v=spf1 ....<something here>..... ~all
Says version 1, and the last word, [all], negates everyone else. That is, no one else can send my mail. (Strictly, ~all marks everyone else as a soft fail; -all is the hard-fail form.) What goes in the middle is
a:mail.habibur.com
The A entry [which is the IPv4 address] of mail.habibur.com. You can put multiple a:xxxx entries separated by spaces.
Other options are
mx for the hosts named in your MX records,
ip4:192.168.0.0/16 with or without a mask, and
include:somedomain.com to include everything from that domain's SPF record, which is what happens when you use Google or Mailinator servers for sending your mail.
That's all you will need.
@ host with the data we talked above.
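The left-to-right evaluation of such a record, as an added example that is not part of the original page: it handles only the terms described above (a, mx, ip4, include, all) with the qualifier rules from RFC 7208. The habibur.com zone contents, the mx.habibur.com host name and all addresses are constructed sample data, not real DNS answers.

```python
import ipaddress

# Qualifier prefix -> result; a term with no prefix counts as "+" (pass).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

DNS = {  # constructed sample zone data (assumption), not real lookups
    ("TXT", "habibur.com"): "v=spf1 a:mail.habibur.com mx ip4:192.168.0.0/16 "
                            "include:somedomain.com ~all",
    ("A", "mail.habibur.com"): ["203.0.113.10"],
    ("MX", "habibur.com"): ["mx.habibur.com"],
    ("A", "mx.habibur.com"): ["203.0.113.20"],
    ("TXT", "somedomain.com"): "v=spf1 ip4:198.51.100.0/24 -all",
}

def parse_spf(record):
    """Yield (qualifier, mechanism, argument) for each term after v=spf1."""
    version, *terms = record.split() or [""]
    if version.lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    for term in terms:
        qualifier, body = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = body.partition(":")
        yield qualifier, name.lower(), arg

def check_sender(ip, domain, dns=DNS, depth=0):
    """Evaluate terms left to right; the first one that matches decides."""
    if depth > 10 or ("TXT", domain) not in dns:
        return "permerror" if depth else "none"
    addr = ipaddress.ip_address(ip)
    for qualifier, name, arg in parse_spf(dns[("TXT", domain)]):
        if name == "all":
            matched = True
        elif name == "ip4":  # a bare address is treated as a /32
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx"):  # no argument means the domain itself
            hosts = dns.get(("MX", arg or domain), []) if name == "mx" else [arg or domain]
            matched = any(addr == ipaddress.ip_address(a) for h in hosts for a in dns.get(("A", h), []))
        elif name == "include":  # matches only if the included record passes
            result = check_sender(ip, arg, dns, depth + 1)
            if result == "permerror":
                return result
            matched = result == "pass"
        else:
            raise ValueError(f"term not covered by this example: {name}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"
```

A sender matched by none of the listed terms falls through to the final all term, so the same address is a softfail under ~all and a fail under -all.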
policy-spf. This name changes. Once installed, add the following as the last two lines of /etc/postfix/master.cf to start it. That is, Postfix will start it when needed, not the system.
policy-spf unix - n n - 0 spawn
  user=nobody argv=/usr/libexec/postfix/policyd-spf
Next, tell Postfix to communicate with it for verification over a Unix socket.
In /etc/postfix/main.cf
smtpd_recipient_restrictions = ... check_policy_service unix:private/policy-spf
This private/policy-spf socket should already exist in /var/spool/postfix/. Check that it has already been created by the package installer.
Finally, its configuration file is /etc/python-policyd-spf/policyd-spf.conf
Edit it like this to make it reject aggressively.
debugLevel = 1
TestOnly = 1
HELO_reject = SPF_Not_Pass
Mail_From_reject = SPF_Not_Pass
PermError_reject = True
TempError_Defer = True
skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
That's all. Restart Postfix.