Contents
DMARC, SPF, and PTR configuration form the authentication foundation that determines whether ISPs accept, reject, or classify your messages as spam. PowerMTA handles the DKIM signing configuration component of DMARC alignment — but the full authentication stack requires correct DNS records, PTR configuration on all sending IPs, and a DMARC policy that progresses from monitoring to enforcement. This reference covers the complete authentication configuration for production PowerMTA deployments.
DMARC Policy Configuration and Progression
# DMARC record format — published at _dmarc.yourdomain.com TXT # Minimum (monitoring): "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com" # Phase 2 (partial quarantine): "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc-fail@yourdomain.com" # Phase 3 (full enforcement): "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; sp=reject; adkim=s; aspf=s" # Tags explained: # p= — policy for main domain (none/quarantine/reject) # sp= — policy for subdomains # pct= — percentage of messages policy applies to (use for graduated rollout) # rua= — aggregate report destination (XML reports, daily) # ruf= — failure report destination (per-message, use with care — privacy) # adkim=s/r — DKIM alignment strict (s) or relaxed (r) # aspf=s/r — SPF alignment strict (s) or relaxed (r)
The progression from p=none to p=reject should be data-driven, not time-driven. Move to p=quarantine only after aggregate reports show 98%+ of legitimate mail is DMARC-passing. Move to p=reject only when you have verified that all sending systems — including third-party services, marketing platforms, and any legacy systems — are correctly authenticated.
DMARC Alignment in PowerMTA
DMARC alignment is the requirement that the domain authenticated by SPF or DKIM matches the From: header domain. In PowerMTA, DKIM alignment is the primary mechanism — PowerMTA's dkim-sign directive must use the same domain as the From: address in messages.
# Correct alignment example: # From: newsletter@yourdomain.com # PowerMTA dkim-sign: domain="yourdomain.com" → DMARC DKIM alignment: PASS # Incorrect alignment example: # From: newsletter@yourdomain.com # PowerMTA dkim-sign: domain="esp.sendingplatform.com" → DMARC DKIM alignment: FAIL # (signing domain doesn't match From: domain) # PowerMTA DKIM signing for DMARC alignment: <virtual MTA pool configuration-ip-1> smtp-source-host 185.x.x.10 mail1.yourdomain.com dkim-sign domain="yourdomain.com" \ # Must match From: header domain key-file="/etc/pmta/dkim/yourdomain.private" \ selector="s1" # SPF alignment (secondary — DKIM is primary for PowerMTA): # The Return-Path domain must match the From: domain # Set bounce-address to an address @yourdomain.com (not @third-party.com)
SPF Record Configuration for PowerMTA
# SPF record — published at yourdomain.com TXT # Authorize all sending IPs explicitly: "v=spf1 ip4:185.x.x.0/24 ip4:185.y.y.10 -all" # For multiple IP ranges: "v=spf1 ip4:185.x.x.0/24 ip4:185.y.y.0/24 ip4:185.z.z.0/28 -all" # Important SPF constraints: # - Maximum 10 DNS lookups per SPF evaluation (includes include: references) # - Use ip4: directly for your IPs (no DNS lookup required) # - Avoid include: chains that approach the 10-lookup limit # - Use -all (hard fail) not ~all (soft fail) — hard fail is the correct standard # Verify SPF: dig TXT yourdomain.com | grep spf # Test: mail-tester.com or mxtoolbox.com/spf.aspx # After adding new sending IPs, update SPF before sending from those IPs # Sending from an IP not in SPF fails SPF alignment for DMARC purposes
PTR Record Setup for All Sending IPs
PTR records (reverse DNS) map each sending IP to a hostname. They are configured with the IP block owner — your datacenter provider or ISP. For PowerMTA deployments, every sending IP must have a PTR record pointing to a hostname that is associated with your sending domain.
# Correct PTR record: # 185.x.x.10 → mail1.yourdomain.com # Forward confirmation (A record must match PTR): mail1.yourdomain.com. A 185.x.x.10 # Verify PTR: dig -x 185.x.x.10 # Should return: mail1.yourdomain.com. # For multiple IPs in a pool: # 185.x.x.10 → mail1.yourdomain.com # 185.x.x.11 → mail2.yourdomain.com # 185.x.x.12 → mail3.yourdomain.com # Each virtual-mta hostname must have a matching A record and PTR # PTR naming patterns that work well: # mail[N].yourdomain.com (most common) # smtp[N].yourdomain.com # out[N].yourdomain.com # PTR patterns that reduce deliverability: # server-185-x-x-10.datacenter.example.com (generic datacenter PTR — avoid) # 185.x.x.10.in-addr.arpa (unset PTR — avoid)
DMARC Aggregate Report Analysis
# DMARC aggregate reports are XML files sent to your rua address daily # They show: source IP, volume, SPF result, DKIM result, DMARC disposition # Parse and review with: # - dmarcian.com (free tier available) # - DMARC Analyzer # - Postmark DMARC (free) # - parsedmarc (open source) # Key data points in aggregate reports: # source_ip — the IP sending as your domain # count — number of messages from that IP # policy_evaluated.dkim — pass/fail # policy_evaluated.spf — pass/fail # policy_evaluated.disposition — none/quarantine/reject # Red flags in aggregate reports: # Unknown source_ip you don't control sending as your domain → spoofing / unauthorized sender # Your sending IPs showing dkim=fail → signing misconfiguration # Your sending IPs showing spf=fail → IP not in SPF record
Strict vs Relaxed DMARC Alignment
DMARC allows strict (adkim=s) or relaxed (adkim=r) alignment for DKIM. Strict alignment requires the DKIM signing domain to exactly match the From: header domain. Relaxed alignment allows organizational domain matches — a message signed with yourdomain.com aligns with From: sub.yourdomain.com under relaxed alignment but not strict.
# Relaxed alignment (adkim=r, aspf=r) — more permissive # DKIM: d=yourdomain.com aligns with From: notifications.yourdomain.com # SPF: mail.yourdomain.com (envelope) aligns with From: yourdomain.com # Strict alignment (adkim=s, aspf=s) — more precise # DKIM: d=yourdomain.com only aligns with From: yourdomain.com exactly # d=notifications.yourdomain.com does NOT align with From: yourdomain.com # Recommendation: start with relaxed, progress to strict # Strict is better for security (prevents subdomain abuse) # but requires all subdomains to have their own DKIM keys signed with matching domain _dmarc.yourdomain.com TXT "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@yourdomain.com"
Frequently Asked Questions
Operating PowerMTA at production volume?
We manage PowerMTA environments for high-volume senders — configuration, IP warming schedule, daily reputation monitoring, and operational response. Fully managed. No self-service.
