Self-hosting email in 2025 is easy actually (apart from M365) (mastodon.social)
61 points by prettymuchnoone 27 days ago | 76 comments


> i think the myth of "you can't self-host email" persists because while it can evidently be done, basically all of the software involved is ancient, baroque, inconsistently documented, requires a PhD in Bullshit to correctly configure, and is almost actively hostile to observation. but this is _annoying_, very different from _impossible_, and fortunately mostly solvable by delegating the annoying bits to an expert using something like NixOS to make it reliably work

Why are they calling this a “myth” when they readily admit that even when you are an expert who has been doing it for years, there’s still problems sending to the biggest providers in the world?

There is zero practical difference between “you need to be an expert and you will still fail to get something fundamental working” and “you can’t self-host email”.

> Microsoft 365 however apparently will hate your email no matter what. you learn to live with it

Or you don’t self-host but use a major email provider and don’t have the problem.

> there exist several pieces of folk wisdom:

> - "you cannot run your own mail server in 2025, this is too hard and time consuming" (completely false, i've done this since ~2010 with minimal ongoing maintenance)

This seems completely true according to what they themselves write. It is too hard and time consuming.

> I think the combo of "roll the IP gacha a few times" + "let it sit for 8 months while the VM idles" probably did me a lot of good here

Is letting it sit for eight months not “time consuming”?

> until I cleaned up my IP reputation (which has been awful for almost a decade) Gmail refused to deliver to anything but spam

This is not in any way acceptable to the average person, and it does not meet what most people would describe as “I can self-host email”. “I can self-host email but Gmail sends me to spam” is functionally equivalent to “I cannot self-host email”.


I have self-hosted my mail server since at least 2001 and while it occasionally requires hours of intense work, I consider it a hobby and a way to refresh my Linux system administration skills.


>> Microsoft 365 however apparently will hate your email no matter what. you learn to live with it

> Or you don’t self-host but use a major email provider and don’t have the problem.

This does not follow.

There can be delivery problems between Gmail and m365 - and even between m365 and m365 - and vice-versa.


> There can be delivery problems between Gmail and m365 - and even ... - and vice-versa.

Absolutely not on the same scale as 'your' mail-in-a-box toy, though. I'm with OP, even for those who can roll Exim with NixOS or whatever the latest fashion is: mail is not worth the hassle.

I pay Zoho and do/host better things with my time [nearly anything], I have nothing to prove. They [or another provider, not an ad] can fight the mail hegemony; not interested, personally.


There is a difference though between “it will not work no matter what” with self hosting and “there is chance it will not work” with a hosted solution.


> Or you don’t self-host but use a major email provider and don’t have the problem.

Or you just use a mail relay as most VPS providers enforce anyway.


What VPS providers enforce a mail relay? Not DigitalOcean or Hetzner according to the author.


Mine does. I would prefer if it didn't, as that means that I can't reject SPAM that wouldn't pass address verification, but using it for sending is nice.


Or you just don't have/can't afford a device and internet running 24/7.


Microsoft 365 is corporate business email for corporate businesses. If you're a corporate business, you're already using it, and if you're not then you probably don't want to talk to anyone who's using it anyway. Even if you could pass their filtering, they'd just manually ignore your emails because they only want to talk to corporate businesses.


Microsoft 365 has personal, family, small business, enterprise, and education plans. Businesses use email for customer service and hiring also.


Maybe persons and families should stop using email services that refuse to deliver them the emails they want. If I personally use /dev/null as my inbox does it become your problem to ensure mail delivery?

I recommend that whenever you know someone cares about receiving an email much more than you care about them receiving it, just send it. They'll do what they have to, and this way we can weed bad providers out of the market. Some websites with email verified sign-up have a simple FAQ to let you know what's causing the problem.


Most people at e.g. Oxford and Cambridge (and, I suspect, many other universities) use their university emails for a fairly wide variety of extramural correspondence, and are stuck with M$ as the provider, alas.


IP reputation is a gamble, and there is no recourse. If you're lucky, awesome. But if you're unlucky and switching host isn't an option, you pretty much have to involve a large third party to act on your behalf - there is zero appetite in the industry for interacting with individuals.

The best solution I've been able to find is to self-host /almost/ everything, but route outgoing mail through Amazon SES.

The pricing for vanity email volumes is negligible (a few cents a year), and they have people whose full time job is wrangling IP reputation / Office 365 / etc.

This setup has survived several ISP/hosting switches; at times when I am lucky with IP reputation I route only mail going to Office 365 recipients via SES and deliver the rest directly; at times when I am less lucky, everything goes via SES.


The whole IP reputation problem seems to mostly be a Google/Microsoft problem.

Unfortunately, most of the world seems to use one of those two platforms.

Routing mail to those two services via a third party seems like the wisest choice. May I ask how you implemented that?


I use exim4. So after doing the usual SES setup, I can change the smarthost router to look like this:

    SMARTHOST_FOR_MS = email-smtp.us-east-2.amazonaws.com::587

    smarthost:
      debug_print = "R: smarthost for $local_part@$domain"
      driver = manualroute
      domains = ! +local_domains
      transport = remote_smtp_smarthost
      route_list = hotmail.com    SMARTHOST_FOR_MS byname ; \
                   live.com       SMARTHOST_FOR_MS byname ; \
                   outlook.com    SMARTHOST_FOR_MS byname ; \
                   msn.com        SMARTHOST_FOR_MS byname ; \
                   live.co.uk     SMARTHOST_FOR_MS byname ; \
                   hotmail.co.uk  SMARTHOST_FOR_MS byname ; \
                   *              DCsmarthost      byname
      host_find_failed = defer
      same_domain_copy_routing = yes
      no_more
If there was a much larger list of problem destinations I'd maybe do something nicer involving separate routers and a domainlist, but those cover all the cases that are broken right now.


How about custom domains hosted on m365?


Interestingly, I've not had a problem delivering directly to those (except the time I switched to an IP block with a bad rep and couldn't deliver anything anywhere directly at all); it's just the ones on the list above that don't like me.

Mysterious and ineffable are the ways of Microsoft.

(note that their MX record is usually a *.protection.outlook.com entry regardless of the custom domain, so I'd use that to bootstrap a rule if I had a more general problem with Microsoft)


how does that work with SPF, DMARC, DKIM?

don't you have to authorize email-smtp.us-east-2.amazonaws.com to send email on your behalf?

if you don't wouldn't every spammer use that?

also, how much does that cost? i don't need to send more than a dozen email per year like that.


Yes, you do need to include:amazonses.com in your SPF. Amazon aren't too bad at kicking spammers off SES promptly. More importantly, Amazon doesn't sign for DKIM - your server still does that; so no-one else gets to DKIM for you; and you can set the DMARC policy to require both.

SES currently charges $0.10 per 1000 outbound emails. The first 3000 mails are free. I received my first official bill for $0.02 after around two years of use.

Do investigate other relay services. I only stopped at SES because I was in a mad rush and it was the first one I tried that did everything I needed, without bouncing or getting filed to trash on any services I cared about. I have done nothing like a full survey of the market, and there may well be a better option. It is the general approach I am suggesting, not trying to shill SES specifically despite what it may look like.
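The questions above (SPF `include:`, who signs DKIM, and what DMARC does with the two results) can be checked offline. The following is an added example, not code from the thread or from any relay provider: a minimal SPF evaluator for the `ip4`/`ip6`/`include`/`all` mechanisms plus a DMARC alignment check in the style of RFC 7489. All DNS records are constructed stand-ins (the `amazonses.com` record here is a hypothetical one, not Amazon's real SPF), and the organizational-domain logic is a labelled simplification. Note that DMARC passes when either aligned SPF or aligned DKIM passes; keeping DKIM signing on your own server gives you an aligned path that does not depend on the relay's SPF at all.

```python
import ipaddress
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups. These records are hypothetical
# (example.org is a reserved name and the amazonses.com record is NOT the
# real one); nothing here is resolved over the network.
FAKE_TXT = {
    "example.org": ["v=spf1 ip4:203.0.113.10 include:amazonses.com -all"],
    "amazonses.com": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_dmarc.example.org": ["v=DMARC1; p=reject; adkim=s; aspf=s"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip, txt=FAKE_TXT, _budget=None):
    """Evaluate the ip4/ip6/include/all subset of SPF (RFC 7208) for sender_ip."""
    if _budget is None:
        _budget = [10]  # RFC 7208 caps DNS-querying mechanisms at 10 per check
    records = [r for r in txt.get(domain.lower(), []) if r.startswith("v=spf1")]
    if not records:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        if "=" in term:          # modifiers (redirect=, exp=) are not modelled here
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            _budget[0] -= 1
            if _budget[0] < 0:
                return "permerror"
            matched = spf_check(arg, sender_ip, txt, _budget) == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"   # a/mx/ptr/exists are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def dmarc_policy(domain, txt=FAKE_TXT):
    """Return the p/adkim/aspf tags of the domain's DMARC record, or None."""
    for r in txt.get("_dmarc." + domain.lower(), []):
        if r.startswith("v=DMARC1"):
            tags = dict(kv.strip().split("=", 1) for kv in r.split(";") if "=" in kv)
            return {"p": tags.get("p", "none"),
                    "adkim": tags.get("adkim", "r"), "aspf": tags.get("aspf", "r")}
    return None


def org_domain(d):
    # Simplification: the last two labels stand in for the organizational
    # domain; real implementations consult the Public Suffix List.
    return ".".join(d.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(from_header, mail_from_domain, sender_ip, dkim_result, dkim_domain, txt=FAKE_TXT):
    """Combine SPF and DKIM results with alignment the way a receiver does (RFC 7489)."""
    from_domain = parseaddr(from_header)[1].rpartition("@")[2]
    policy = dmarc_policy(from_domain, txt) or {"p": "none", "adkim": "r", "aspf": "r"}
    spf = spf_check(mail_from_domain, sender_ip, txt)
    spf_aligned = spf == "pass" and aligned(from_domain, mail_from_domain, policy["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    passed = spf_aligned or dkim_aligned
    return {"spf": spf, "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if passed else "fail",
            "disposition": "none" if passed else policy["p"]}


if __name__ == "__main__":
    # Mail relayed through the included range, DKIM-signed by the origin server.
    print(dmarc_evaluate("Alice <alice@example.org>", "example.org",
                         "198.51.100.7", "pass", "example.org"))
    # Same relay range, but a forged From: with an unrelated return path and no DKIM.
    print(dmarc_evaluate("Alice <alice@example.org>", "bounce.relay.example",
                         "198.51.100.7", "none", ""))
```

The second call is the case the question is really about: anyone else using the same relay range passes SPF for their own return-path domain, but without an aligned identifier it does nothing for a forged `From:` under your domain, and `p=reject` tells receivers to drop it.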


"not trying to shill SES specifically"

i didn't assume that. obviously you can only talk about the one that you are using, and while the general setup applies to other such services, i can now file SES as an option that works. and with that price point i am probably going to be to lazy to look for alternatives. (although i should check if the email service i am already paying can do that too without requiring me to send all emails through them)


Excellent, thank you!


You can usually switch host. Some have better IP reputations than others.

There are quite a few other providers of email forwarding services, although I might look at SES myself if it's that cheap, as I have issues with hotmail (I seem to be OK with most mail to MS-hosted email on other domains, oddly enough).


> You can usually switch host

...it took OP 8 months of "rolling the gacha" and waiting to get a clean IP; no mention of costs. Not really a solution in my book. If you're willing to wait 8 months for working email, I put it to you that you're actually using some other provider for your life and the thing you are playing with is a toy.

I've been self-hosting my email for a pretty long time. I first started down the reputation rabbit hole when a provider decided to shut up shop after a decade of operation, causing me to lose my lovely fixed IP block with its decade-old clean rep. Waiting/playing around isn't really an option when your email is broken and you need it working /today/ because it's not a throwaway toy - your digital life is tied to it.

Still, as I said at the start, if you get lucky, awesome for you.


If cost is not an issue one can run standby servers in multiple locations and have backups to all of them. Just as MX records allow for multiple inbound servers one can have multiple outbound servers as well. Park a few unused or vanity domains on them and have cronjobs send automated emails to yourself. I reply to those emails so the likes of Gmail see interaction between them. With time all IP addresses get good reputation.


An IP laundering service certainly sounds like a potential startup opportunity. Certainly I'd have paid for a proven good IP in the past before I developed my current solution.


You mean reputation laundering?

Email marketing services provide a similar feature called IP warm-up which does the same thing but over a shorter timeline.


...as disconnected from "email marketing services" as possible, please, because IME gmail is wise to those and files email associated with them directly in the trash regardless of all other concerns.

I suspect the reason SES is an exception is because it is very widely used for things like e-tickets, transaction confirmations and so on, and also goes to a nonzero amount of trouble to dissuade marketers rather than having them as the main customers.


> ..it took OP 8 months of "rolling the gacha" and waiting to get a clean IP; no mention of costs.

I don't see anything about it taking the OP 8 months to get a clean IP? They were on Hetzner, and can presumably keep making new VMs for a while until they get a clean one. Hetzner bills based on hours used, so I imagine the total cost would be quite low.


> I dont see anything about it taking the OP 8 months to get a clean IP?

Here you go: https://mastodon.social/@whitequark/115298148901108415


Did switching your deliverer to SES have any effect on how clients like Gmail “tagged” your email? (Promotional category or something IIRC)


Nope. The biggest impact on gmail was making sure I had DMARC, DKIM and SPF all set up correctly.

(I tried several other relay services like mailgun and those /did/ have noticeable impact - SES was the first one I tried that didn't, so I stuck with it).


The thing about self-hosting email is that, even after getting rated 10/10 in every mail checker service and after nearly 1 year of service, Gmail still marks it as spam. So Gmail is basically the monopoly that undermines small startup businesses by marking their email service as spam. But ofc this will happen because Europe allows it, making European lawmakers an inferior entity even to a private company.


Is it from sending mass emails that look like spamming? I've never had a problem sending to Gmail but my personal server is only used by me and a few others for personal email.


We communicate via email exclusively with our existing users and clients, who in 99% of the cases contact us first (from the same Gmail address that marks our service as spam); we don't have time to spam, which anyway would damage our reputation. The funny thing is that all this happens mostly with traffic in our own continent, in our own country (we are not even trying to get intercontinental clients)!


I've been running my own mail server with several domains for me, my now wife, and friends since 1999. It's definitely changed with time and gotten more strict with things like spf, dkim, dmarc, and reverse dns all becoming necessary over the years.

But it's not that difficult to be honest. Currently my internet provider is init7 and they offer fixed ip4 and set the reverse dns for me which lets me run the server downstairs in the cellar instead of at a colo somewhere (which I was doing for maybe 15 years).

Every now and then I look into moving to a paid service but we have GBs of mail since 1999 and it's just too costly when it's pretty much free for me to host it myself, even taking into account the time it takes for my effort, which is practically zero.

Plus I use my server for a ton of other stuff so it will always exist so I may as well host email too.


Wanted to add something... the biggest issue I've had in the last few years is having to whitelist senders to skip the temporary rejection (smtp 4xx code) process to reduce spam.

Basically, someone new emails me and my server responds with a temporary rejection message saying to try again later and then when their server retries the message 5 minutes later it allows it to go through. This is a standard process to block spammers.

However lately when their email service resends the message it will come from a different server. Something like mailserver-1, then mailserver-2, then mailserver-3, each with a different ip address and each time it gets rejected until it reuses one of the addresses. But with apple for example they have hundreds of servers to cycle through and eventually the message times out and is rejected at their end.

So I have to whitelist senders to skip the temporary rejection. It comes up every few months for me, having to whitelist someone. I think it's a result of every small- to mid-size company moving to providers and not hosting their own email, and these providers having dozens of servers. The domain of the server never matches the domain of the sender...
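The retry-from-a-different-host problem described above is a property of how the greylist key is chosen. As an added example (not the commenter's setup, and not any particular MTA's greylisting implementation), here is a small greylist keyed on (sender, recipient, sending network) with a configurable prefix length and a sender-domain whitelist, run over a constructed retry pattern from three hosts of one provider pool five minutes apart. Keying on the exact IP rejects all three attempts; keying on the /24 accepts the first retry. The addresses, domains and delay are assumptions made for the demo.

```python
import ipaddress
from dataclasses import dataclass, field

GREYLIST_DELAY = 300  # seconds a never-seen peer must wait before its retry is accepted


@dataclass
class Greylist:
    """Greylisting state keyed on (sender, recipient, sending network)."""
    prefixlen: int = 32                          # 32 = classic per-IP key; 24 = treat a /24 pool as one peer
    whitelist: set = field(default_factory=set)  # sender domains that bypass greylisting entirely
    seen: dict = field(default_factory=dict)     # key -> timestamp of the first attempt

    def _peer(self, ip):
        # Collapse the sending address to its network so a provider's rotating
        # outbound hosts in one block count as the same peer.
        return str(ipaddress.ip_network(f"{ip}/{self.prefixlen}", strict=False))

    def decide(self, sender, recipient, ip, now):
        """Return the SMTP decision for one delivery attempt at time `now`."""
        domain = sender.rpartition("@")[2].lower()
        if domain in self.whitelist:
            return "250 accept (whitelisted)"
        key = (sender.lower(), recipient.lower(), self._peer(ip))
        first_seen = self.seen.setdefault(key, now)
        if now - first_seen < GREYLIST_DELAY:
            return "451 4.7.1 greylisted, try again later"
        return "250 accept"


# Constructed retry pattern: the same message retried from three different
# outbound hosts of one provider pool (all in 203.0.113.0/24), five minutes apart.
POOL_ATTEMPTS = [
    ("alice@provider.example", "me@mydomain.example", "203.0.113.1", 0),
    ("alice@provider.example", "me@mydomain.example", "203.0.113.2", 300),
    ("alice@provider.example", "me@mydomain.example", "203.0.113.3", 600),
]


def simulate(prefixlen, whitelist=()):
    """Run the constructed attempts through a fresh greylist and return the decisions."""
    gl = Greylist(prefixlen=prefixlen, whitelist=set(whitelist))
    return [gl.decide(*attempt) for attempt in POOL_ATTEMPTS]


if __name__ == "__main__":
    for label, plen, wl in (("per-IP", 32, ()),
                            ("per-/24", 24, ()),
                            ("whitelisted", 32, ("provider.example",))):
        print(f"{label:12}", simulate(plen, wl))
```

Widening the key is a trade-off: a /24 lets a legitimate provider's pool through on its first retry, but also lets a spammer who controls several addresses in the same block pass with one retry, so a per-sender-domain whitelist stays useful for the few providers whose pools span many blocks.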


I’m surprised this works, usually residential IP blocks are in DNSBL.


I have no problems with my current home ip address (here in Switzerland with the provider init7) but years ago (~20) when I moved my server to a Colo the ip address was marked as a spammer because of the previous owner of the address. It didn't take long to make the ip address clean though - some online processes and also sending some emails. This was so long ago I barely remember what I had to do and I'm sure the process is different now because back then you could contact an actual human...


O365 and gmail should be honorably mentioned as places that will deliver both inbound and outbound to/from an IPv6-only MX.

A lot of other servers will not play ball here. Your self-hosted mail server, if it lacks IPv4, will not get inbound from mailgun, mailjet, github; neither will it be able to send outbound to cisco/iphmx, as well as about 90% of small servers from what I see in my logs.


I am in favour of the middle ground. Rather than expending effort self hosting email, which while plausible is unequivocally a heavy lift for most, make use of smaller providers such as Fastmail or Protonmail. Just please stop consolidating the internet.


After using gmail for around a decade, I switched to fastmail a few months ago and have been extremely happy with the change.

I still have a lot of accounts associated to my gmail email, but i've been slowly migrating things over when convenient. It has been a much smaller lift than I anticipated and absolutely worth it.


I am also going with Protonmail, not because I can't set up my own server, but because I don't want to take care of yet another server whose loss (be it by hacking or by my mistake) would be catastrophic for my whole digital life. I would rather pay somebody else who knows what they are doing.


I used to host my own email until switching to Fastmail.

I recall roundcube to be pretty much the best webmail offering back when I was hosting but also severely lacking two important features:

1. Fast search against mailbox folders/labels with say 100k+ messages.

2. Handling multiple aliases, both individual and catch-all, and being able to automatically respond with the correct alias if an email is received using one.

Fastmail webmail handles the above two cases gracefully and it's usually the benchmark I apply when evaluating other providers. My understanding is roundcube is severely lacking, with search being IMAP SEARCH, and requiring you to enter multiple identities manually for each alias, which doesn't permit catch-alls.

But the real reason I stopped running my own mail is that I didn't trust myself with regular backups (even though I still do them via IMAP on occasion) and disaster recovery. I don't think anyone self-hosting really has this figured out.


But the real reason I stopped running my own mail is that I didn't trust myself with regular backups (even though I still do them via IMAP on occasion) and disaster recovery. I don't think anyone self-hosting really has this figured out.

On the server itself a cronjob calling rsnapshot [1] is a good habit in the event something gets corrupted or someone deletes mail by mistake and you want to save the day. rsnapshot uses hardlinks to avoid copying the same data, keeping the size small, which allows for many snapshots. Then a cronjob to call a script that uses either lftp+sftp+mirror or rsync to back up all the important things to a standby node, along with a corresponding script on the standby node to quickly copy everything into place and start everything in an idempotent manner, can get one back into operation quickly. All of this should be tested quarterly in the event some software update breaks any assumptions.

If running this on VMs in a VPS provider there may be an option in the VPS control panel to swap IP addresses on the active and standby assuming they are in the same region.

[1] - https://rsnapshot.org/rsnapshot/docs/docbook/rest.html


Not that helpful if say your server has been attacked by ransomware. Happened to my friend that I was colo-ing with who was running a mailserver at the time. He didn't have proper backups and/or DR (though I think his thick mail client had a copy of most of his mail); he didn't pay and instead moved everything to Fastmail.


If the server has been attacked somehow by ransomware then the sftp backups will be fine. sftp to a chroot sftp-only configuration and rsnapshot running on the remote end means one would have to not notice this for a very long time before all backups are corrupted. I am happy to demonstrate this if need be.

Adding to this, the time between backups can be shortened by using a different cronjob to utilize inotifywait in a loop and back up to a different or the same sftp account, achieving both scheduled and ad-hoc snapshots.


Yeah, then you need a monitoring solution for your backup, another colo for your DR, etc. You end up with all this overhead that you need to always be on top of, unless you can hire someone that you trust to maintain things for you. It's just better value hosting elsewhere where all these unhappy-path scenarios have been carefully considered and taken care of. I'm definitely not saying use free services either, as they do not even come with support, but there's a middle ground.


In terms of monitoring I could envision this just being a section of the backup script on the primary servers that perform a dry-run backup and if the delta is massive then something has likely tampered with the files, refuses to do a real backup and sends an alert, text message or otherwise. It would have to be something that people would not ignore.

The sftp backup servers in their script that kicks off their rsnapshot could also count total vs new files and alert if nothing has changed or too much has changed. Each person/org would have to determine what is an unusual time to go without changes assuming the primary mail servers have died due to malware or the new file delta is too big due to files all being tampered with.
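The "dry-run, compare the delta, refuse and alert if too much changed" check proposed above is simple to build. The following is an added example, not the commenter's script and not part of rsnapshot: it hashes a tree into a manifest, compares it with the previous manifest, and reports whether the share of modified-or-removed files exceeds a threshold (new files do not count, since new mail arriving is the normal case). The `demo()` function builds a throwaway spool in a temporary directory, so the threshold, file names and contents are all constructed; in practice the manifest would come from the previous snapshot and the alert would go wherever people actually look.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root)] = digest
    return manifest


def assess_delta(previous, current, max_changed_fraction=0.2):
    """Compare two manifests; refuse the backup if too large a share of known files changed.

    Only modified and removed files count towards the fraction: newly added
    files are what a healthy mail spool produces every day.
    """
    prev_paths, cur_paths = set(previous), set(current)
    modified = {p for p in prev_paths & cur_paths if previous[p] != current[p]}
    removed = prev_paths - cur_paths
    added = cur_paths - prev_paths
    touched = len(modified) + len(removed)
    fraction = touched / len(prev_paths) if prev_paths else 0.0
    return {
        "modified": len(modified), "removed": len(removed), "added": len(added),
        "fraction": round(fraction, 3),
        "ok": fraction <= max_changed_fraction,   # False means: do not push, raise an alert
    }


def demo():
    """Construct a small spool, take a baseline, then compare a normal day and a wiped tree."""
    with tempfile.TemporaryDirectory() as root:
        cur = os.path.join(root, "Maildir", "cur")
        os.makedirs(cur)
        for i in range(20):
            with open(os.path.join(cur, f"msg{i}"), "w") as fh:
                fh.write(f"Subject: constructed message {i}\n")
        baseline = build_manifest(root)
        # Normal day: one message gets a flag appended, one new message arrives.
        with open(os.path.join(cur, "msg3"), "a") as fh:
            fh.write("X-Flag: read\n")
        with open(os.path.join(root, "Maildir", "new_msg"), "w") as fh:
            fh.write("new mail\n")
        normal = assess_delta(baseline, build_manifest(root))
        # Tampered tree: every existing message overwritten in place.
        for name in os.listdir(cur):
            with open(os.path.join(cur, name), "w") as fh:
                fh.write("overwritten contents\n")
        tampered = assess_delta(baseline, build_manifest(root))
    return normal, tampered


if __name__ == "__main__":
    normal, tampered = demo()
    print("normal day :", normal)
    print("tampered   :", tampered)
```

On the receiving side the same `assess_delta` can be run by the sftp host against its last rsnapshot interval, with a second rule for "nothing changed for N days", which is the other signal the comment above mentions.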


My biggest issue with hosted email for a while was the disconnect that has developed between how most services now seem to bill and how over the now many decades (yeesh!) I've ended up using email. I have my own domains; on a technical level mailboxes ("accounts") are effectively free. So I've used them freely for separating usage (servers and services can all have their own accounts for emailing me notifications, I can use "accounting@mydomain.tld" for financial institutions, etc.). For my own servers/services in particular it's good that they have their own isolated email accounts with their own passwords or keys and no ability to spam the world, only email me. It also makes it really easy to use whitelists and ensure hard barriers and rules for important stuff so that even if an email address leaks it's irrelevant, and irrelevant in a deterministic manner. I still of course have general addresses that must accept traffic from the world and thus have to worry about spam, but a lot of the most key stuff where I never want to miss a message is from a pretty small circle.

All the typical recommended services though tend to treat mailboxes as the same thing as a person, charging an entire new fee for every single one, and then have hacks like aliases or catch-alls on top. Obviously that works for most and if you're setting up a new workflow can go with that and use other mechanisms for notifications, but for me changing at this point would be brutal. Self-hosted + relay (Amazon SES) works ok though.

That said, I've discovered two nice services (Migadu and MXroute, probably there are more out there somewhere) that charge along my own usage model. Migadu I think has been featured on HN before, and it seems solid. You can make arbitrary accounts under your domain as you wish, the charge is for storage and outgoing mail. So I'm now hybrid, and I could see that making me lazy enough to switch entirely. But I still think knowing how to do it yourself isn't a bad thing, there's some empowerment in having the fallback and remembering how it all works underneath. If nothing else as part of self-hosting you can run your own notifications through it.


There are actual reasons to self host that aren’t discussed here.

1) BEC filters. I run mail servers for several mid size companies that I am part owner of. We are constantly inundated by BEC scammers. But I now have filter lists that block it. You can't email my staff using any manager or boss's name and an e-mail that doesn't match. It basically shuts down the whole BEC scam. I have one business still on Google apps, and we have now had two employees in that business get fooled by the scammers.

2) speed. Amazon AWS SES is great until you want to send 150,000 emails a day. At this point you’re running into issues with network transfer speeds for each request taking too much time, causing the full outbound send to take too long to complete.
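The BEC filter described in point 1 (a known manager's name in `From:` paired with an address that is not theirs) is a display-name check. As an added example, not the commenter's filter lists, here is a Python version of that rule: it decodes the `From:` display name (including RFC 2047 encoded words), normalizes case, accents and punctuation, and rejects when a protected name appears with an address outside that person's allowed set. The directory of names and addresses is a constructed, hypothetical one.

```python
import unicodedata
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed directory of protected identities: these display names may only
# appear with these addresses (hypothetical people and domain).
PROTECTED = {
    "jane doe": {"jane.doe@example.com"},
    "raj patel": {"raj.patel@example.com", "raj@example.com"},
}


def normalize_name(display_name):
    """Decode RFC 2047 words, strip accents and punctuation, fold case and whitespace."""
    decoded = str(make_header(decode_header(display_name)))
    no_accents = "".join(c for c in unicodedata.normalize("NFKD", decoded)
                         if not unicodedata.combining(c))
    letters = "".join(c if c.isalnum() or c.isspace() else " " for c in no_accents)
    return " ".join(letters.lower().split())


def check_from(raw_message):
    """Return ('reject', reason) when a protected name is used with a foreign address."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    name = normalize_name(display)
    addr = addr.lower()
    for protected, allowed in PROTECTED.items():
        # Containment rather than equality catches "JANE DOE (CEO)" and
        # "Jane Doe via Docs"; a quoted display name holding the real address
        # ("jane.doe@example.com") also normalizes to contain "jane doe".
        if protected in name and addr not in allowed:
            return "reject", f"display name {display!r} used with {addr}"
    return "accept", ""


if __name__ == "__main__":
    # Constructed sample messages.
    for raw in (
        "From: Jane Doe <jane.doe@example.com>\nSubject: real\n\nbody\n",
        "From: Jane Doe <jane.doe.ceo@gmail.com>\nSubject: urgent\n\nbody\n",
        "From: =?utf-8?q?Jan=C3=A9_Doe?= <x@example.net>\nSubject: urgent\n\nbody\n",
    ):
        print(check_from(raw))
```

Matching on the normalized name (not the raw header) is what makes the rule hold up against the usual variations, such as accented lookalikes and encoded words; the obvious follow-up for a real deployment is to maintain the directory from the same source as the user list so that new managers are protected the day they join.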


My experience says quite the contrary: nowadays you have to be a mail giant to be able to send more than one mail. I.e. policy imposed by Gmail and M365 will keep you at bay from delivering the mail in more copies (e.g. to your subscribers), marking you as a potential spammer.


This may be just cargo culting on my part but when I warm up a new IP for sending mail I first email my mail server from Google, then reply to myself. I do this a few times and then they accept my emails without issue provided I am not emailing many people all at once before the IP has good reputation.


> will keep you at bay from delivering the mail in more copies (e.g. to your subscribers)

Well, sad fact is that one person's exiting subscription email is another person's spam.


I set up DMARC and immediately had to drop the ruf/rua tags from it. For a domain I barely use to send emails, others are sure trying a lot. I was getting too many reports and I could do nothing about those shady senders. So I chose not to be DMARC-spammed and set p=reject. Screw it.

Also — I use a mail host provider and I would even think about hosting my mail from “scratch”. And I am never using my domain as a disposable address domain or email per service kinda way ever again. Hell, I might even disable catch-all. Then stick to disposable and privacy email providers like SimpleLogin for the rest.


Actual situation:

Self-hosting email is great, if you have plenty of free time to waste, and if you don't particularly care if your messages are delivered.

One little thing the OP failed to mention is that even if you get a "lucky IP address" today, it can be randomly blocked (with no recourse) tomorrow by Google.


There’s also https://gitlab.com/simple-nixos-mailserver/nixos-mailserver , if you prefer to write not quite as much Nix yourself.

MS365 (outlook, hotmail) bounced my emails for a while. Not “classified as spam”, but outright rejected, so you can’t even ask the person to un-spam you, add to contact list, &c.

Luckily, very few people I know use those, and Gmail worked fine. MS365 also works now; I’m not sure what changed.


"Microsoft 365 however apparently will hate your email no matter what. you learn to live with it"

The entire thread is bullshit then, because you simply cannot learn to live without M365. M365 is one of the largest groups of recipients, especially in the business world (and business is where the money is). So I inbox my friends on GMail, but when I send my CV or an invoice to a business, my email is not received. How does that qualify as "self-hosting is easy and doable"? The delusion is strong in this one.


I've hosted my own email for over 30 years. About five years ago I switched from integrating it all myself, to using "mail in a box":

https://mailinabox.email/

It's modern, secure, and easy to manage.

It's free, but you are encouraged to donate.


I'm currently stuck with an awful hoster provider just because of IPs with a decade-old reputation.


Curious – for those self-hosting, what email _clients_ do you actually use on desktop/mobile?


I use apple mail and iOS mail. At one point my wife was using whatever Microsoft's email/calendar/contacts app is called but she's long-switched to apple products.

On the server I have sogo running so I also use iCal and the Mac and iOS contacts apps.


Are you happy with Apple/iOS Mail? Drives me absolutely insane.


Searching sucks but with Tahoe it has improved. It's funny - Apple's super old email client Cyberdog from the 90s had better search.


We built a cross-platform offline-first IMAP client:

https://marcoapp.io

Search is single-digit ms. All metadata stored on the client.

I built this over the course of a year, literally driven by my frustration with Apple Mail. Maybe give it a try!

Edit: Also, extremely brave of you to upgrade to Tahoe. No chance for me


What framework or frameworks?

> All metadata stored on the client.

Passwords, tokens, and attachments stored on your servers according to your privacy policy. And headers, message bodies, drafts, contacts, and flags if encrypted server cache meant what it sounded like. And telemetry with no choice mentioned.


It does but honestly less than those cloyingly glossy and sluggish Electron/hybrid apps out there. So it's not like we users are spoilt for choice.


Curious, which particular ones have you tried and hated?


Thunderbird and Apple Mail, mostly. Outlook if I have to. Same as for non-self-hosted e-mail?


Well, Gmail/Fastmail/etc have their own clients/products.


Ah, I see. Personally, I wouldn’t really consider using a vendor-specific app when the same vendor-agnostic workhorses have been doing their job fine for decades. Never used Fastmail but back when I still used Gmail, you could use it just fine with IMAP and your client of choice.


Personally apple mail. Thunderbird is also ok. Roundcube for webmail.


Thunderbird is an all-time legend.


With Microsoft you need to fill in a form first specifying your IP address and they will whitelist you, at least it used to work like that the last time I set up a new mail server a few years ago.


The only time I've had to do something like that is when I moved my server to a Colo and the previous owner of that ip address had sent spam and so that ip address was marked as a spammer. I had to go to several places to mark the address clean since there are multiple blacklists.


"Ah, this is obviously some strange use of the word easy that I wasn't previously aware of"



