Is self-hosting an email server really that bad?

I looked around quite a bit for any topics on this, but couldn’t find anything. Feel free to point me in the direction of one if i just missed it!

Anyway, I feel like every time I’ve stumbled upon the subject, the common consensus is that self-hosting an email server is difficult, insecure, not worth the effort, etc. But is this actually the case? Is it really any different than hosting other services accessible outside of one’s own network? Is there some glaring issue that I’m missing?

In an ideal world, I’d host all the services that house the bulk of my data, but I’m wondering if that just won’t be viable for email.

I usually hear that from individuals speaking from experience. Personally, my downtime percentages are high enough I know I can’t self-host email. By it’s nature it needs >99.9% uptime. I’m not capable of that, and I imagine you’d have to come up with your own comfort level there.

Well, not really. The mail server on the other end will retry for days (or sometimes longer) if it’s unable to deliver a message to your server. In reality it’s kind of the opposite, email was designed for downtime to occur from the get-go.

Of course if you need to access your email at all times 100% of the time then your server being down wouldn’t be good. But downtime shouldn’t incur message loss by any means.

To answer the OP, I’ve never ever had any issues with self-hosted email when using a Mailcow configuration and following all of their recommendations.

I find that you have to get to a certain level of knowledge to do these kinds of things competently and comfortably.

Two important scenarios come to mind that dissuades me from self hosting email:

• explaining to a judge in your own trial why you missed your subpoena to appear in court in another trial.
• explaining to the bank (or other important institution) that they should refund your money because you did not receive their email warning about suspicious login.

Thanks for your input! However, you didn’t really get at the details of your answer. Can you elaborate a bit further? Why would you be expecting to miss these emails in the first place? What are the drawbacks to self-hosting an email server that would cause such situations?

As @anon89321548 have said, you need a 99.9% uptime, meaning if you decide to self host it, you need to make sure it doesn’t go offline at all, lest you miss important emails.

That and the constant need to patch it for security updates without breaking takes proper knowledge and skill.

Ah, so you disagree with @jonah that emails shouldn’t be missed unless one’s server has days of downtime?

On your point about updates though, this is the type of thing i was trying to get at in my original post. Am I just completely underestimating this? Would updating the server be that different than updating other services I host, or even my computer, especially when using something like the aforementioned mailcow?

Would love examples on both these points, if you have them! Sounds like you have some more experience with this than I do.

I dont work in tech so my knowledge in actual server maintenance isnt good.

Im just an enthusiast that knows just enough to be dangerous. Recently I had a server mishap and lost valuable data.

With this recent event, I can confirm to myself that I should not be trusted with this.

There is also the issue of your messages being marked as spam by the bigger players when you self host from a home lab. IIRC there are ways to mitigate these, but these are additional barriers and obstacles to self hosting. There are probably more issues.

Im not discouraging you have a desire to learn these. But do try to run an email service yourself as practice for a full year before jumping all in with full self hosting with zero knowledge and experience.

Did you self-host at home, or on a VPS? Did you have any emails with your mails being marked as spam?

@jonah - bumping ^ as you seem to be the only one here so far with personal experience. Hopefully not too pushy, I’ve just found out that my current provider is going to remove their free tier in a month so I’m trying to make a decision pretty soon here

For what it may be worth (probably not much), I tried self-hosting my own mail a good few years ago on the cheapest VPS I could find. If memory serves, receiving mail wasn’t too big a deal, but sending always felt fraught with danger. Even with receiving I always had a nagging doubt I’d miss something important, and I could never be confident a message I’d sent to someone had got through. (Just because the e-mail server at the other end accepts it and you can see that in the logs, it doesn’t mean it hasn’t quietly thrown it on the floor or at least dumped it in the recipient’s spam folder.)

It felt like the reality was that even if I was technically in the right (following the RFCs, sending from a static IP which wasn’t used by spammers, etc), e-mail delivery is a game where the actual rules are set by the big boys and as a self-hoster if your e-mail doesn’t get through, tough.

I can understand the desire to keep your data under your own control. Would a compromise be to run your own mail server for accepting deliveries of mail to you, and using an SMTP service provided by one of the “recognised” players to send?

I try to assume e-mail is read in transit by pretty much anyone and everyone. Even if it’s not read in transit, half the time the other end is going to be a Big Tech address and so Google/Microsoft/etc are going to see the content whatever I do. So the main benefit IMO to self-hosting is preventing the e-mail provider or anyone who can hack the service getting hold of my data en masse.

For me, I just try to pay for hosting - in the vague hope that they’re less likely to data mine it if I’m a customer - and try not to keep too much old mail on my provider’s server in case they get hacked - I bulk move it to local folders on my home PC every now and then. I’d probably do the same even with my own server, since it would be online almost constantly and I’m probably less likely to keep it up to date with security patches than a paid provider with 24/7 staff etc.

Thanks for your input! That all makes sense to me. I’ll of course have the same backup email addresses that I already do, and I can probably count the number of emails I send a year on one hand… All-in-all, it’s not sounding like a bad choice when all I want to do is receive emails without having to pay for the privilege, in one way or another.

Hm that makes me wonder, is it even worth it?

I mean you could get a provider like Protonmail, Mailbox.org, Tutanota or Skiff that uses zero knowledge encryption. Of course, there’s still the moment when you receive an unencrypted email or send an unencrypted email where you basically have to trust them to not make a copy of the unencrypted email.

Because in your scenario, you still have to trust the the VPS hoster and (if applicable) the SMTP relay who could also theoretically access your data.

The problem is getting other mail servers to trust you enough. It’s easy to get spam filtered when self hosting.

It’s not bad at all. I self-host my email server for more than a decade with a simple machine at Linode using Dovecot, Postfix, rspamd. Always using industry best practices whenever possible. I use the $12/month option with 2GB RAM, and have also some other productivity tools running on there. Plenty for personal use, and the stability / up-time of Linode is completely fine, there is no email getting lost.

That being said, I’d only ever do it if hosting an email server actually is something you really want to do because you like administering servers. And I wouldn’t host it from home, unless of course you get your own PI IP space and maybe you could peer via a tunnel to some upstream provider. But using the IP addresses from your residential ISP connection is just asking for trouble imo.

Thanks for the input!

Can you give a couple examples?

Do you mean trouble from the ISP not liking it or more from a security perspective? If the latter, can you elaborate?

Mh yeah, not all, but a couple of the most obvious ones would be:

• Secure environment (up-to-date OS, packages, security-hardened config, strict firewall, fail2ban etc.)
• Filter incoming and outgoing mail with rspamd, ClamAV, olefy, DNSBLs or similar tools
• Use SPF, DKIM signatures, DMARC reporting, DANE/TLSA records, MTA-STS policy and monitor reports regularly to ensure correct implementation. Also configure rDNS.
• Fully deploy DNSSEC to own domain and run a resolver that strictly checks it on your server (otherwise DANE checks do not make sense anyway)
• Run some light monitoring of server itself, DNS entries etc. from external to ensure everything is running stable
• Make it obvious for operators of other networks how to contact you in case of abuse etc., even if you would never send any spam

But I also know even in this small basic list there are already some controversial items included, ultimately it makes sense to run your own stuff when you become so opinionated on the tech behind it that you really want to do it yourself I guess.

For an email server, a core issue is IP reputation. IP blocks from ASes used for residential internet access usually are not what you want. You also don’t really want your IP address to be changing ever, which might happen with residential internet access. Also it’s quite unlikely you can configure rDNS correctly for your server. And lastly, chances are other email servers don’t accept email from a residential IP address anyway, even if you’re doing everything by the book.

Whether your ISP cares or not, that completely depends. They probably wouldn’t guarantee a good uptime for a residential internet connection, though. But you might not care, especially for email which is quite robust anyway. The overall chance of ever having an incident where incoming emails are lost is probably a bit higher on a residential connection vs. a professional data center, though.

Security-wise, that’s completely up to you. There are people running crazy elaborate homelabs. You certainly have more room for screwing something up, but it’s not inherently more insecure I guess. Physical security might be worse than a data center, though, because your house assumably has worse access control, is not as fire-proof etc. but off-site backups are a good idea anyway regardless of where you’re hosting.

So to sum up my opinion (again), I would only consider hosting at home:

• with an external IP of the server not from my ISP but instead some other upstream (for example you could rent a cheap VPS to act as a router and then tunnel from your home to there)
• if I had even more time and motivation, and hosting an email server at Linode already consumes a lot of both as far as I’m concerned.

I must admit I have never really looked at stuff like https://mailcow.email or other similar projects, though. Diving into every config file / every little knob that can be turned on my own probably takes me more time than if I’d use some pre-configured solution. But then again, I’d probably also be fine with letting mailbox.org or someone else do all the work for me anyway. Ultimately this of course depends on your motivation. If all you really want is just host an email server for yourself, then the only solution to that issue is doing it despite whatever pro/contry arguments there are.