How do I set up authentication (SPF, DKIM) at the MTA level?

SPF is configured entirely in DNS, not the MTA. Add a TXT record to your domain specifying which IPs can send mail. For example: v=spf1 ip4:192.0.2.1 include:_spf.google.com -all. The MTA doesn't need special configuration for SPF; it just needs to send from an IP listed in your SPF record.

DKIM requires MTA configuration to sign outgoing messages. The typical setup using OpenDKIM with Postfix:

1. Generate a key pair: opendkim-genkey -s selector -d yourdomain.com

2. Publish the public key in DNS as a TXT record at selector._domainkey.yourdomain.com

3. Configure OpenDKIM with your private key path, selector, and signing domain

4. Connect Postfix to OpenDKIM via milter: smtpd_milters = inet:localhost:8891

Some MTAs like PowerMTA have built-in DKIM signing. The principle is the same: private key on server, public key in DNS.

Test your setup using tools like mail-tester.com or dkimvalidator.com to verify signatures are applied correctly and DNS records are published.
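A local pre-check for the SPF record shown above, added here as an example and not part of the original page: it evaluates the ip4/ip6/all terms against the MTA's sending IP without querying DNS and lists the terms that would still need a lookup. The function name check_spf and the address 198.51.100.7 are assumptions made for illustration.

```python
import ipaddress
import re

# Terms that each cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
# Only top-level terms are counted here; lookups inside includes also count.
DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sending_ip):
    """Evaluate one SPF record against the MTA's IP without querying DNS.

    Only ip4/ip6/all are decided locally. DNS-backed terms seen before the
    deciding term are returned in 'unresolved': they could match first, so
    the verdict is provisional whenever that list is non-empty.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("SPF record must start with v=spf1")
    ip = ipaddress.ip_address(sending_ip)
    out = {"verdict": None, "matched": None, "unresolved": [],
           "dns_lookups": 0, "warnings": []}
    for raw in terms[1:]:
        qual, term = (raw[0], raw[1:]) if raw[0] in QUALIFIERS else ("+", raw)
        name, value = re.match(r"([A-Za-z0-9]*)[:=/]?(.*)", term).groups()
        name = name.lower()
        if name in DNS_TERMS:
            out["dns_lookups"] += 1
            if out["verdict"] is None:
                out["unresolved"].append(raw)
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if out["verdict"] is None and ip.version == net.version and ip in net:
                out["verdict"], out["matched"] = QUALIFIERS[qual], raw
        elif name == "all":
            if qual in "+?":
                out["warnings"].append(f"'{raw}' does not restrict senders")
            if out["verdict"] is None:
                out["verdict"], out["matched"] = QUALIFIERS[qual], raw
    if out["verdict"] is None:
        out["verdict"] = "neutral"  # no term matched and no 'all' present
    if out["dns_lookups"] > 10:
        out["warnings"].append("more than 10 DNS-lookup terms (permerror)")
    return out

if __name__ == "__main__":
    RECORD = "v=spf1 ip4:192.0.2.1 include:_spf.google.com -all"  # from the text above
    for addr in ("192.0.2.1", "198.51.100.7"):  # second IP is a constructed value
        print(addr, check_spf(RECORD, addr))
```

A non-empty 'unresolved' list means the include or other DNS-backed terms still have to be resolved before the verdict is final.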