diff --git a/content/blog/mail_server_alpine_postfix_dovecot_tutorial/index.md b/content/blog/mail_server_alpine_postfix_dovecot_tutorial/index.md
index 5c4e719..aef769a 100644
--- a/content/blog/mail_server_alpine_postfix_dovecot_tutorial/index.md
+++ b/content/blog/mail_server_alpine_postfix_dovecot_tutorial/index.md
@@ -493,7 +493,41 @@ Now let's enable IMAP by editing `/etc/dovecot/dovecot.conf`. Find a `protocols
 protocols = imap
 ```
 
-## Configure how to store emails
+## Logging
+
+By default, Dovecot logs to the syslog (`/var/log/messages`). It would be easier to monitor Dovecot if it logged to its
+own log file, so we'll configure that at `/etc/dovecot/conf.d/10-logging.conf`:
+
+```conf
+log_path = /var/log/dovecot.log
+```
+
+The file also has various settings on logging verbosity you can configure. I set:
+
+```conf
+auth_verbose = yes
+auth_debug = yes
+mail_debug = yes
+```
+
+You should already have an `/etc/logrotate.d/dovecot` file. If not, create it with the following contents:
+
+```logrotate
+/var/log/dovecot*.log {
+    daily
+    missingok
+    copytruncate
+    rotate 7
+    compress
+    notifempty
+    sharedscripts
+    postrotate
+        /etc/init.d/dovecot --quiet --ifstarted reopen
+    endscript
+}
+```
+
+## Configure IMAP and email storage
 
 You probably want to use the Maildir format for storing emails, where each user's mail is stored at `~/Maildir` (this
 can be set to another location if desired).
@@ -1334,7 +1368,7 @@ The `fo` tag indicates when you would like to receive reports. The options are:
     </tr>
 </table>
 
-### OpenDMARC
+### OpenDMARC[^spf_processing_redundancy]
 
 We can use software called OpenDMARC to enforce DMARC policies for incoming mail. OpenDMARC is another milter. Let's
 install it and enable its service:
@@ -1444,14 +1478,16 @@ Restart Postfix for the changes to take effect:
 And when you receive emails from a legitimate source that implements DMARC, you should see the following headers in
 your emails:
 
-```
+<pre id="double-spf-headers">
+<code>
 Received-SPF: pass (protonmail.com: Sender is authorized to use 'revsuine@protonmail.com' in 'mfrom' identity (mechanism 'include:_spf.protonmail.ch' matched)) receiver=master.revsuine.xyz; identity=mailfrom; envelope-from="revsuine@protonmail.com"; helo=mail-40130.protonmail.ch; client-ip=185.70.40.130
 DMARC-Filter: OpenDMARC Filter v1.4.2 master.revsuine.xyz 88CFF1288D1
 Authentication-Results: OpenDMARC; dmarc=pass (p=quarantine dis=none) header.from=protonmail.com
 Authentication-Results: OpenDMARC; spf=pass smtp.mailfrom=protonmail.com
 Authentication-Results: master.revsuine.xyz;
         dkim=pass (2048-bit key; secure) header.d=protonmail.com header.i=@protonmail.com header.a=rsa-sha256 header.s=protonmail3 header.b=nc4YWVM/
-```
+</code>
+</pre>
 
 <!--
     TODO: switch SPF filter to a milter e.g. https://www.acme.com/software/spfmilter/ so that SPF isn't checked twice
@@ -1823,6 +1859,25 @@ you would write `"Inbox.Spam"` in that case.
 
 # Miscellaneous suggestions
 
+To use fail2ban for your mail server, create `/etc/fail2ban/jail.d/mail.local`:
+
+```ini
+[postfix]
+enabled  = true
+logpath  = /var/log/postfix.log
+
+[dovecot]
+enabled  = true
+logpath  = /var/log/dovecot.log
+
+[sieve]
+enabled  = true
+logpath  = /var/log/dovecot.log
+```
+
+These are the log file locations we configured above, but you can set them to the syslog if you didn't give Postfix and
+Dovecot their own log files.
+
 You may want to get your domain whitelisted on [dnswl.org](https://www.dnswl.org/), an email whitelist service where
 admins can submit their domain and IP address to indicate trustworthiness.
 
@@ -1857,3 +1912,26 @@ admins can submit their domain and IP address to indicate trustworthiness.
 
     to find out where this file should be.
 
+[^spf_processing_redundancy]: The OpenDMARC milter will be run before the SPF policy daemon, meaning that OpenDMARC
+    must do its own SPF checking. This makes postfix-policyd-spf-perl redundant, and results in multiple SPF checks in
+    our email headers (e.g. see email headers [here](#double-spf-headers)).
+
+    To get around this, you'd probably have to use a milter to validate SPF, and just list the milter before OpenDMARC.
+    I had a bit of a look around for SPF milters and found [ACME's
+    spfmilter](https://www.acme.com/software/spfmilter/), but had issues compiling it on Alpine; it complained about
+
+    ```
+    spfmilter.c:1623:2: error: #error "neither libspf nor libspf2 is present - please provide one"
+     1623 | #error "neither libspf nor libspf2 is present - please provide one"
+          |  ^~~~~
+    ```
+
+    despite having `libspf2` installed. Potentially this is a musl issue, but I'm doubtful that a project like this
+    would be tied to glibc specifically.
+
+    I tried compiling it on Artix Linux and it compiled just fine with the right dependencies installed, so the program
+    does compile.
+
+    If anyone can either [suggest](/contact) a way to get ACME's spfmilter to compile on Alpine, or an alternative
+    solution to this problem, that would be helpful.
+