How to reject spam emails with from field as my own email address?

I run my own postfix/dovecot email servers. Recently a lot of spam emails with identical from and to fields, which is my email address, flooded into my inbox. I added check_policy_service unix:private/policy to smtpd_recipient_restrictions, but it didn't stop the spam with my own email address as sender from flooding in. I checked other similar questions, but none of them helped. I wonder if there is other places that I need to pay attention to in the postfix configs.

I have spf set in the dns:

$ nslookup -type=txt mydomain.com
mydomain.com    text = "v=spf1 mx a ptr include:mail.myemaildomain.com -all"

Here is a sample of the headers from one of the spam, with some very long encoded headers stripped. assuming my email is [email protected], and my mail server is mail.myemaildomain.com.

Return-Path: <>
Delivered-To: [email protected]
Received: from mail.myemaildomain.com
    by mail.myemaildomain.com with LMTP
    id 0KJAM+e2oGM0TgAAheIUKw
    (envelope-from <>)
    for <[email protected]>; Mon, 19 Dec 2022 19:09:27 +0000
Received: by mail.myemaildomain.com (Postfix, from userid 182)
    id CEFE8C6409; Mon, 19 Dec 2022 19:09:27 +0000 (UTC)
Received-SPF: none (qwwj.em.jennycraig.com: No applicable sender policy available) receiver=mail.myemaildomain.com; identity=helo; helo=qwwj.em.jennycraig.com; client-ip=103.198.26.226
Received: from qwwj.em.jennycraig.com (unknown [103.198.26.226])
    by mail.myemaildomain.com (Postfix) with ESMTP id 42098C6407
    for <[email protected]>; Mon, 19 Dec 2022 19:09:27 +0000 (UTC)
Received: from 10.226.14.104
 by atlas114.aol.mail.ne1.yahoo.com pod-id NONE with HTTPS; Thu, 15 Dec 2030 13:36:39 +0000
X-Originating-Ip: [209.85.218.45]
Received-SPF: pass (domain of gmail.com designates 209.85.218.45 as permitted sender)
Authentication-Results: atlas114.aol.mail.ne1.yahoo.com;
 dkim=pass [email protected] header.s=20210112;
 spf=pass smtp.mailfrom=gmail.com;
 dmarc=pass(p=NONE,sp=QUARANTINE) header.from=gmail.com;
X-Apparently-To: [email protected]; Thu, 15 Dec 2030 13:36:39 +0000
Received: from 209.85.218.45 (EHLO mail-ej1-f45.google.com)
 by 10.226.14.104 with SMTPs
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256);
 Thu, 15 Dec 2030 13:36:39 +0000
Received: by mail-ej1-f45.google.com with SMTP id n20so52313294ejh.0
        for <[email protected]>; Thu, 15 Dec 2030 05:36:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=to:subject:message-id:date:from:mime-version:from:to:cc:subject
         :date:message-id:reply-to;
        bh=TJRpkbHmfqiYQcSzQM9QyAcKyxwfgZJL1vLIP4WWyzY=;
        b=PU/nv5+QLQUtFFhUFU6EkFLDEIAN0MjTP0TDPeoWc6O/rXu53+DCp7cua72BLe3k8Y
         SpiPuVwH02uo87V3rs+L6KMLQaqA8V1D7vjU+3K5T9yP35DOf/bgtp3Nrb2d0Ejik0Bv
         U9ePCaf7UM8R1Gze97qvGeJv5o3nhtNuvCAFqcuHZVC14JxQMLALg2wyPF68X/CP6vUu
         EBMTPaudBc4bafJ8bJEkZgHCHIICpI9ZRYujIHcMxcm9EPlK+xTwhHDELRK8hwRPz1CC
         JdtoPMWBl6NY3if9ZiV2O9NuvAJdeht/PezOU3kJPmbul8jRATFI/aJfA4eaUu7SisJr
         FL8A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=to:subject:message-id:date:from:mime-version:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=TJRpkbHmfqiYQcSzQM9QyAcKyxwfgZJL1vLIP4WWyzY=;
        b=Xpo6Y73U27SLGh/HdXMGsR4X+ieN29ZLuTsnzxhavjS0nXbm8HuTIcZr4cni14HL7h
         qWXZLePK0vYJUHMHb2R57WgKNWJnBFBH9lmiJSf35OusIK2Z5iSk6BmmHVjl8niG9EmD
         XOL6EqVwmTl2BS9V80osHuJ7wIXzcAoq4Y+yZnVxPZogv2FjJ2tET9I9wQPVxM4ugXS3
         9KKQgBoFPHUfergCHZxWt5mESf1Ie7VLsH1nztjHRkyipCAaZ3rvb6aHz3TogId5QuaS
         yfOgSZQkCmStFywDTgxNuYwmYuOl+LBllaaB60bulStuwNKfkXU+vOAp9M8XcyTVhngV
         xGcw==
X-Gm-Message-State: ANoB5plygnE1J5uqPqvPqvpUDDb3uZ/3D5Q4+2HkJz9l2WUbBA1VD+OM
    48tFT8K/KxTy/bIun6chTilzwv3waaMeJ5EOu4SyvL3C
X-Google-Smtp-Source: AA0mqf6T7Vhk2yyHuKIYdn3h79y5dlZlN2Ix0VIGDvfU1s3z9grZ7sF2CkltwXmtFE8dsR3mTX53KHhoFnxtStqiZSs=
X-Received: by 2002:a17:906:f14:b0:7c1:4e5d:5543 with SMTP id
 z20-20020a1709060f1400b007c14e5d5543mr2799821eji.654.1671111399150; Thu, 15
 Dec 2030 05:36:39 -0800 (PST)
List-Unsubscribe: <https://rdir-agn.freenet.de/uq.html?uid=5ZQLJGH67TVWNMOX1LEGP4PK7PH1CI>,<mailto:[email protected]?subject=unsubscribe:5ZQLJGH67TVWNMOX1LEGP4PK7PH1CI>
X-tdResult: [email protected]
MIME-Version: 1.0
From: SAMS CLUB Stores<[email protected]>
Date: Thu, 15 Dec 2030 14:36:30 +0100
Message-ID: <q1RHyAoOuu2eraF=2mdqDgli8XJ5uM9dQNV6ANEdZER-DpL8i13n@mail.gmail.com>
Subject: Surprise in your inbox (for Shoppers Only)
To: me <[email protected]>

Entirely within Postfix's configuration

If you have configured email submission as a separate SMTP instance, as you should, you could use header_checks. This requires the Postfix's PCRE support to be installed.

As you only want this to the instance running on port 25, you should put in in your master.cf:

smtp  inet  n  -  y  -  -  smtpd
 -o header_checks=pcre:/etc/postfix/access/header_checks

And the PCRE map (to that file) for rejecting messages using example.com in the From header:

/^From: .*@example\.com/  REJECT  You are not me; example.com in From header.

However, this might be too strict considering email forwarding, mailing lists etc. Therefore, I would recommend using the better alternative below.

Implement DMARC & DKIM

Better and a more standard way is to implement DMARC, DKIM & SPF both for your domain and for your incoming mail. This way mail sent from any mail infrastructure you have permitted (either in your SPF policy or signed by a DKIM key found in your domain's DNS) can arrive your SMTP server.

1. Check for DKIM signatures using the OpenDKIM milter.
2. Check for SPF with postfix-policyd-spf-python:
   check_policy_service unix:private/policy-spf
3. Check for DMARC policies using the OpenDMARC milter.
4. Sign your messages with the OpenDKIM milter.
5. Publish a SPF policy with ~all (or -all).
6. Publish a DMARC policy with p=reject.