Well, that was fun! SPF, DMARC, each took about ten minutes, mostly in copying around DNS zone info bits. Not a huge deal.
DKIM, on the other hand, turned into a real bear; partly this was because debian chroots postfix processes by default (which is a good idea) and partly because opendkim as shipped in stable is apparently in a rather odd spot in terms of what address match formats it supports.
Just in case it saves anyone else four hours and some hair loss, if you’re running postfix and opendkim on debian stable:

1) You probably want to talk to opendkim from postfix via a local unix socket, and opendkim has to drop its socket under postfix’s chroot (/var/spool/postgres).

2) You need to make sure both the opendkim directory and the socket file get ExecStartPost hooks in a systemd override.conf drop-in that set their group to postfix and their permissions so that they’re group readable/traversable as the case may be.

3) In opendkim.conf: SigningTable refile:/path/to/signing.table, and in the signing.table file: *@mail-domain-name-here (rest of line as normal for keys) DOES WORK in the beta version of opendkim 2.11 that Trixie ships.

Make sure all files referenced by the opendkim.conf file are owned by (or at least readable by) the user opendkim runs as, as permissions errors may be silent.
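The three steps above, as an added example that is not part of the original post. It renders the systemd drop-in, the opendkim.conf lines and the refile-style signing.table entry, and then checks that the socket directory and socket ended up with the group and permissions postfix needs. The unit name opendkim.service, the socket directory /var/spool/postfix/opendkim (Debian’s postfix chroot is /var/spool/postfix), the group name postfix, the selector "default" and the /etc/opendkim/ table paths are all assumptions; adjust them to your system.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: the unit is
# opendkim.service, the socket directory is /var/spool/postfix/opendkim
# (Debian's postfix chroot is /var/spool/postfix), postfix runs as group
# "postfix", and the tables live under /etc/opendkim/. Adjust as needed.
set -eu

# 1) systemd drop-in for /etc/systemd/system/opendkim.service.d/override.conf.
#    The "+" prefix makes each ExecStartPost run with full root privileges even
#    when the unit itself runs as User=opendkim, which chgrp needs.
render_override() {
  sock_dir="${1:-/var/spool/postfix/opendkim}"
  group="${2:-postfix}"
  cat <<EOF
[Service]
ExecStartPost=+/bin/chgrp ${group} ${sock_dir} ${sock_dir}/opendkim.sock
ExecStartPost=+/bin/chmod 0750 ${sock_dir}
ExecStartPost=+/bin/chmod 0660 ${sock_dir}/opendkim.sock
EOF
}

# 2) opendkim.conf lines: local socket inside the chroot, refile: SigningTable.
#    (KeyTable path is an assumption; the post only mentions SigningTable.)
render_opendkim_conf() {
  sock_dir="${1:-/var/spool/postfix/opendkim}"
  cat <<EOF
Socket        local:${sock_dir}/opendkim.sock
SigningTable  refile:/etc/opendkim/signing.table
KeyTable      /etc/opendkim/key.table
EOF
}

# 3) A refile-style signing.table line: every sender at the domain maps to the
#    KeyTable entry named on the right (selector "default" assumed).
render_signing_table() {
  domain="$1"
  selector="${2:-default}"
  printf '*@%s %s._domainkey.%s\n' "$domain" "$selector" "$domain"
}

# Verify what the drop-in should have produced: both paths group-owned by
# $group, the directory group-traversable, the socket group-readable and
# -writable. Prints each problem found; returns 0 only when all is well.
check_chroot_perms() {
  dir="$1"
  sock="$2"
  group="${3:-postfix}"
  rc=0
  for p in "$dir" "$sock"; do
    g=$(stat -c '%G' "$p")
    if [ "$g" != "$group" ]; then
      echo "$p: group is $g, want $group"
      rc=1
    fi
  done
  # Group permission triplet: characters 5-7 of e.g. "drwxr-x---".
  dgrp=$(stat -c '%A' "$dir" | cut -c5-7)
  case "$dgrp" in
    *[xs]) ;;
    *) echo "$dir: group cannot traverse ($dgrp)"; rc=1 ;;
  esac
  sgrp=$(stat -c '%A' "$sock" | cut -c5-7)
  case "$sgrp" in
    rw*) ;;
    *) echo "$sock: group cannot read/write ($sgrp)"; rc=1 ;;
  esac
  return $rc
}
```

After writing the drop-in, `systemctl daemon-reload && systemctl restart opendkim`, then run `check_chroot_perms /var/spool/postfix/opendkim /var/spool/postfix/opendkim/opendkim.sock` as root. On the postfix side the milter is addressed relative to the chroot, i.e. `smtpd_milters = local:opendkim/opendkim.sock`. For the last point in the post, test readability as the daemon’s own user rather than as root, e.g. `sudo -u opendkim test -r /etc/opendkim/signing.table && echo ok`, since opendkim may fail silently on a file root can read but opendkim cannot.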