diff --git a/postfix/tasks/packmail.yml b/postfix/tasks/packmail.yml
index e485d6b1..d7c37611 100644
--- a/postfix/tasks/packmail.yml
+++ b/postfix/tasks/packmail.yml
@@ -6,6 +6,7 @@
   with_items:
   - postfix
   - postfix-ldap
+  - postfix-policyd-spf-python
   - mailgraph
   tags:
   - postfix
diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2
index 2f0fb75f..5e80dbf5 100644
--- a/postfix/templates/packmail_main.cf.j2
+++ b/postfix/templates/packmail_main.cf.j2
@@ -339,6 +339,7 @@ smtpd_recipient_restrictions =
     permit_mynetworks,
     permit_sasl_authenticated,
     reject_unauth_destination,
+    check_policy_service unix:private/policyd-spf,
     check_client_access hash:$config_directory/client.access_local,
     check_client_access hash:$config_directory/client.access,
     check_sender_access hash:$config_directory/sender.access_local,
@@ -350,6 +351,8 @@ smtpd_recipient_restrictions =
     reject_non_fqdn_sender,
     reject_unauth_pipelining,
 
+policyd-spf_time_limit = 3600
+
 header_checks =
     regexp:$config_directory/header_kill_local,
     regexp:$config_directory/header_kill
diff --git a/postfix/templates/packmail_master.cf.j2 b/postfix/templates/packmail_master.cf.j2
index 69964605..6f693c8a 100644
--- a/postfix/templates/packmail_master.cf.j2
+++ b/postfix/templates/packmail_master.cf.j2
@@ -116,6 +116,9 @@ mailman   unix  -       n       n       -       -       pipe
 
 slow      unix     -       -       n       -       -    smtp
 
+policyd-spf  unix  -       n       n       -       0       spawn
+  user=policyd-spf argv=/usr/bin/policyd-spf
+
 dovecot   unix  -       n       n       -       -       pipe
   flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}