How to Turn On DMARC, DANE, Postscreen and SpamAssassin (Step by Step)

admin

Administrator
Staff member

This thread is the hands-on companion to the Anti-Spam announcement in the Announcements section. It assumes you have already set up a domain with a working mail stack (Postfix, Dovecot, and DKIM active). If you have not done that yet, start with the First Steps thread in Getting Started.

The recommended enable order is: SPF + DKIM first (already provisioned when you add a domain), then DMARC, then optionally Postscreen and DANE. Going in this order avoids blocking legitimate mail while you build up confidence in each layer.

Step 1 -- Verify SPF and DKIM Are Active

When Panelica provisions a domain with mail enabled, it automatically creates SPF and DKIM records in the domain's DNS zone. Before enabling DMARC, confirm these are in place.

A typical SPF record looks like this:

Code:
yourdomain.com  TXT  "v=spf1 a mx ~all"

The a includes your server's IP from its A record, and mx includes the IPs your MX records point to. The ~all means soft fail -- messages from other IPs are flagged but not rejected outright, which is a safe starting point.

DKIM is configured automatically per domain. Verify it is active under Email > Authentication -- the DKIM status badge should be green.

Step 2 -- Add a DMARC DNS Record

DMARC tells receiving servers what to do when a message fails SPF or DKIM alignment. Start with a monitoring-only policy (p=none) to collect data, then tighten it once you have reviewed the reports.

Add this TXT record to your domain's DNS zone:

Code:
_dmarc.yourdomain.com  TXT  "v=DMARC1; p=none; rua=mailto:[email protected]"

Explanation of the fields:
  • p=none -- monitoring only; no messages are rejected or quarantined yet.
  • rua= -- address where aggregate DMARC reports are sent. These reports show you which senders are passing and failing.

Once you have reviewed a few days of reports and confirmed your legitimate mail is passing, move to p=quarantine:

Code:
_dmarc.yourdomain.com  TXT  "v=DMARC1; p=quarantine; rua=mailto:[email protected]"

And eventually p=reject for the strictest enforcement. Do not rush this progression -- a misconfigured SPF or DKIM can cause legitimate mail to fail DMARC, and at p=reject that means lost messages.

Step 3 -- Enable DMARC Enforcement in the Panel

Once your DNS record is in place:

  1. Open Email > Protection.
  2. Toggle DMARC Enforcement on.
  3. Confirm the status badge shows active.

This activates the OpenDMARC milter, which validates inbound mail against the sender domain's published DMARC policy.

Step 4 -- Enable Postscreen (Optional)

Postscreen adds a pre-SMTP checkpoint that checks connecting IPs against Spamhaus blocklists before the mail conversation begins. It is effective at dropping bulk spam and botnet traffic before it consumes server resources.

Because some legitimate mail servers (shared hosting, small ISPs) occasionally appear on blocklists, Panelica uses a conservative Spamhaus threshold. Still, monitor your logs after enabling it.

To enable:
  1. Open Email > Protection.
  2. Toggle Postscreen (RBL) on.
  3. Watch your mail logs for a few days:
    Bash:
    tail -f /opt/panelica/var/logs/postfix/mail.log | grep postscreen
  4. If you see legitimate senders being blocked, you can disable it again at any time without any data loss.

Step 5 -- Enable DANE (Optional, Requires DNSSEC)

DANE (DNS-based Authentication of Named Entities) protects outbound mail by verifying that the receiving server's TLS certificate matches what is published in DNSSEC-signed TLSA records. It prevents TLS downgrade attacks and certificate substitution on the delivery path.

Prerequisites:
  • Your domain's DNS must be DNSSEC-signed. If your DNS provider does not support DNSSEC, DANE cannot be used.
  • The receiving domain must also publish TLSA records. DANE only applies to the delivery path to domains that support it.

To check if your domain is DNSSEC-signed:
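Bash:
# A signed zone returns RRSIG records; the "ad" flag appears only if your resolver validates DNSSEC.
dig +dnssec yourdomain.com | grep -E 'RRSIG|flags:.* ad[; ]'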

If DNSSEC is in place, enabling DANE in the panel is a single toggle:
  1. Open Email > Protection.
  2. Toggle DANE (DNSSEC TLSA) on.

How SpamAssassin Gets Better Over Time

The Bayesian learning cron runs daily. It reads messages that users have moved to their Junk folder (marking them as spam) and messages in the Sent folder (marking them as ham -- legitimate mail). Over time this builds a statistical model tuned to your server's actual mail patterns.

To get the most out of it:
  • Encourage users to move spam to their Junk folder rather than deleting it immediately.
  • Do not delete the Junk folder contents too aggressively -- the cron needs a sample to learn from.

The filter improves automatically. You do not need to run any commands.

Recommended Sequence Summary

  1. Confirm SPF + DKIM active (automatic on domain creation)
  2. Add DMARC record to DNS with p=none
  3. Enable DMARC Enforcement in the panel
  4. Review DMARC aggregate reports for a week
  5. Tighten DMARC policy to p=quarantine, then p=reject
  6. Optionally enable Postscreen and monitor logs
  7. Optionally enable DANE if your domain is DNSSEC-signed

If you run into any issues during setup, post a reply with the step you are on, your OS, and the relevant log output. We are happy to take a look.

The Panelica Team
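
Step 2 says to review aggregate reports before moving from p=none to p=quarantine. The following Python is an added example, not part of the original post or Panelica's code: it totals DMARC pass/fail per source IP from one report and lists legitimate senders that still fail. The sample report and IPs are constructed, `known_ips` is a hypothetical list of your own senders, and the report is assumed to be already decompressed XML.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (not real data).
ROW = ("<record><row><source_ip>{}</source_ip><count>{}</count><policy_evaluated>"
       "<disposition>none</disposition><dkim>{}</dkim><spf>{}</spf>"
       "</policy_evaluated></row><identifiers><header_from>yourdomain.com"
       "</header_from></identifiers></record>")
SAMPLE_REPORT = (
    "<feedback><policy_published><domain>yourdomain.com</domain><p>none</p>"
    "</policy_published>"
    + ROW.format("192.0.2.10", 120, "pass", "pass")    # the mail server itself
    + ROW.format("198.51.100.25", 8, "fail", "fail")   # e.g. a newsletter service
    + ROW.format("203.0.113.77", 3, "fail", "fail")    # unknown source
    + "</feedback>")

def summarize(xml_text):
    """Return {source_ip: {"pass": n, "fail": n}}, counted in messages."""
    # Reports come from third parties: refuse DTDs/entities before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in report")
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for record in ET.fromstring(xml_text).iter("record"):
        row = record.find("row")
        evaluated = row.find("policy_evaluated")
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        ok = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        bucket = totals[row.findtext("source_ip")]
        bucket["pass" if ok else "fail"] += int(row.findtext("count"))
    return dict(totals)

def failing_known_senders(summary, known_ips):
    """Legitimate senders (hypothetical list) that still fail DMARC."""
    return sorted(ip for ip in known_ips if summary.get(ip, {}).get("fail", 0))

def ready_to_tighten(summary, known_ips):
    """True only if known senders were seen and none of them failed."""
    seen = [ip for ip in known_ips if ip in summary]
    return bool(seen) and not failing_known_senders(summary, known_ips)

if __name__ == "__main__":
    report = summarize(SAMPLE_REPORT)
    senders = {"192.0.2.10", "198.51.100.25"}
    for ip, c in sorted(report.items()):
        print(f"{ip:16} pass={c['pass']:<5} fail={c['fail']}")
    print("fix first:", failing_known_senders(report, senders))
    print("ready for p=quarantine:", ready_to_tighten(report, senders))
```

Failures from IPs that are not on your sender list are what the stricter policy is meant to catch; failures from IPs on the list point to an SPF or DKIM gap to fix first.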
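
Step 4 asks you to watch the mail log for legitimate senders being blocked by Postscreen. The following Python is an added example, not part of the original post or Panelica's code: it groups postscreen blocklist rejections by client IP and flags those whose envelope sender belongs to a domain you expect mail from. The log lines are constructed, standard Postfix syslog wording is assumed, and `expected_domains` is a hypothetical list you maintain.

```python
import re
import sys
from collections import defaultdict

# Constructed sample lines in standard Postfix syslog format (not real traffic).
SAMPLE_LOG = """\
Jan 10 09:14:01 mail postfix/postscreen[2101]: CONNECT from [203.0.113.77]:51234 to [192.0.2.10]:25
Jan 10 09:14:07 mail postfix/postscreen[2101]: NOQUEUE: reject: RCPT from [203.0.113.77]:51234: 550 5.7.1 Service unavailable; client [203.0.113.77] blocked using zen.spamhaus.org; from=<promo@bulk.example>, to=<user@yourdomain.com>, proto=ESMTP, helo=<bulk.example>
Jan 10 09:15:36 mail postfix/postscreen[2101]: PASS NEW [192.0.2.200]:40022
Jan 10 09:20:12 mail postfix/postscreen[2101]: NOQUEUE: reject: RCPT from [198.51.100.40]:33100: 550 5.7.1 Service unavailable; client [198.51.100.40] blocked using zen.spamhaus.org; from=<Billing@partner.example>, to=<user@yourdomain.com>, proto=ESMTP, helo=<mx.partner.example>
Jan 10 09:21:02 mail postfix/smtpd[2150]: connect from unknown[192.0.2.200]
""".splitlines()

REJECT = re.compile(
    r"postfix/postscreen\[\d+\]: NOQUEUE: reject: RCPT from \[(?P<ip>[^\]]+)\]:\d+: "
    r".*?blocked using (?P<rbl>[^;]+); from=<(?P<sender>[^>]*)>")

def blocked_senders(lines):
    """Return {client_ip: {"rejects": n, "rbls": set, "senders": set}}."""
    hits = defaultdict(lambda: {"rejects": 0, "rbls": set(), "senders": set()})
    for line in lines:
        m = REJECT.search(line)
        if m:
            entry = hits[m["ip"]]
            entry["rejects"] += 1
            entry["rbls"].add(m["rbl"])
            entry["senders"].add(m["sender"].lower())
    return dict(hits)

def needs_review(hits, expected_domains):
    """Blocked IPs whose envelope sender uses a domain you expect mail from.
    Envelope senders can be forged, so a match is a prompt to check, not proof."""
    expected = {d.lower() for d in expected_domains}
    return sorted(ip for ip, h in hits.items()
                  if any(s.rpartition("@")[2] in expected for s in h["senders"]))

if __name__ == "__main__":
    # Pass the mail.log path as the first argument; defaults to the sample.
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    hits = blocked_senders(lines)
    for ip, h in sorted(hits.items()):
        print(ip, h["rejects"], sorted(h["rbls"]), sorted(h["senders"]))
    print("review:", needs_review(hits, {"partner.example"}))
```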