Self-Hosted Email Is Probably a Bad Idea

The Seductive Idea

You’ve got a homelab. You’ve got a server. You’ve got time. Why not just run your own mail server? Independence from Big Tech! Full control! No spam filters silently dropping your emails!

Two weeks later, you’re debugging SPF records at 11 PM, wondering why Gmail keeps rejecting your mail, and someone’s bruteforcing your SMTP port.

I’m gonna save you from that timeline.

Why Mail Is Uniquely Terrible

Email isn’t like running a web server, a database, or a Git repo. Those things are mostly self-contained. Email is this sprawling, ancient, poorly-designed protocol that requires you to play ball with literally everyone else on the internet.

Specifically: you need to convince Gmail, Outlook, Yahoo, and a hundred other mail providers that your random IP address isn’t a spam bot.

Good luck with that.

The IP Reputation Problem

When you send an email from your self-hosted server, Gmail does a lookup. They check:

• Your IP’s reputation (has anyone else on this ISP been a spammer?)
• Your domain’s reputation
• Your SPF/DKIM/DMARC records
• How many emails you’ve sent before
• Whether you’re on any blacklists

If your IP is shared hosting, or your ISP is AWS (which has historically been a spam haven), or if you’re sending from a residential connection, Gmail’s going to be suspicious.

Here’s a real scenario: you’re hosting on a small VPS provider. Yesterday, someone else on that provider got hacked and sent spam. Your IP block got blacklisted. Your emails bounce for the next 48 hours. You didn’t do anything wrong. Doesn’t matter.

The Configuration Nightmare

Running a mail server means configuring:

• Postfix (SMTP — sends mail out)
• Dovecot (IMAP — lets you read mail)
• SPF, DKIM, DMARC (authentication protocols)
• Reverse DNS (PTR records, if your ISP even lets you set them)
• TLS certificates (for encrypted connections)
• Rate limiting (to prevent abuse)
• Spam filtering (Spamassassin, ClamAV, etc.)
• Greylist (to reject spam early)

Miss one of these, and your mail either doesn’t get delivered or gets marked as spam.

Here’s a basic Postfix config:

myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 127.0.0.0/8 [::1]/128

# DKIM
milter_protocol = 2
milter_default_action = accept
smtpd_milters = unix:/run/opendkim/opendkim.sock
non_smtpd_milters = unix:/run/opendkim/opendkim.sock

Now you need to generate DKIM keys:

opendkim-genkey -b 2048 -d example.com -D /etc/opendkim/keys/ -s default

Then add a DNS TXT record:

default._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBg..."

And SPF:

example.com. IN TXT "v=spf1 mx include:~all"

And DMARC:

_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"

This is just setup. Maintenance is worse.

The Ongoing Maintenance Tax

Your mail server needs:

• Security patches — every week, something new
• Blacklist monitoring — are you on Spamhaus? Why?
• Disk space — emails pile up fast
• Backups — what’s your recovery plan if the drive dies?
• Updates — Postfix, Dovecot, spam filters, all of it

And the second it breaks, all your email stops working. Not just incoming — outgoing too. Password resets bounce. Notifications disappear. Your apps can’t send alerts.

At 2 AM on a Sunday, you get to debug why Dovecot won’t start because a permission changed.

The Security Headache

Running a mail server makes you a target. Spammers will find it. They’ll probe for open relays. They’ll try to brute-force accounts. They’ll exploit Postfix zero-days.

Meanwhile, you’re running this on a homelab with “homeserver123” as the root password.

Common attacks:

• Brute-force on port 587 (SMTP Auth)
• Dictionary attacks on user accounts
• OpenRelay testing (trying to send mail through you)
• You getting blacklisted because spammers used your server to send spam

Your firewall might block port 25 anyway (most ISPs do).

Why You Actually Don’t Need This

Here’s what you actually need:

For incoming mail: Use a proper mail provider (Protonmail, Fastmail, even Gmail). They have spam filtering, they’re trusted.

For sending from your apps: Use SendGrid, Mailgun, AWS SES, or similar. $5-20/month gets you 100,000 emails. Bulletproof delivery. You’re not responsible for spam reputation.

# Instead of Postfix, just use SendGrid API
curl -X POST "https://api.sendgrid.com/v3/mail/send" \
  -H "Authorization: Bearer SG.xxxxx" \
  -d '{
    "personalizations": [{"to": [{"email": "user@example.com"}]}],
    "from": {"email": "noreply@example.com"},
    "subject": "Hello",
    "content": [{"type": "text/plain", "value": "Hi there"}]
  }'

Done. Reliable. Not your problem.

For your own email: Use a proper provider with proper infrastructure.

If You Absolutely Must

If you’re really going to do this (you shouldn’t), here are the non-negotiables:

1. Static IP address (most ISPs don’t give residential ones)
2. Reverse DNS set up (most ISPs block this)
3. Plan to spend 20+ hours setting it up
4. Plan to spend 2-4 hours per month maintaining it
5. Accept that legitimate mail will sometimes get marked as spam
6. Accept that at some point, you’ll lose emails

Or, and hear me out, use a managed mail provider and spend that time on literally anything else.

Your future self will thank you.