Welcome to the wild world of self-hosted email in the post-sense era.

This is more or less a guide to myself, telling me what I need to think about when setting up a mailserver.

Since I am not willing to run my own DNS server and my provider does not have an API for DNS entries, this process involves adding those entries manually.

UX should be:

  1. Start the mail server container
  2. The startup script ensures TLS certs and a DKIM key exist and prints the DKIM key to the console
  3. Add DNS records
  4. Server is ready to receive/send mail as soon as the DNS propagation is done

Basic Requirements

  1. A domain name
  2. Access to the DNS/reverse DNS (PTR) records of that domain name/ip address
  3. A Linux root server

Modern E-Mail security mechanisms

These mechanisms are the very reason why hosting e-mail servers is so complicated.

TLS 1.2 (Transport Layer Security.. duh..)

The TLS Certificate MUST match the domain name in the MX records.

DKIM (DomainKeys Identified Mail)

Each sending domain has a private/public key pair (plus a selector) and signs each outgoing message with the private key.

The public key gets published as a DNS record under that selector.

SPF (Sender Policy Framework)

DNS record for a domain that lists the IP addresses (or hosts) of the mail servers that are valid senders for it.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DNS record that specifies what a receiver should do with messages that didn’t validate (via SPF/DKIM).

MX (Mail Exchange)

DNS record that specifies which server receives mail for a given domain.

PTR (Pointer)

The reverse DNS record of the IP address must point back to the mail server’s host name.

MTA-STS (Mail Transfer Agent Strict Transport Security)

Ensures other servers only deliver mail to our MX over TLS 1.2+.

You’ll need to publish a policy file on a sub-domain, plus a DNS record that points to the policy file.

Getting started

For setting up the DNS records we will need a DKIM key, and DKIM integration is usually the tricky part.

The very first thing we need to do is set up the DNS records.

DNS Records

All of the following records need to be added to the DNS zone of your domain, e.g. example.com.

Standard domain to IP mapping

example.com will point to our web/application server

A: example.com -> [IPV4 Address]

AAAA: example.com -> [IPV6 Address]

Set up the mail sub-domain

mail.example.com will point to our mail server

A: mail -> [IPV4 Address]

AAAA: mail -> [IPV6 Address]

Set up the mail exchange

mail.example.com should handle all incoming mail for example.com

MX: example.com -> mail.example.com

Set up SPF

Only accept mail from our own hosts (the domain’s A record and the MX servers); everything else hard-fails (-all)

TXT: example.com -> v=spf1 a mx -all

DMARC

Policy: reject mails that don’t validate, with strict DKIM and SPF alignment

TXT: _dmarc -> v=DMARC1; p=reject; adkim=s; aspf=s

DKIM

Publish the public key of our DKIM key pair under its selector

TXT: [Selector Name]._domainkey -> v=DKIM1; t=s; p=[DKIM Public Key]

PTR (Reverse DNS)

The IP addresses of our mail server should point back to the mail.example.com host name

PTR: [IPV4 Address] -> mail.example.com

PTR: [IPV6 Address] -> mail.example.com

NOTE: Depending on your provider, you might have to set up reverse DNS records differently from the other ones.
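Before relying on DNS propagation, it helps to verify that the records above actually agree with each other (MX host resolves, PTR points back to it, SPF ends in -all, DMARC is strict, DKIM key is present). The following checker is an added example and not part of this guide's own startup script; it runs against a constructed in-memory zone rather than live lookups, so the addresses and the DKIM key are placeholders.

```python
import re

def parse_tags(txt):
    """Split a 'tag=value; tag=value' string (DKIM and DMARC records) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def check_mail_dns(zone, domain, mail_host, selector, ipv4, ipv6):
    """Return a list of problems; an empty list means the records agree with each other.
    zone maps (name, type) -> list of values; PTR entries are keyed by IP address."""
    problems = []
    if mail_host not in zone.get((domain, "MX"), []):
        problems.append(f"MX for {domain} does not name {mail_host}")
    for rtype, addr in (("A", ipv4), ("AAAA", ipv6)):
        if addr not in zone.get((mail_host, rtype), []):
            problems.append(f"{mail_host} has no {rtype} record for {addr}")
        if zone.get((addr, "PTR")) != [mail_host]:  # reverse DNS must match forward name
            problems.append(f"PTR for {addr} does not point back to {mail_host}")
    spf = [t for t in zone.get((domain, "TXT"), []) if t.startswith("v=spf1")]
    if len(spf) != 1:
        problems.append(f"{domain} needs exactly one SPF record, found {len(spf)}")
    elif "mx" not in spf[0].split() or spf[0].split()[-1] != "-all":
        problems.append("SPF must authorise mx and end with the hard fail -all")
    dmarc = parse_tags(" ".join(zone.get((f"_dmarc.{domain}", "TXT"), [])))
    if dmarc.get("v") != "DMARC1" or dmarc.get("p") != "reject":
        problems.append("DMARC record missing or policy is not p=reject")
    if dmarc.get("adkim") != "s" or dmarc.get("aspf") != "s":
        problems.append("DMARC alignment is not strict (adkim=s; aspf=s)")
    dkim = parse_tags(" ".join(zone.get((f"{selector}._domainkey.{domain}", "TXT"), [])))
    if dkim.get("v") != "DKIM1" or not re.fullmatch(r"[A-Za-z0-9+/=]+", dkim.get("p", "")):
        problems.append(f"DKIM selector {selector} missing or has no usable p= public key")
    return problems

# Constructed zone mirroring the records in this guide; addresses and key are placeholders.
EXAMPLE_ZONE = {
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("mail.example.com", "AAAA"): ["2001:db8::25"],
    ("example.com", "MX"): ["mail.example.com"],
    ("example.com", "TXT"): ["v=spf1 a mx -all"],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=reject; adkim=s; aspf=s"],
    ("mail._domainkey.example.com", "TXT"): ["v=DKIM1; t=s; p=MIIBIjANBgplaceholderKEY0123"],
    ("192.0.2.25", "PTR"): ["mail.example.com"],
    ("2001:db8::25", "PTR"): ["mail.example.com"],
}
```

To check a real zone, fill the same table from your resolver's answers (e.g. the output of dig for each name) and call check_mail_dns with your domain, MX host, selector and addresses.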

DKIM Tools