback SPF check itself when it can find no SPF results in the message header.

SPFSelfValidate true

OpenDMARC is implemented as a milter (mail filter). Postfix can talk to milter applications via Unix socket. The default socket file used by OpenDMARC is /var/run/opendmarc/opendmarc.sock. But the Postfix SMTP daemon shipped with Ubuntu runs in chroot jail, which means the SMTP daemon resolves all filenames relative to the Postfix queue directory (/var/spool/postfix). So we need to change the socket file used by OpenDMARC.

Find the following line.

Socket local:/var/run/opendmarc/opendmarc.sock

and replace it with

Socket local:/var/spool/postfix/opendmarc/opendmarc.sock

Create a directory to hold the OpenDMARC socket file and change the ownership so that opendmarc user and opendmarc group can access it.

$ sudo mkdir -p /var/spool/postfix/opendmarc
$ sudo chown opendmarc:opendmarc /var/spool/postfix/opendmarc -R

Change permission to 750 to restrict access, so users not in group opendmarc can’t access this directory.

sudo chmod 750 /var/spool/postfix/opendmarc/ -R

Add user postfix to group opendmarc.

$ sudo adduser postfix opendmarc

Finally restart OpenDMARC

$ sudo systemctl restart opendmarc

Configure Postfix for OpenDMARC

Edit the main configuration file /etc/

$ sudo nano /etc/

As we already configured OpenDKIM in the last post I mentioned, you should still have the following lines below.

milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters

Now you just need to add the OpenDMARC socket file so that Postfix can talk to OpenDMARC. (Make sure it’s after the OpenDKIM socket.)

milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock, local:opendmarc/opendmarc.sock
non_smtpd_milters = $smtpd_milters

Restart Postfix

$ sudo systemctl restart postfix

Testing OpenDMARC Verification

To test if OpenDMARC works on your postfix server, you can send an email from another email account and for which sending domain SPF and DKIM is configured to an account on your postfix server.

If it works correctly you should see the DMARC verification results in the E-Mail header like below

Authentication-Results: OpenDMARC; dmarc=pass (p=reject dis=none)

Further in the postfix server logs under /var/log/mail.log you should see something like below

opendmarc[25606]: 8C7621800DC: pass


Set Up OpenDMARC with Postfix on Ubuntu to Block Spam/Email Spoofing

Hands-on: implementing SPF, DKIM and DMARC in Postfix