How do I set up SPF and DKIM on Linux?

SPF

SPF is pretty straight forward if you know how to add a TXT DNS records.

But the syntax can be confusing. Probably the most confusing part of SPF is the end bit, as it could take in two possibilities:

~all = softfail-all = hardfail

Here is a sample record that adds an IP and Outlook settings:

“v=spf1 a mx ip4:a.b.c.d include:spf.protection.outlook.com -all”

~~Don’t ask what the difference is between – and ~, but just take it as the most confusing parameter ever.~~
The difference between the dash and the tilde is:

The tilde and dash identify they different types of failures. Consider a message that doesn’t match the parameters specified in the SPF record. Tilde is for a softfail, the message will be accepted and marked if it doesn’t match parameters specified. Dash is for a hardfail, the message will be rejected if it doesn’t match.

https://serverfault.com/questions/663087/what-is-the-difference-between-all-and-all-in-a-dns-spf-record

Caveats with SPF

SPF records can only have 10 entries. See here:
https://support.google.com/a/answer/10685928?hl=en

Can you forward email to Google from a non-Google domain and still have SPF pass?

In our opinion, it’s impossible to forward email to Google from a non-Google domain and still have SPF pass. This is most likely due to security restrictions – how can Google be programmed to accept legitimate email from “any” domain and make it pass?

Edit: It’s possible to forward email to Google and make SPF pass. You need Postfix and root access to the server. See here:

https://kb.vander.host/email/srs-a-beautiful-technology-which-means-you-can-forward-your-emails-to-google/

Here is some substantiation to that claim:

https://serverfault.com/questions/613943/spf-softfail-for-forwarded-emails-to-gmail-account/613961

A typically Google fail for SPF forwarding will look like this: