How to set up Postfix to check SPF records only for domains that I want to check

I have a working Postfix server. It is configured with amavis and uses pretty good SMTP header controls. But sometimes my users receive spam from spammers using addresses at well-known mail service providers, like @gmail.com, @yahoo.com and others. Of course they send this spam from illegal servers but with correct DNS records (A and PTR) and EHLO headers. The server can't deny this mail.

So, I don't want to use RBLs due to false positives, and I don't want to use greylisting due to timeouts.

I want to use SPF checking, but only for mail from known domains. I know that those domains have correct SPF records.

I know that two SPF daemons exist (policyd-spf-perl and policyd-spf-python), and they don't seem to have such functionality.

So my question is: is it possible to check SPF records only for a specific list of domains?


Yes, you can.

Take a look at the example in the Postfix SMTP Access Policy Delegation documentation, where it shows that you can enable greylisting for frequently forged domains. It uses smtpd_restriction_classes to achieve this.

So you can use that case to satisfy your scenario:

# /etc/postfix/main.cf:

smtpd_recipient_restrictions =
    reject_unlisted_recipient
    ...
    reject_unauth_destination
    check_sender_access hash:/etc/postfix/sender_access
    ...
smtpd_restriction_classes = spfcheck
spfcheck = check_policy_service unix:private/spfcheck

# /etc/postfix/sender_access:
aol.com     spfcheck
hotmail.com spfcheck
bigfoot.com spfcheck
... etcetera ...
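
The following is an added example, not part of the original answer and not Postfix code: a simplified Python model of how the `check_sender_access` lookup in the configuration above decides which senders are handed to the `spfcheck` class. It assumes the Postfix default where a bare domain key also matches subdomains, and it models the table rule that a line starting with whitespace continues the previous line; the function names and sample table are constructed for illustration.

```python
# Simplified model (not Postfix code) of the check_sender_access lookup
# used above. Table contents are constructed sample data.
SENDER_ACCESS = """\
# constructed sample of /etc/postfix/sender_access
aol.com      spfcheck
hotmail.com  spfcheck
bigfoot.com  spfcheck
"""

def parse_access_table(text):
    """Parse 'key value' lines. Blank and '#' lines are ignored; a line that
    starts with whitespace continues the previous logical line."""
    table, last_key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if last_key is not None:
                table[last_key] += " " + raw.strip()
            continue
        parts = raw.split(None, 1)
        last_key = parts[0].lower()
        table[last_key] = parts[1].strip() if len(parts) > 1 else ""
    return table

def lookup_keys(sender):
    """Candidate keys for an envelope sender (MAIL FROM), most specific first.
    Assumes smtpd_access_maps is in parent_domain_matches_subdomains
    (the Postfix default), so a bare domain key also matches subdomains."""
    sender = sender.strip().strip("<>").lower()
    if not sender:
        return ["<>"]  # null sender (bounces) has no domain to match
    user, _, domain = sender.rpartition("@")
    labels = domain.split(".")
    keys = [sender] + [".".join(labels[i:]) for i in range(len(labels))]
    keys.append(user + "@")
    return keys

def restriction_for(sender, table):
    """Return the table action for this sender, or None when nothing matches
    (Postfix then moves on to the next restriction)."""
    for key in lookup_keys(sender):
        if key in table:
            return table[key]
    return None

if __name__ == "__main__":
    table = parse_access_table(SENDER_ACCESS)
    for s in ["user@aol.com", "bob@mail.aol.com", "user@example.org", "<>"]:
        print(s, "->", restriction_for(s, table) or "no match, SPF not checked")
```

The lookup is on the envelope sender, so a message whose From: header shows a listed domain but whose MAIL FROM uses another domain is not routed to the SPF check by this table.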