I tried maybe 15 years ago and it went about as well as you’d expect for back then. But I’m starting to get the itch again.
Have any of you tried relatively recently? How impossible is it to get reliable deliverability to gmail and whatnot these days?
I have self hosted my email since 2006. I gave up on self hosting outgoing mail in 2021, but I still keep the server up for incoming mail, and still set up throwaway accounts on there.
The hard part of hosting email is getting Google and Microsoft to accept outgoing mail. Tons of businesses that do not have visibly outlook .com or gmail .com addresses are still hosted by those servers.
I had SPF, DKIM, and a static datacenter IP address with no reputation problems. I still couldn’t get through to Microsoft, not even in people’s junk mail directory, until they manually whitelisted my address. Microsoft didn’t allow them to whitelist a whole domain. Google was a little easier, but they added new demands monthly.
In 2025, I can’t get reliable delivery to gmail .com addresses even sending from a hotmail .com address in the outlook .com web interface.
Used mailcow for years but recently switched to stalwart just for cutting edge features like jmap.
Been self hosting email for a good while now and it’s been largely painless. My emails are not getting marked spam either. Although my only outgoing mails are to FOSS mailing lists and occasionally to individuals, not for anything business related.
I would say that if self hosting email sounds like something you’d be interested in, then it probably is worthwhile for you. I like being able to configure my mail server exactly the way I want it, and I have some server side scripts I wrote for server side mail processing, which is useful as I have several different mail clients so it makes sense to do processing on the server rather than trying to configure it on my many clients. It definitely falls into the “poweruser” category of activities but I’ve had fun and I enjoy my digital sovereignty.
I’ve been self hosting email successfully for 20 years. My goto article for this question:
https://poolp.org/posts/2019-08-30/you-should-not-run-your-mail-server-because-mail-is-hard/
TLDR;
- Mail is not hard: people keep repeating that because they read it, not because they tried it
- Big Mailer Corps are quite happy with that myth, it keeps their userbase growing
- Big Mailer Corps control a large percentage of the e-mail address space which is good for none of us
- It’s ok that people have their e-mails hosted at Big Mailer Corps as long as there’s enough people outside too
OK SPAM is not the issue but my mails will not reach my users at Big Mailer Corps
The article’s answer to this one is handwavey “there are rules that spammers can’t meet, but you can do it just fine”. This is not the whole story by far. This is a more comprehensive overview of why it doesn’t work:
On a dynamic IP connection, you can very easily have had the address flagged already. If the one you have now isn’t flagged, the one you get later might be. Debugging intermittent problems is not fun.
They also like it when your domain has shown good behavior already. I can do that because my domain has existed for over 20 years and I’ve hosted email on it in one form or another for that whole time. A person starting out on their own is not going to be able to do that.
This doesn’t necessarily mean that the big providers are the only option. There are smaller providers, like Fastmail.
Lastly, any server config where they claim it’s easy because “the configuration reads almost as plain english” is a big red flag for me. Plain language config or programming does not work as well as anyone thinks.
Never read this article before, thanks for sharing!
If I had to make one suggestion, I would use a trusted third party to relay outbound e-mail such as AWS SES, mxroute, sendgrid, mailgun, etc. When I was looking for a job a few years ago, I found many potential employers’ systems would flag my e-mails as junk or simply delete them, and I had to revert to gmail. My second suggestion is to properly set up TLS/SSL for security, and SPF, DKIM, and DMARC for maximum deliverability. I’m currently using a deprecated application, but I’ve been testing mailcow which seems alright.
Beware that Mailgun doesn’t differentiate between transactional and marketing emails, this could hurt your deliverability.
Selfhost several domains for over 25 years, from home, on a dynamic IP (though it hasn’t changed in a long time) and no PTR records, and I have literally had zero problems with blacklisting or dropped connections. I must live a charmed life, or have set up my DKIM/SPF/dmarc records correctly.
Currently using mailcow-dockerized and it’s lovely.
mailcow-dockerized is great, really makes email setup so much easier.
Do you ever send mails to Gmail and Office365? Do you get through the spam filter without PTR record?
Do you ever send mails to Gmail and Office365
All the time, never had an issue. I get dmarc reports constantly since I set my dmarc to notify, not just failed, but I’ve never seen PTR checked on Microsoft or google. It passes SPF and DKIM (presumably spam but you don’t get a report for that) and they let it through. I used to think it was because I’ve had most of my domains for a long time, but the couple times I’ve brought a new domain online, they seem to be fine with them.
Now they might be passed because my old domains have never had an issue and they get associated because they come from the same IP?
My ISP would let me set a PTR if I wanted but I haven’t bothered because it doesn’t seem to be an issue.
I tried the all-in-one server Mox two years ago and it just worked. In fact, I’m still productively using it to this day.
The spam filter could be a little better, but it does a good enough job IMO.
I tried, but my IMAP server recently stopped working. It also got flagged as spam by literally everyone I sent an email to.
I have not done so in the traditional sense in quite some years. My experience was that it was an increasing headache due to crashing into a wide variety of anti-spam efforts. Get email past one and crash into another.
Depending upon your use case – using the “forward to a smarthost” feature in some mail server packages to forward to a mailserver run by a SMTP service provider with whom you have an account might work for you. Then it still looks to local software like you have a local mailserver.
If I were going to do a conventional, no-smarthost mailserver today, I think that I would probably start out by setting up a bunch of spam-filtering stuff — SpamAssassin, I dunno what-all gets used these days on a “regular” account — and then emailing stuff from my server and seeing what throws up red flags. That’d let me actually see the scoring and stuff that’s killing email. Once I had it as clean as I could get it, I’d get a variety of people I know on different mail servers and ask them to respond back to a test email, and see what made it out.
I’ve been hosting my own email servers for 20 years without issue. But email systems were a huge part of my IT career so it was easy.
It works great if you have static IPs and know what you’re doing in terms of following best practices. If you’re missing those two things you’re going to have a bad time.
If you have the statics and want to learn, I’d recommend purchasing a test domain and getting the kinks worked out before you move a domain you care about to your own system.
My hosting company has an outgoing mail server that I can use and as long as they’re doing the external DNS of the domain in question it works perfectly well.
Mostly though, from my own domain I am only sending automated messages from applications I host like NextCloud or Grafana from a “no-reply” address. There would almost certainly be privacy implications if I were to use it for personal mail.
So, if yoy are looking for a simple way to get email notifications from automated processes, this ain’t a bad way to go about it. If you want more, I would consider who can ready your outgoing mail and if you are ok with that.
I really like the idea of having my own server, where I could have a bunch of cool stuff like email, VPN, Nextcloud, and so much more. The primary reason why I don’t have a server like that, is because I can’t trust myself to follow the best practices. For a while now, I’ve been thinking that I should hire a proper professional to take care of all that.
Any wisdoms to share?
Yeah, don’t do it.
Lol. After professionally hosting email for 15 years I’m happy to let someone else handle it now.
About 90% of incoming mail will be spam and it will be your job to make sure you are doing good job of classifying it so you don’t get junk in your inbox and don’t lose real mail in the spam folder.
Then for outgoing mail you need to make sure SPF, DKIM and DMARC are all in order.
Then there is all the usual stuff of security updates, backups, monitoring, alerting, logging and having a plan for internet outages.
Yes, it’s all doable but I won’t expect it be “set and forget”. I expect there will be quite a bit of tuning with some possible spam and delivery problems while you get kinks worked out.
I have been using my own email for many years (to this day). Everything is working great. The main thing is to have a static IP and be able to specify your domain in the PTR record of the ip address.
In general, you will need: postfix (https://wiki.archlinux.org/title/Postfix) OpenDMARC (https://wiki.archlinux.org/title/OpenDMARC) OpenDKIM (https://wiki.archlinux.org/title/OpenDKIM) Dovecot (https://wiki.archlinux.org/title/Dovecot) Some interface to choose from (soGO, roundcube) Maybe graylists, ClamAV, SpamAssassin, or something else to protect your mailbox from spam and viruses. And if you want filtering functionality, then you also need Sieve.
Where are you hosting your mail?
On my home server. My ISP gives me a static address and makes PTR records for only about $1.5 per month.
How do connect to your mail’s server outside your home network?
Sorry for all the questions, I’m trying to get my DNS working with a vpn and it’s been difficult.
If you want to be able to accept mail, you’ll need to directly expose your mail server on your public IP (router configuration required). You’ll also need to allow your server to egress your WAN as well. That being said - if you really want tighten your security, and don’t care about missing some emails, you could limit your server to seeing only those servers you know you’ll be communicating with, such as work, bank, or GMail servers only.
You can make it so that retrieving your email with your client of choice requires a VPN connection to your home network also.
Well… as I already wrote, my home server is literally on the Internet because I rent a static public IP address from the provider.
But if you have a VPS, then you just need to do port forwarding to your server with a VPS, and then add the following entries to the mx DNS server:
you.domain. 21600 IN MX 10 you.first.vps. you.domain. 21600 IN MX 20 you.second.vps.Where 10 and 20 are the server priority Or if the VPS is part of your domain then:
you.domain. 21600 IN MX 10 first.vps.you.domain. you.domain. 21600 IN MX 20 second.vps.you.domain. first.vps.you.domain. 21600 IN A 1.1.1.1 second.vps.you.domain. 21600 IN A 2.2.2.2And if you also have IPv6, you can do
first.vps.you.domain. 21600 IN AAAA fd00::1 second.vps.you.domain. 21600 IN AAAA fd00::2Where 1.1.1.1, 2.2.2.2, fd00::1 and fd00::2 are the addresses of your VPS
You also need to enter the address in the SPF:
you.domain. 21600 IN TXT "v=spf1 +mx -all"What does it mean
v=spf1 is the SPF version.
+mx – it is allowed to send mail from the IP addresses specified in the MX records of the domain.
-all – prohibits sending from any other servers (hard refusal).
Also, in order for the signature to work on the mail server, you need to make several TXT entries (for a detailed explanation, see my links about DKIM):
keyname.__domainkey.you.domain. TXT "v=DKIM1; ...%DKIM params%"and
you.domain. 86400 IN TXT "v=DMARC1...%dmarc params%"And you need ask you VPS provider set PTR for you VPS IP address with first.vps.you.domain. Or some providers access that config in web panel.
But in reality, this will only allow you to receive incoming mail. In order for outgoing mail to work, it is necessary that the mail server and all the strapping go through the VPS to the Internet. This requires a rather complicated configuration of iptables, and I recommend that you simply either fill up the mailer on a VPS (there will be a maximum of gigabytes of mail. it’s not that heavy), or buy a static address at home.
If you still decide to go the hard way, here’s an approximate plan for what you need to do in the spirit of iptables, because setting it up in firewalld is a real torment.:
*mangle :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] -A OUTPUT -m owner --uid-owner 924 -j MARK --set-mark 0x300 COMMITwhere 924 is the postfix user ID, you may have a different number. check it out
ip route add default via 10.8.12.4 dev wg0 table 100adding the default route via the VPS address to the routing table 100. replace 10.8.12.4 with the address of your VPS and wg0 with the name of the interface for communication between the VPS and home. Then
ip rule add from all fwmark 0x300 lookup 100We are sending all packets with the label 0x300 to the routing table 100. In other words, the postfix user will have his own custom routing table via VPS.
This creates several problems due to the fact that with this configuration, it may not be possible to connect to postfix via your server’s interfaces. But in basic case all will work. Bypassing this problem will create even more complex routing rules and will generally be overkill. But if you’re interested, write to me and I’ll sign it.
Lucky. I need to use an external service for 12€/month with 100Mbps and 1TB/month limits, per VPN.
I’ve been running my own mail for 10+ years. I recommend rspamd for spam filtering. It took the place of SpamAssasin, grey listing, SPF checking, etc. All in one single system.
Thanks, I’ll give it a try sometime.
I have been self-hosting my mail server for the past 5 or 6 years with success. Recently my ISP decided to close port 25 so I have to use a third party to deliver my outgoing mail.
The fact that ISPs can do this should be a fkn outrage. But this is so far removed from what people care about. And so net neutrality gets eroded.
I don’t think they want to bother with the administration, they were forced to to stop anyone from spamming from random SMTP servers.
Because of dmarc and DKIM, we don’t really need this anymore, but there were good reasons for it.
I know some ISPs can enable it if you call them and ask them
Reminder that you can go for hybrid approaches; receive email and host IMAP/webmail yourself, and send emails through someone like AWS. I am not saying you can’t do SMTP yourself, but if you want to just dip your toes, it’s an option.
You get many of the advantages; you control your email addresses, you store all of the email and control backups, etc.
…
And another thing: you could also play with https://chatmail.at/relays ; which is pretty cool. I had read about Delta Chat, but decided to play with it recently and… it’s blown my mind.
Indeed. Owning your mail is a spectrum. I think it’s really best to transition from something like gmail to fully owning the stack in steps, over a significant amount of time. It will take a while to change over the address on everything a while anyway. No real need to go whole-hog right away and then burn out.
Email is the hardest thing to self-host, but it’s definitely doable. You’ll need a static IP, and you’ll need to talk to your ISP to make sure outbound connections on port 25 are open.
Set up your servers and your DNS settings (another commenter gave a good guide), then use this tool to check that DKIM and SPF are working and that you’re not seen as spam with SpamAssassin:
Once that’s done, take your static IP and check it with this tool:
https://mxtoolbox.com/blacklists.aspx
If it’s on any of the lists, you’ll need to go to those lists’ sites and try to get it removed. You might need to make an email address for “postmaster@yourdomain” at this point.
Beyond that, you may need to “warm up” your IP address, by sending email to yourself on various services (Gmail, Yahoo, Microsoft) and marking them as not spam.
Then you should be golden.
I had to do this for both my SMTP servers for Port87. If you use more than one server, this process gets a little harder, so probably stick to one at first.
I’m pretty sure gmail’s filters are per-user. I’ve had it react after just one flag/unflag, and I doubt that it would do that it would only take one action to change it for everyone.
It’s more of a signal that the IP address does send trustworthy email. AFAIK, IP reputation isn’t handled on a per-user basis. Domain reputation probably is.
I currently am and I have been hosting my own mail for the past several decades, so I can tell you from experience that it still is very much possible, but it has become significantly more complex than it used to be, not recommended for anyone who doesn’t have a particular interest in mail.
