
(had to dig my comment out from under a flagged parent)

I self-hosted for well over 20 years, I did not throw in the towel and I do not plan to. Self-hosting is a sign of pride. Neither my government nor my Prime Minister nor even my Ministry of Interior or Foreign Ministry can host their own email.

Last time I checked, only State Security self-hosted.

I was probably lucky, but I rarely had delivery problems. The last one was a couple years ago with Microsoft swallowing my emails and it was due to the combination of a fairly old exim and a TLS certificate verification quirk at *.protection.outlook.com. I found a fix in the form of a configuration option somewhere on SO.

In all fairness, there is very little maintenance involved, and whenever I have to do maintenance work, I take the opportunity to learn something new. Like this year, I decided to finally replace my aging Debian jessie setup by Arch Linux, and I rewrote all cron jobs as systemd timers.

I must admit that when I send a really important email, I check the mail server log if it went off without errors, but this does not bother me as checking logs manually once in a while is a good thing anyway.

Lastly, a piece of advice: treat self-hosting like a hobby and learn to enjoy it.

Oh and the very last thing: the person who designed Exim configuration for Debian deserves a special place in hell for all the hours wasted. If you set up Exim on Debian, just figure out how to use the upstream exim config and adapt it to your needs.



> I decided to finally replace my aging Debian jessie setup by Arch Linux, and I rewrote all cron jobs as systemd timers.

Man, I wish I had 1% of the motivation I had 20 years ago to do something like this, before all the full time job, wife and child.


Don’t hurt me: Agentic coding tools like Claude Code or opencode helped me a lot to convert things to systemd units.


Stuff to keep you busy is always there, you can control what you spend the rest of the time on.


My first email usage was at University, pre-WWW. After that I briefly used some ISP email service, but that was at a time of very limited storage and POP-only accounts, so I started hosting my own email even before having an always-on internet connection, using a relay and dynamic DNS to receive email when online. Nowadays, I use a small VPS to route and receive email, but the final destination and storage is on my home server. Over the years, I had, like others here, to ask Outlook and other providers to unblock my IP or domain, but it has been rare.

I really don’t want to live in a world where only two or three companies run email for the entire world, and this is my little act of resistance.


outlook.com keeps sending me DMARC reports with failed DKIM... while every single other provider gives a pass to all domains. At this point I don't even care anymore.

Why is Microsoft so crappy?


They have a crappy internal DNS caching server in the email infra that times out early and returns NXDOMAIN for timed-out requests, causing a permfail for DKIM instead of a tempfail as the RFC suggests in case of DNS timeouts. This crap has been going on for years.
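The distinction the comment above draws, as an added example (not code from any commenter or from a real verifier): a DKIM public-key lookup classified the way RFC 6376 prescribes, with a wrapper that reproduces the described resolver misbehaviour. The resolver is injected so it runs offline; the zone data and key strings are constructed.

```python
# Added example: map the DNS outcome of a DKIM key lookup to the DKIM result.
# A transient DNS failure (timeout) must give TEMPFAIL so the mail is retried;
# only a definitive answer (NXDOMAIN, empty or non-DKIM record) gives PERMFAIL.

class DnsTimeout(Exception): """Transient: resolver gave up waiting."""
class DnsNxdomain(Exception): """Definitive: authoritative 'no such name'."""


def parse_dkim_record(txt: str) -> dict:
    tags = {}
    for part in txt.split(";"):          # 'v=DKIM1; k=rsa; p=...' -> dict
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def dkim_key_status(resolver, selector: str, domain: str) -> str:
    """Return 'ok', 'tempfail' or 'permfail' for <selector>._domainkey.<domain>.
    `resolver(name)` returns the TXT string or raises one of the exceptions
    above; it is injected so the check can run without network access."""
    try:
        txt = resolver(f"{selector}._domainkey.{domain}")
    except DnsTimeout:
        return "tempfail"   # retry later, do not reject the message
    except DnsNxdomain:
        return "permfail"   # the key really is not published
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1" or not tags.get("p"):
        return "permfail"   # not a DKIM record, or key revoked (empty p=)
    return "ok"


def timeout_as_nxdomain(resolver):
    """Wrap a resolver so timeouts surface as NXDOMAIN: the caching-resolver
    behaviour described above, which turns TEMPFAIL into PERMFAIL."""
    def wrapped(name):
        try:
            return resolver(name)
        except DnsTimeout:
            raise DnsNxdomain(name) from None
    return wrapped


# Constructed sample zone (public key truncated, purely illustrative).
SAMPLE_ZONE = {
    "s1._domainkey.example.net": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN",
    "old._domainkey.example.net": "v=DKIM1; k=rsa; p=",
}

def sample_resolver(name: str) -> str:
    if name == "slow._domainkey.example.net":
        raise DnsTimeout(name)          # simulate a query that never answers
    if name in SAMPLE_ZONE:
        return SAMPLE_ZONE[name]
    raise DnsNxdomain(name)
```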


They want you to use outlook.


It’s amazing how today we have social networks bending backwards to be able to call themselves “open” and “decentralised” when we already have all the tools we need to be truly independent.

I think when we’re building something with “good UX” the major point of “does this remove agency from users” is somehow missing from the picture. When everything runs on some kind of system, it’s not extraordinary to expect people to know how it works and maybe be able to do it themselves.

Otherwise, fast forward a decade of simplifications, and we can’t even install an app without someone on the other side of the world approving the “transaction”.


> treat self-hosting like a hobby and learn to enjoy it.

This is why I have stepped away from a lot of my self hosting. I have turned my attention/time elsewhere. Apparently though the time/money balance is shifting a bit again, so it may be worth it to go back.

My biggest hesitance to self hosting email specifically is dealing with spam. What does that look like these days and do you have any pointers to share?


> My biggest hesitance to self hosting email specifically is dealing with spam. What does that look like these days and do you have any pointers to share?

Postfix can easily be configured to reject incoming emails from senders without a reverse DNS mapping for their IP address, which makes it reject a lot of spam.

For spammers with a reverse mapping, greylisting still works fine; they almost never retry.

Certain commercial spammers (hello China :-0) use software which can be filtered with just one rule matching their sending software, which is "nice" enough to display its name in their mail headers.

And last but not least spamassassin / rspamd work fine to filter whatever comes through.

In the end I get less than 10 spam emails per week. And these go into a separate mailbox filtered by good old procmail, based on spamassassin's ratings. I check the spam inbox maybe once a week for false positives and more often than not the box is empty.
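The filtering order described in the comment above, as an added example (not the commenter's setup or any MTA's code): one decision function that applies the reverse-DNS check, greylisting on the (client IP, sender, recipient) triplet, and the sending-software header rule before handing the message to the content filter. A real MTA applies the first two at RCPT time and the header rule at DATA time; the header pattern and delay values are constructed.

```python
# Added example: inbound policy in miniature.  Order: no reverse DNS ->
# reject, unknown triplet -> greylist, known spam-software header -> reject,
# otherwise accept and let spamassassin/rspamd score it.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

GREYLIST_DELAY = 300          # seconds a sender must wait before retrying
GREYLIST_EXPIRE = 86400 * 7   # forget triplets that were never retried
# Constructed header prefix; real spam-software names vary.
SPAMWARE_HEADERS = ("X-Mailer: SampleBulkSender",)

@dataclass
class Envelope:
    ip: str
    sender: str
    recipient: str
    ptr: Optional[str]                 # reverse-DNS name, None if none exists
    headers: tuple[str, ...] = ()

@dataclass
class GreylistState:
    first_seen: dict = field(default_factory=dict)   # triplet -> timestamp

def inbound_policy(env: Envelope, now: float, state: GreylistState) -> str:
    """Return an SMTP-style verdict for one delivery attempt."""
    if not env.ptr:
        return "550 reject: no reverse DNS for client IP"
    triplet = (env.ip, env.sender.lower(), env.recipient.lower())
    seen = state.first_seen.get(triplet)
    if seen is None or now - seen > GREYLIST_EXPIRE:
        state.first_seen[triplet] = now        # first contact: ask for a retry
        return "450 greylisted: try again later"
    if now - seen < GREYLIST_DELAY:
        return "450 greylisted: retried too early"
    for h in env.headers:                      # legitimate MTAs retry; most spamware won't
        if h.startswith(SPAMWARE_HEADERS):
            return "550 reject: known spam software"
    return "250 accept: pass to spamassassin/rspamd"
```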


> Postfix can easily be configured to reject incoming emails from senders without a reverse DNS mapping for their IP address, which makes it reject a lot of spam

Historically some corporate domains ignore that rule (yea, in 2025!), so I would advise not to reject any email and to run everything through a spam analysis daemon. This way you won't lose any email at the expense of elevated load on your server.


The biggest issue isn't necessarily spam, it's proving you aren't spam.


If only we treated ads like we treat emails! Our world could probably be a bit of a better place to live in.


I use a combination of DNSBL and SpamAssassin. Nowadays Rspamd is supposed to be better than SpamAssassin, but SpamAssassin has served me well enough so far, and I haven't gotten around to trying out Rspamd. When a spam email gets past SpamAssassin, I copy it to a special folder, which gets processed by a cron job to train SpamAssassin on it (sa-learn).

Overall the mail server is very low maintenance. I had to add SPF and DMARC a couple years ago (DKIM isn't necessary) and integrate TLS with letsencrypt (just a few lines in a config file), and sometimes a Debian upgrade requires reviewing the configuration (several years apart as well). There's really not that much to do.


I’m not sure that there is any pre made product for this, but I’ve been playing around with LLMs to identify spam, or just generally sorting emails for you. And even the self hosted models seem to be pretty good at classifying emails even without external information like spam blacklists or IP reputation.


Naive Bayes classifiers have been working fine for decades.


I think LLMs, even local ones, are probably way overkill for identifying spam or sorting/classifying emails.


rspamd is my go-to solution. Out of the box you get a lot of protection. I use Exim as my MTA but I suggest you use Postfix if you are starting from scratch, only because you will find a lot more write-ups on it.

The biggest issue is getting an IP address which is not in the banned lists. IP reputation is key along with SPF and do not send spam!

In the UK a "business" static IP address is sometimes/usually/probably/might be OK. If you are unfortunate then it is already in the lists and you can check that out at point of sign up.

You might look into IPv6 too. I managed to do the Hurricane Electric IPv6 email thing on my home connection for a laugh. That was a few years ago. It seems I need to do something more to get to Guru status.


I've been lucky never to get very much spam to my self-hosted domain, but it went to zero once I implemented geo-IP blocking for a few obvious countries and has stayed that way ever since.


I have been self-hosting for about 25 years. I remember the protection.outlook.com issue. Once there was an issue with a bank that tried to do encryption, but used an expired certificate. But once I told them what the problem was, and that it was a problem for paying customers, they actually fixed it.

Being able to check the server log can be very useful. E.g. to tell someone that their mail was delivered to a server using their domain name, with that IP address at that time.


Email for me is a critical service, and the reasons I stopped self hosting after about 15 years are:

1. Because I couldn't ensure consistent backup and restore with regular monitoring,

2. no disaster recovery plan and in doing so it'd be more expensive than going through another email provider,

3. not always on top of security (my friend that I colo'd with also ran an email server and his system was struck with ransomware (with no backup [except a copy of email via thick client] or DR); I seemed to get away unscathed because I was using FreeBSD, which is generally less of a target).

I agree that it is little maintenance, but once you're off the happy path, it can be a huge pain in the arse and devastating.


DR: MX and retry

Email has easily one of the best responses to failure modes ever and it's ancient!

Most smtp daemons will put outbound emails in a queue and run the queue. If the other end is unavailable then it will generally retry on a schedule with some sort of increasing period and then give up after a week or so.

You can easily define multiple inbound relays via your MX records which predate SRV and generic TXT and are supported everywhere.

I've run a lot of other people's email, including my own vanity domains for decades. It really isn't rocket science.

Google and MS and Co really don't screw you around if you follow the rules and that largely involves only SPF being compulsory and the rest (DKIM n that) are nice to have. If you do send spam then you will be crucified and rightly so.

Email is not a critical (it's important) service because of course you have several other means of communication, starting off with the SIP n RTP server you also run ... 8)
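The queue-and-retry behaviour the comment above describes, as an added example (not any MTA's code): MX hosts tried in preference order, a failed delivery re-queued with an increasing delay, and the message bounced once it has sat in the queue for a week. The backoff constants and MX records are constructed, and a set of "reachable" host names stands in for hosts that answer on port 25.

```python
# Added example: outbound queue logic in miniature.
from __future__ import annotations
from dataclasses import dataclass, field

MIN_BACKOFF = 15 * 60          # first retry after 15 minutes (constructed)
MAX_BACKOFF = 4 * 3600         # never wait longer than 4 hours between tries
MAX_QUEUE_LIFETIME = 7 * 86400 # give up after a week, as most MTAs do

def order_mx(records: list[tuple[int, str]]) -> list[str]:
    """Lowest MX preference value first; ties keep their input order."""
    return [host for _, host in sorted(records, key=lambda r: r[0])]

def next_delay(attempts: int) -> int:
    """Exponential backoff: 15m, 30m, 1h, 2h, 4h, 4h, ..."""
    return min(MIN_BACKOFF * 2 ** attempts, MAX_BACKOFF)

@dataclass
class QueuedMail:
    queued_at: int                      # seconds since epoch, when first queued
    mx: list[tuple[int, str]]           # (preference, host) as returned by DNS
    attempts: int = 0
    next_try: int = 0
    log: list[str] = field(default_factory=list)

def try_delivery(msg: QueuedMail, now: int, reachable: set[str]) -> str:
    """One queue run for one message.  Returns delivered/deferred/bounced."""
    if now < msg.next_try:
        return "deferred"               # not due yet, leave it in the queue
    for host in order_mx(msg.mx):       # fall through the relays in order
        if host in reachable:
            msg.log.append(f"{now}: delivered via {host}")
            return "delivered"
        msg.log.append(f"{now}: {host} unreachable")
    msg.attempts += 1
    if now - msg.queued_at >= MAX_QUEUE_LIFETIME:
        msg.log.append(f"{now}: giving up, bouncing to sender")
        return "bounced"
    msg.next_try = now + next_delay(msg.attempts - 1)
    return "deferred"
```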


I agree with that aspect of DR; I guess I was more thinking of availability, in that I can probably handle a few hours of not receiving emails, but if it goes longer than a day or so then I'd be pretty miffed. Like I said it's all doable, but it requires a lot of effort, and is probably best not left to someone running a one man show, and once you have more than one person you likely now have to deal with trust and expenses.

> I've run a lot of other people's email, including my own vanity domains for decades. It really isn't rocket science.

Again, so have I, and as I said the happy path is always easy, it's when things go wrong, and I'm not even talking about IP reputation or any of the usual issues that people bring up running email.

> Email is not a critical (it's important) service

Really depends; I still have many services such as banking where I need to use auth codes, also a lot of security is tied to my email in terms of private comms and recovering services.

Suppose your email service went down and the people you run email for complain, do you tell them "oh don't worry it's not a critical service, you can still communicate over other mediums"? Would that work for say gmail?


I had a client domain banned by Gmail due to a missing DKIM, even though they had fewer than 1000 emails per month and SPF was correctly set up a decade ago. The bounce message explicitly said they are bouncing because DKIM is missing.


I suspect there is more to this than meets the eye.

I have had a Gmail email account since they were invite only back in the day and I run my company email system and by my company I mean my (ie MD) so I'm quite keen on it working.

I recently migrated the whole shebang to MS365 from Exchange on prem. I have kept our MX records pointing to our on prem SMTP daemon (Exim). That means that I can redirect mail to mailboxes as I wish - I am not beholden to MS. Several addresses end up being delivered to an on prem imapd (Dovecot).

Anyway, I did set up DKIM when it was invented and then DMARC and then I ditched them because it messed up with mail lists. That has all been sorted but I still don't have DKIM on my company domain.

I have never set up DKIM on my personal vanity domain collection. The only recent fix I had to carry out was to fix up reverse DNS (PTR record) for an SMTP/MX address. That is proper old school and only one recipient domain even noticed and dropped mail.

The bounce message you received may have said DKIM but it may have been lying or simply that was the last thing that went wrong or whatever.

The big email systems are run by reasonable people who do not discriminate against well run tiddly email systems. They will absolutely crap on spammers inbound (despite hosting them) and IP reputation is king. There are a lot more rules too and it is rare that any transgression is final - pretty much all systems are score based rather than absolute on one failure.


I had my email banned by Yahoo because I would get rate limited and I didn't have a way of surfacing those messages (huzzah opensearch).

What got me out entirely was when I attempted to send an email to a colleague at a random ass no name university and my email was flat out rejected with no way to reach out to the administrators. I wouldn't have cared if it wasn't such a unique project (oil and gas exploration using ML). I have not self hosted email (in earnest) since that day over 10 years ago.


> Email for me is a critical service

This is exactly why I only trust myself to do it. I almost lost my gmail account a couple of times in the past, and every time it was quite stressful. Since then, I use gmail as a backup email provider, that is, pretty much never.

Due to the way mail servers work, you have a couple of days to sort out your troubles before you will start missing emails. At worst, you can always buy Google for Work or some other SaaS and point your MX servers there.

Backup is always a hard problem, but I got to live with Hetzner Cloud backing up my VMs, Hetzner Backup boxes as restic backup targets and a tiny Celeron server in the laundry closet for local backups.


> This is exactly why I only trust myself to do it.

In theory that makes sense; one thing I specifically omitted as to why I stopped running my own service is that in the past, in a bout of paranoia due to the onset of a mental condition, I literally rm -rf'd my laptop, including a lot of files that were unrecoverable. Thankfully I didn't do this to my server at the time. Even though I've been stable for a long time, all it takes is a relapse (or even just a lapse of judgement) and boom, your servers (and backups) become vulnerable.

I also don't trust that I can secure my systems and backups better than a company that dedicates itself to running a service for multiple users and has dedicated security/infrastructure teams. Sure I've never actually had an issue, but as with the anecdote of my friend, it just takes one failure. Also economies of scale help with security; it is easy for an attacker to exfil or do damage to a smaller corpus of data (few to no customers [users]), than a large corpus of data across 1000s of customers.

I wouldn't trust a free service or a service that doesn't provide adequate support such as Microsoft or Google, but there's obviously a good selection of email providers out there that do an excellent job, much better than those self-hosting because they work with economies of scale.


Configure the DMARC reports; they tell you a lot, and automatically, about why someone swallowed your mail.
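What those reports contain and how to read them, as an added example (not code from any commenter): a parser for a DMARC aggregate (RUA) report in the RFC 7489 appendix C format, with two summaries that answer the questions raised further up the thread, namely which source IPs fail both SPF and DKIM alignment, and how many messages a receiver marked DKIM temperror (the DNS-timeout symptom). The report itself is constructed and trimmed to the elements the parser reads.

```python
# Added example: DMARC aggregate report parsing.
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (IPs from documentation ranges).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.net</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <auth_results><dkim><domain>example.net</domain><result>temperror</result></dkim>
      <spf><domain>example.net</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.9</source_ip><count>3</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <auth_results><spf><domain>other.test</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""

def parse_dmarc_report(xml_text: str) -> dict:
    """Return {'org', 'domain', 'rows'} with one row per <record>: the
    message count, the receiver's alignment verdicts and raw DKIM results."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        pe = rec.find("row/policy_evaluated")
        rows.append({
            "ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "disposition": pe.findtext("disposition"),
            "dkim": pe.findtext("dkim"),            # aligned DKIM: pass/fail
            "spf": pe.findtext("spf"),              # aligned SPF: pass/fail
            "dkim_raw": [d.findtext("result") for d in rec.findall("auth_results/dkim")],
        })
    return {"org": root.findtext("report_metadata/org_name"),
            "domain": root.findtext("policy_published/domain"), "rows": rows}

def failing_sources(report: dict) -> dict:
    """Messages per IP that failed both alignments: the ones a receiver
    actually quarantines or rejects under p=quarantine / p=reject."""
    out = defaultdict(int)
    for r in report["rows"]:
        if r["dkim"] != "pass" and r["spf"] != "pass":
            out[r["ip"]] += r["count"]
    return dict(out)

def dkim_temperrors(report: dict) -> int:
    """Messages whose DKIM check ended in temperror, i.e. the receiver's
    DNS lookup for the key failed transiently rather than definitively."""
    return sum(r["count"] for r in report["rows"] if "temperror" in r["dkim_raw"])
```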


I'm thinking of self-hosting email sending for my applications. Does anyone know if, with DMARC/DKIM, email reputation moved from the IP to the domain? If I can make sure only my server can send mail from my domain, shouldn't the sending IP then be irrelevant?


Correct, I often set up SPF/etc with the domain, no IP.


The sending IP remains very relevant; it may be in a third-party blacklist (RBL) or site local blacklist due to prior spam from said IP or even nearby IP(s). Let's have a look through /var/log/maillog... okay that didn't take long.

    $ rubbled 86.54.42.238
    86.54.42.238 zen.spamhaus.org. XBL (exploit)
    86.54.42.238 zen.spamhaus.org. 127.0.0.9
    86.54.42.238 zen.spamhaus.org. SBL (spammers)
Spammers can set up DMARC, and have too many domains, so blocking by IP or ASN remains relevant (no legit email from that spammy country? Ban the country!). Reverse DNS is also important, as spammers have sent too much spam (shocking, I know) that some users complain about, a lot, so: no valid reverse DNS, no service. IP addresses or domains that are "too new" may also be a problem, or some sites will want you to fill out random webforms or talk to their support idiots (Hi, Microsoft! No, me logging into some cloud thing of yours was utterly irrelevant to the problem), and all this and more amounts to a lot of rakes you need to not step on to get email set up right.

Yes, I self-host email. Gmail was routing OpenBSD mailing list traffic to the spam "folder", and self-hosting that email was easier than fighting with some rink-a-dink web UI.

Oh, one time about half the customers were in Google and the other half in Microsoft and Google and Microsoft were having some mail snit so yeah good luck getting some of those mails through. That took a while to clear up, and what can you do?


Oof, thanks, I'll keep paying someone then :(


Same here. Don't wanna piss on your party but I don't see any particular pride. Prime minister or any minister for that matter are pretty pathetic positions in my books, but that's a totally different conversation.

No delivery problems if you set up everything correctly. It's not luck, just the same reason why a well-maintained car runs smoother than something that's seen its last maintenance 100,000 miles ago.


Hear, hear!



