content/blog/mail_server_alpine_postfix_dovecot_tutorial.md: add footnote about postfix-policyd-spf-perl being executed after opendmarc

content/blog/mail_server_alpine_postfix_dovecot_tutorial/index.md

@@ -1334,7 +1334,7 @@ The `fo` tag indicates when you would like to receive reports. The options are:
     </tr>
 </table>
 
-### OpenDMARC
+### OpenDMARC[^spf_processing_redundancy]
 
 We can use software called OpenDMARC to enforce DMARC policies for incoming mail. OpenDMARC is another milter. Let's
 install it and enable its service:
@@ -1444,14 +1444,16 @@ Restart Postfix for the changes to take effect:
 And when you receive emails from a legitimate source that implements DMARC, you should see the following headers in
 your emails:
 
-```
+<pre id="double-spf-headers">
+<code>
 Received-SPF: pass (protonmail.com: Sender is authorized to use 'revsuine@protonmail.com' in 'mfrom' identity (mechanism 'include:_spf.protonmail.ch' matched)) receiver=master.revsuine.xyz; identity=mailfrom; envelope-from="revsuine@protonmail.com"; helo=mail-40130.protonmail.ch; client-ip=185.70.40.130
 DMARC-Filter: OpenDMARC Filter v1.4.2 master.revsuine.xyz 88CFF1288D1
 Authentication-Results: OpenDMARC; dmarc=pass (p=quarantine dis=none) header.from=protonmail.com
 Authentication-Results: OpenDMARC; spf=pass smtp.mailfrom=protonmail.com
 Authentication-Results: master.revsuine.xyz;
         dkim=pass (2048-bit key; secure) header.d=protonmail.com header.i=@protonmail.com header.a=rsa-sha256 header.s=protonmail3 header.b=nc4YWVM/
-```
+</code>
+</pre>
 
 <!--
     TODO: switch SPF filter to a milter e.g. https://www.acme.com/software/spfmilter/ so that SPF isn't checked twice
@@ -1857,3 +1859,26 @@ admins can submit their domain and IP address to indicate trustworthiness.
 
     to find out where this file should be.
 
+[^spf_processing_redundancy]: The OpenDMARC milter will be run before the SPF policy daemon, meaning that OpenDMARC
+    must do its own SPF checking. This makes postfix-policyd-spf-perl redundant, and results in multiple SPF checks in
+    our email headers (e.g. see email headers [here](#double-spf-headers)).
+
+    To get around this, you'd probably have to use a milter to validate SPF, and just list the milter before OpenDMARC.
+    I had a bit of a look around for SPF milters and found [ACME's
+    spfmilter](https://www.acme.com/software/spfmilter/), but had issues compiling it on Alpine; it complained about
+
+    ```
+    spfmilter.c:1623:2: error: #error "neither libspf nor libspf2 is present - please provide one"
+     1623 | #error "neither libspf nor libspf2 is present - please provide one"
+          |  ^~~~~
+    ```
+
+    despite having `libspf2` installed. Potentially this is a musl issue, but I'm doubtful that a project like this
+    would be tied to glibc specifically.
+
+    I tried compiling it on Artix Linux and it compiled just fine with the right dependencies installed, so the program
+    does compile.
+
+    If anyone can either [suggest](/contact) a way to get ACME's spfmilter to compile on Alpine, or an alternative
+    solution to this problem, that would be helpful.
+