
Ask HN: Is it possible to run your own mail server for personal use? - jdmoreira
Recently I decided that I wanted to run my own MTA. Downloaded qmail, applied a couple of patches and it was done. The problem is making sure my mail is not marked as spam by the major MTAs out there, gmail and hotmail both mark my mails as spam. So far I've:

- made sure I'm not running an open relay (obviously)

- made sure a reverse lookup to my IP matches my host

- made sure my IP wasn't already in any spam IP blacklist

- added SPF

- added DKIM

- run a lot of tests at glockapps.com

It's still not enough. I don't know what else to do, is it possible to run your own MTA, for personal use in 2016? Who, here, is doing it successfully?
======
Nux
It's absolutely possible to run an email server in 2016 and I encourage anyone
capable to do so!

Email is one of the bastions of the decentralised Internet and we should hang
on to it.

Every day more and more people are moving to Gmail/Hotmail/Outlook and while I
do understand the reasons, it also puts more and more power into the hands of
these providers and the little guy (us) gets more screwed (like marked as junk
by default by them :< )

Having said that, here's my check list for successfully delivering email:

\- make sure your IP (IPv6) is clean and not listed in any RBL, use e.g.
[http://multirbl.valli.org/](http://multirbl.valli.org/) to check

\- make sure you have a correct reverse dns (ptr) entry for said IP and that
ptr/hostname's A record is also valid

\- make sure your MTA does not append to the message headers your client's IP
(ie x-originating-ip), messages can be blocked based only on "dodgy"
x-originating-ip (see eg [https://major.io/2013/04/14/remove-sensitive-
information-fro...](https://major.io/2013/04/14/remove-sensitive-information-
from-email-headers-with-postfix/) )

\- set up SSL properly in your MTA, there are so many providers giving away
free certs nowadays

\- SPF, DKIM, DMARC - set them up, properly, this site can come in handy for
checking yourself [https://www.mail-tester.com/](https://www.mail-tester.com/)

\- do not share the IP of your email server with a web server running any sort
of scripting engine - if it gets exploited in any way usually sending spam is
what the abusers will do

\- last but not least - and while I loved qmail and vpopmail - use Postfix or
Exim, they are both more fit for 2016, more configurable and with much, much
larger user bases and as such bigger community and documentation.

HTH
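
An added example (mine, not Nux's setup or the code from the linked major.io post) of the header-stripping item in the checklist above: it drops X-Originating-IP and similar client headers, plus the Received: line the MTA itself adds for an authenticated submission, which is where the submitter's home IP ends up. The message it runs on is constructed for the demo; the header names and the "with ESMTPSA" match are the same things the Postfix header_checks approach keys on.

```python
# Added example (not from the thread): drop headers that leak the submitting
# client's address before mail leaves the MTA, the same effect as the Postfix
# header_checks rules Nux links to. The message below is constructed for the demo.
import email
import re
from email.message import Message

# Client-side headers that are never needed for delivery.
LEAKY_HEADERS = {"x-originating-ip", "x-mailer", "user-agent"}

# The Received: line an MTA adds for an authenticated submission ("with ESMTPSA"
# or "with ESMTPA") is the one carrying the user's home/office IP; Received:
# lines for MTA-to-MTA hops ("with ESMTP", "with ESMTPS") are kept.
SUBMISSION_RECEIVED = re.compile(r"\bwith\s+E?SMTPS?A\b", re.IGNORECASE)


def should_keep(name: str, value: str) -> bool:
    lname = name.lower()
    if lname in LEAKY_HEADERS:
        return False
    if lname == "received" and SUBMISSION_RECEIVED.search(value):
        return False
    return True


def sanitize_headers(raw: bytes) -> Message:
    """Return the parsed message with leaky headers removed; the body is untouched."""
    msg = email.message_from_bytes(raw)
    kept = [(n, v) for n, v in msg.items() if should_keep(n, v)]
    for name in {n for n, _ in msg.items()}:
        del msg[name]          # deletes every occurrence of that header
    for name, value in kept:
        msg[name] = value      # re-add the survivors in their original order
    return msg


# Constructed message as it looks on the sender's own MTA right after submission.
SAMPLE = b"""Received: from [192.0.2.55] (cpe-192-0-2-55.isp.example [192.0.2.55])
  by mail.example.org (Postfix) with ESMTPSA id 4C2F7; Tue, 7 Jun 2016 09:59:58 +0000
Received: from webmail.example.org (localhost [127.0.0.1])
  by mail.example.org (Postfix) with ESMTP id 4B1A1; Tue, 7 Jun 2016 09:59:57 +0000
X-Originating-IP: 192.0.2.55
X-Mailer: Example Client 1.0
From: alice@example.org
To: bob@example.net
Subject: hello

body
"""

if __name__ == "__main__":
    print(sanitize_headers(SAMPLE).as_string())
```

Run it and the only Received: line left is the localhost hop; the DSL address 192.0.2.55 no longer appears anywhere in the message. Do this on the submission path only (Postfix: the header_checks on the submission service), not on inbound mail, where the Received: chain is evidence you want to keep.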

~~~
jwr
> Email is one of the bastions of the decentralised Internet and we should
> hang on to it.

This.

I hope someone will eventually create an "E-mail server in a box" package for
Ubuntu LTS, so that more people can run their own E-mail. I'm not saying it
has to be super-easy for everyone, just that it should avoid unnecessary chore
work (like configuring postfix to always use TLS, or plugging postgrey into
postfix).

~~~
simon_acca
As long as you know Docker, this is pretty much what you are asking:
[https://github.com/tomav/docker-mailserver](https://github.com/tomav/docker-
mailserver). I use it in combination with the rainloop webmail client:
[https://github.com/jprjr/docker-rainloop](https://github.com/jprjr/docker-
rainloop).

Everything is configured with a single docker-compose, read about it here:
[https://news.ycombinator.com/item?id=11748036](https://news.ycombinator.com/item?id=11748036)

~~~
Kequc
What is it if anything that happens if my internet cuts out at my home, should
I instead use some sort of hosting provider for my mail server?

~~~
OJFord

> What is it if anything that happens if my internet cuts out at my home,

You bounce any incoming emails in that period, and (obviously) can't send any.

> should I instead use some sort of hosting provider for my mail server?

I suppose that's a trade-off against how reliable you consider your ISP and
electricity supply, and the volume or importance of email you'd be likely to
receive in such a period.

~~~
teddyh
Bounce? No. The servers trying to send mail to your server will retry for up
to, typically, four or five days, before _they_ bounce the mail back to the
sender.

Mail was written to be _resilient_ against network downtime.

~~~
robertely
That's why you _soft_ bounce. It tells the sender that you can't receive the
email _at this time_.

~~~
philtar
Pretty sure you can't do anything when you're not connected to the internet.

~~~
sbierwagen
A connection timeout is a soft bounce.

[https://tools.ietf.org/html/rfc5321#section-4.5.4.1](https://tools.ietf.org/html/rfc5321#section-4.5.4.1)

       The sender MUST delay retrying a particular destination after one
       attempt has failed.  In general, the retry interval SHOULD be at
       least 30 minutes; however, more sophisticated and variable strategies
       will be beneficial when the SMTP client can determine the reason for
       non-delivery.

       Retries continue until the message is transmitted or the sender gives
       up; the give-up time generally needs to be at least 4-5 days.  It MAY
       be appropriate to set a shorter maximum number of retries for non-
       delivery notifications and equivalent error messages than for
       standard messages.  The parameters to the retry algorithm MUST be
       configurable.
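
As an added illustration of the retry behaviour quoted above (example code, not from any poster): a sending MTA's queue loop with the RFC 5321 numbers as constants. Delivery outcomes are injected callables so it runs offline; a connection timeout and a 4xx reply are both soft failures that keep the message queued, and only a 5xx reply or reaching the give-up time produces a bounce. The backoff shape and the 4 hour cap are a sample policy, not values from the RFC.

```python
# Added example (not from the thread): a sending MTA's retry loop for one queued
# message, following the RFC 5321 4.5.4.1 numbers quoted above. Delivery outcomes
# are injected so it runs offline; the schedule constants are a sample policy.
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

MIN_RETRY = 30 * 60            # "retry interval SHOULD be at least 30 minutes"
MAX_RETRY = 4 * 60 * 60        # cap the backoff so a long outage is re-probed every 4 h
GIVE_UP = 5 * 24 * 60 * 60     # "give-up time generally needs to be at least 4-5 days"

Outcome = Tuple[str, Optional[int]]   # ("ok" | "temp" | "perm", SMTP code or None)


@dataclass
class QueueEntry:
    recipient: str
    queued_at: int = 0               # seconds; a real MTA uses wall-clock time
    attempts: int = 0
    log: List[str] = field(default_factory=list)


def backoff(attempts: int) -> int:
    """Delay before the next try: doubles from MIN_RETRY, never above MAX_RETRY."""
    return min(MIN_RETRY * 2 ** (attempts - 1), MAX_RETRY)


def run_queue(entry: QueueEntry, deliver: Callable[[int], Outcome]) -> str:
    """Drive one queue entry to its end state.

    deliver(now) models one SMTP delivery attempt. A connection timeout or a
    4xx reply is ("temp", ...): the message stays queued and is retried later.
    Only a 5xx reply ("perm") or exceeding GIVE_UP bounces it to the sender.
    Returns "delivered", "bounced" or "expired".
    """
    now = entry.queued_at
    while True:
        entry.attempts += 1
        kind, code = deliver(now)
        entry.log.append(f"+{(now - entry.queued_at) // 60:>5} min  attempt {entry.attempts}: {kind} {code or 'timeout'}")
        if kind == "ok":
            return "delivered"
        if kind == "perm":
            return "bounced"                 # 5xx: generate a bounce now
        delay = backoff(entry.attempts)
        if now + delay - entry.queued_at > GIVE_UP:
            return "expired"                 # gave up: bounce as "delivery time expired"
        now += delay


def outage_until(down_until: int) -> Callable[[int], Outcome]:
    """Receiving host unreachable (connection timeout) until down_until, then accepts."""
    def deliver(now: int) -> Outcome:
        return ("temp", None) if now < down_until else ("ok", 250)
    return deliver


def always(kind: str, code: Optional[int]) -> Callable[[int], Outcome]:
    """Receiving host that gives the same answer every time (e.g. 550 or 450)."""
    return lambda now: (kind, code)


if __name__ == "__main__":
    e = QueueEntry("bob@example.net")
    print(run_queue(e, outage_until(6 * 3600)))   # home link down for 6 hours
    print("\n".join(e.log))
```

With the home link down for six hours the message is delivered on the fifth attempt, seven and a half hours after it was queued, and nobody sees a bounce; a host that answers 450 forever is retried for five days before the sender gives up. That is the gap between "my server was offline" and "my mail bounced" the two posters above are arguing about.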

------
mrb
One little trick that I rarely see mentioned for working around the negative
or neutral reputation your MTA's IP might have is that you can route your
outgoing emails through another MTA that has a higher reputation. For example
route them through smtp.gmail.com (or for other options see
[https://support.google.com/a/answer/176600?hl=en](https://support.google.com/a/answer/176600?hl=en)).
It does not mean you have to use Gmail. It does not mean you have to change
your MX records. It does not mean you have to use a @gmail.com address. None
of that. Your recipients will not even notice you are routing through
smtp.gmail.com (unless they inspect the detailed headers). All you need is a
Google account and password to authenticate against smtp.gmail.com, and Google
will happily route your email to wherever, to any external domains, etc.

Doing this makes you retain all the advantages of running your own MTA: none
of your emails are hosted at a third party provider, no scanning of your
emails to personalize ads, no government agency can knock at the door of an
email provider and ask them for the content of your inbox, etc.

The only downside is that in theory Google can scan and block your outgoing
emails (not incoming emails since these hit your MTA directly). But if you
don't send spam, this should never happen.

Another option is to route your mail through your ISP's MTA. Yes ISPs usually
offer SMTP relay service accessible only from their customer's IP addresses
(eg. for Comcast it is "smtp.comcast.net" IIRC.) However the reputation factor
of an ISP's MTA might be worse than Google's MTA.

~~~
djsumdog
Huh..never thought of this. I run my own e-mail server on a Linode. I have
constant trouble not being classified as spam. I did a whole post on it:

[http://penguindreams.org/blog/how-google-and-microsoft-
made-...](http://penguindreams.org/blog/how-google-and-microsoft-made-email-
unreliable/)

The sad reality is, I'm thinking of moving my e-mail back to someone else. It
might be Fastmail, might be Amazon. Running my own e-mail server is a pain and
I hate having to send people a message on Facebook or Reddit saying, "I sent
you an e-mail. Check your spam folder."

If I route my e-mail through Gmail's SMTP server as a relay, that shouldn't
affect my DKIM/SPF stuff right? I'd just have to change SPF/DMARC to say gmail
is allowed to relay messages for me, correct?
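
Added example (not code from the thread): a small deliverability lint covering the reverse-DNS item in Nux's checklist and the SPF question just above. fcrdns_ok checks that the PTR for the sending IP names the host and that the host's A/AAAA record points back at the same IP; check_spf evaluates a v=spf1 record for that IP (mechanisms a, mx, ip4, ip6, include and all, with RFC 7208's 10-lookup limit; no macros or redirect=). The zone data is constructed, including the placeholder contents under _spf.google.com; the only thing taken from reality is the shape of the answer to the question above: to let another operator's MTA relay for your domain you add an include for the SPF domain that operator publishes, while a DKIM signature made on your own server stays valid unless the relay rewrites signed headers or the body.

```python
# Added example (not from the thread): forward-confirmed reverse DNS and an SPF
# check for the IP a message actually comes from. The DNS data is a constructed
# zone so the check runs offline; a real lint would query the live resolver.
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def rev(ip: str) -> str:
    return ipaddress.ip_address(ip).reverse_pointer + "."


# Constructed zone: the home MTA (v4 + v6), a relay netblock, a DSL client and an
# SPF loop. The records under _spf.google.com are placeholders, not Google's.
ZONE: Dict[Tuple[str, str], List[str]] = {
    (rev("203.0.113.10"), "PTR"): ["mail.example.org."],
    (rev("2001:db8::25"), "PTR"): ["mail.example.org."],
    ("mail.example.org.", "A"): ["203.0.113.10"],
    ("mail.example.org.", "AAAA"): ["2001:db8::25"],
    ("example.org.", "MX"): ["10 mail.example.org."],
    ("example.org.", "TXT"): ["v=spf1 mx ip6:2001:db8::25 include:_spf.google.com -all"],
    ("_spf.google.com.", "TXT"): ["v=spf1 include:_netblocks.google.com ~all"],
    ("_netblocks.google.com.", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
    ("loop.example.", "TXT"): ["v=spf1 include:loop.example -all"],
}


def lookup(name: str, rtype: str) -> List[str]:
    return ZONE.get((name.rstrip(".") + ".", rtype), [])


def addrs(host: str, version: int) -> List[Addr]:
    return [ipaddress.ip_address(a) for a in lookup(host, "A" if version == 4 else "AAAA")]


def fcrdns_ok(ip: str, helo: str) -> bool:
    """PTR(ip) must name the HELO host and that host's A/AAAA must contain ip."""
    addr = ipaddress.ip_address(ip)
    for host in lookup(addr.reverse_pointer, "PTR"):
        if host.rstrip(".").lower() == helo.rstrip(".").lower() and addr in addrs(host, addr.version):
            return True
    return False


QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, ip: str, lookups: Optional[List[int]] = None) -> str:
    """Evaluate v=spf1 for ip: a, mx, ip4, ip6, include, all (no macros/redirect).

    lookups counts DNS-querying mechanisms across includes; RFC 7208 caps it at 10,
    which is also what stops the loop.example record from recursing forever.
    """
    lookups = [0] if lookups is None else lookups
    addr = ipaddress.ip_address(ip)
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1 ")]
    if len(records) != 1:
        return "none" if not records else "permerror"
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > 10:
                return "permerror"
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # an IPv4 address is never inside an ip6 network and vice versa
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = addr in addrs(arg or domain, addr.version)
        elif mech == "mx":
            hosts = [m.split()[-1] for m in lookup(arg or domain, "MX")]
            matched = any(addr in addrs(h, addr.version) for h in hosts)
        elif mech == "include":
            result = check_spf(arg, ip, lookups)
            if result in ("none", "permerror"):
                return "permerror"          # include of a broken/absent record
            matched = result == "pass"
        else:
            return "permerror"              # unknown mechanism or modifier
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                        # nothing matched and no "all"


def lint_sender(ip: str, helo: str, mail_from_domain: str) -> Dict[str, str]:
    return {"fcrdns": "ok" if fcrdns_ok(ip, helo) else "FAIL",
            "spf": check_spf(mail_from_domain, ip)}


if __name__ == "__main__":
    for ip in ("203.0.113.10", "2001:db8::25", "198.51.100.7", "192.0.2.55"):
        print(ip, lint_sender(ip, "mail.example.org", "example.org"))
```

Running it: the MTA's own v4 and v6 addresses pass both checks, the relay address 198.51.100.7 passes SPF only because of the include, and the DSL address 192.0.2.55 has no PTR and hits -all. Note the IPv6 path has to be wired up separately (AAAA, its own PTR, an ip6 or host mechanism in SPF); a record that only lists ip4 fails the moment your MTA prefers the v6 route to gmail.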

~~~
x0x0
I did a similar thing 2 years ago and chose Fastmail. Their web-app is best of
breed ex google -- unfortunately, the honest truth is nothing is as good as
gmail web + gmail apps + google cal.

Fastmail does have more issues -- lack of fit and finish, their web app is
sometimes buggy, their spam detection is buggy, it's imap, the lack of gmail
style conversations being the fundamental unit of work in the app shines
through sometimes, the gmail app on android does not interact well with
fastmail, etc. However, they have recently fixed my biggest complaints:
charging 11 cents per sms message to do 2fa and their rules interface looking
like it was written as a my-first-javascript project. So it's actively
improving. I like it enough that I recently re-upped for another two years.

They do enjoy one big advantage over google besides privacy: tech support!
Like a human, that reads and responds to issues submitted through their site!
I've contacted them twice with questions about setting up my domain and one
other thing and I got replies, from someone who knew what she/he was doing,
within an hour each time!

Also, they will do a catch-all address (eg xoxo@xoxo.com) which receives email
from every address not specifically defined. Thus you can implement the best
anti-spam technique: every email you give out is domain@xoxo.com which
forwards to you@x0x0.com so you can tell exactly who sold or leaked your email
address. eg latimes@x0x0.com was sold all over the place.

~~~
PaulHoule
I love fastmail. Really I do not like gmail style conversations so I prefer
fastmail over gmail.

~~~
SteveCr48
I too love the FastMail web interface. It rocks! On Android, unfortunately,
FastMail comes up short. I have yet to find a satisfactory solution

------
walrus01
Having a perfect smtpd that speaks TLS 1.2, has properly set up dkim, spf and
dmarc records, working reverse DNS, etc is sadly not enough these days if you
use a commodity vps/VM host. IP block reputation matters as well. Sadly, some
other customers in your same /24 have been less clueful than you within the
recent memory of major SMTP operators(gmail, office365/Microsoft, etc) and
your IP space probably had a bad reputation.

Reputation perception by opaque large SMTP operators will not show up in RBLs
and other ways to check for blacklists. You cannot query your IP block's
status unless you happen to personally know a senior sysadmin on their mail
operations teams. They don't share this information because it would help
spammers choose new "clean" places to spam from.

One solution is to Colo your own 1u system with an ISP that is known to have
very stringent zero tolerance abuse policies. Typically not one that is a
commodity hoster.

~~~
loup-vaillant
I don't understand. Why this over-reliance on IP based reputation and
blacklist? Aren't Bayesian filters enough? Or maybe people don't know how
"mark as junk" works?

~~~
semanticist
This is at a level before 'mark as junk', where a mail provider will refuse to
deliver your message at all - or potentially even refuse to accept it. The
earlier the mail providers can detect/block spam the less resources they have
to dedicate to storing and transmitting the spam.

~~~
loup-vaillant
Ah, so _cost_ is the reason why they won't let the email through at all… All
those people who mistakenly think email is free… (even gmail is not free: you
pay for it by letting them spy on you and sending you targeted ads).

~~~
quonn
Most people in fact know this and assume they are being tracked everywhere and
they also assume that the service providers (Google, Facebook) can read
everything.

The problem is not that alternatives are too expensive, but that there are no
good alternatives. I would be glad to pay $5/month to Google to get an ad-free
version.

~~~
crasm
There was a recent blog post about migrating from gmail to FastMail on here
earlier this week.

In my personal experience, it's been excellent. I've been using it for about a
year and a half now, receiving from custom domains and sending from their
servers.

Their webapp is better than Google's and it's actually the main reason why
I've stayed with them.

It's also cheaper than $5/mo.

------
hannob
I'm running small scale mail servers. It's not nearly as difficult as the
common folklore makes you believe.

Make sure you don't send spam and your server is properly configured. If you
are sending mails to people that don't want it then it is spam. "They silently
agreed to get our newsletter because it was listed in our ToS on page 357" is
not acceptable. No other excuse for sending spam is acceptable. Whenever you
send any automated mail there must be an easy way to unsubscribe.

A few more tips:

* Check your mail server on [http://multirbl.valli.org/](http://multirbl.valli.org/) \- if it's in any blacklist try to find out why (there are a few rogue blacklists, ignore them).

* Hotmail allows you to receive a report for every mail that a hotmail user thinks is spam. Use that. Act on it.

* Check your logs for messages that indicate that others think you're spamming.

* E-Mail forwarding is a tricky business these days. Avoid it.

I occasionally get dubious spam rejections, but they don't come from the large
hosts. They usually come from some small ISP using a proprietary antispam
solution that gives you no insight what's going on.

My suspicion would be that qmail is your problem. There are a great many
details that a mail software has to get right, qmail often doesn't do what the
email ecosystem expects.

------
ChuckMcM
Absolutely possible but it's a battlefield on the Internet so you have to
understand the players. Two things I haven't seen mentioned in all the
excellent advice:

1) Does your ISP let you send email? Some ISPs will not allow any outbound
traffic to port 25 from a non "business" port. They force their users to send
their email to their server, and then they forward it on to the Internet.

They do this with nominally good intentions (it is easier to control spam
generated from their networks), but they also are financially motivated to do
so.

2) Don't try to send mail from a dynamic IP address, you should have (and
would probably pay extra for) a fixed static IP address (V4 and V6).

Dynamic IPs have two problems, one they change and mail receivers don't like
that. Two, they carry with them the abuses people who had the IP address
before committed. So your email may get delivered one day, and then poof you
renew the lease on your IP and get one that is on a black list somewhere.

~~~
loup-vaillant
> _mail receivers don't like [Dynamic IPs]_

That's an understatement. Reading Hotmail's policy, I saw a blanket _ban_ on
dynamic IP address. Your mail won't even attain the spam box of your
recipient. It will bounce right away. Other big providers probably do the
same.

In many cases to successfully sending a mail from a dynamic IP is flat out
impossible.

------
TheMog
I've been running my own MTA for about 15 years now, so it's definitely
possible without spending the majority of one's waking hours to do so.

Even when I switched mail server IPs twice over the last few years I didn't
run into the issues you ran into. A large part of it depends on where you run
it - if you, say, run it on your home Internet connection that's usually an
immediate strike against you because of the insane number of spammers using
backdoor'd PCs to do exactly that.

The only time I ran an MTA out of my home was when I was on a commercial ISP
with a fixed IP address, that seemed to be good enough for most services
including gmail and hotmail.

These days I run my MTA on a VPS with a reputable hosting provider and don't
seem to have that many issues with outgoing mails marked as spam.

SPF and DKIM are pretty much a must these days, so that's a good starting
point, as are the rest of the precautions you already took. I assume you're
using your own domain, how "old" is that domain? That might also have an
impact given how many phishers and spammers register odd domains and use them
for a short amount of time. I've used the same domain since about 1999 so that
could make a difference.

I use postfix instead of qmail, but I've used qmail in the past. Both work
well and are easier to configure than sendmail or exim IMHO. On top of that I
do run amavisd/spamassassin/clamav for the incoming emails as well.

One more thing I've got set up that I didn't see in your list is that I've got
TLS set up with a non-self signed certificate for both incoming and outgoing
email. I suspect that this also makes a difference even if the other email
server won't request a client certificate (most, if not all, won't). Certainly
shows up when I send an email over to gmail.

My biggest issues these days are more with incoming email:

\- You'll never get to the level of spam filtering that, say, gmail offers. To
me, that's OK

\- I use greylisting to weed out a lot of the spam that would normally make it
through spamassassin, but unfortunately that's when you find out how many
people have misconfigured servers that bounce emails when they encounter
temporary failures

~~~
dsr_
I've been running my own mail server off of a residential connection since
1998, so... 18 years. I do pay for a static IP, and I switched ISPs away from
Comcast (who had inherited me as a customer) when they abruptly started to
filter inbound port 25 and claimed I had a malware infestation.

For years it was qmail, but when I wanted to use SMTP/SSL as much as possible,
switching to Postfix was easier than maintaining all the qmail patches.

I switched over to Let's Encrypt certs several months ago, and those have been
working out quite well for me.

~~~
mrbill
FYI they don't filter inbound OR outbound port 25 if you're a Comcast Business
customer; in fact I think the _only_ ports they filter for business customers
are a couple of ports only used for remote attacks on MS Windows boxes.

~~~
dsr_
You know how Comcast gets the Worst Company in America award every year or
two? I really don't feel any desire to go back to them.

As far as I can tell Comcast employs a number of very competent network
engineers and an astounding number of horrendous customer service and
executive managers.

------
pflanze
I'm doing it, also using Qmail. I've felt the same pains as you (even started
to suspect that providers might detect mail was being sent by Qmail and
scoring that lower (perhaps (only) spammers are using Qmail today?), but more
probably my network block (Hetzner.de) is the biggest reason for my
difficulties).

Here's what I've done on top of your list:

\- backscatter prevention (using my own [https://github.com/pflanze/better-
qmail-remote](https://github.com/pflanze/better-qmail-remote))

\- do the Google domain verification dance (postmaster tools, configuring
their entry in the DNS); still didn't prevent mails ending up in spam, but who
knows whether it might still have helped.

\- started running mailing lists on it _anyway_, in spite of me knowing that
mails end up in people's spam folders, and simply tell all new subscribers
that mails first end up in their spam folders and that once they mark them as
non-spam the problem goes away. This seems to be working (people haven't
complained), and will over time hopefully give my server the reputation I
need.

(PS. I'm also still using DJBDNS, with a config generator written in Scheme,
look out for tinydns-scm on my Github)

~~~
jdmoreira
Why would other MTAs have a buff against Qmail?

I'm using maradns for DNS but I respect djb's software a lot. I'm using his
publicfile as an httpd.

I have already added my domains in google's postmaster tools. So far it hasn't
helped much

~~~
derefr
I think the parent's hypothesis was that MTAs would negatively weight any MTA
that isn't the custom ones running on Gmail/Outlook/Yahoo servers.

~~~
jdmoreira
Thanks. Well... that's just terrible.

------
rahkiin
I will not repeat what everyone else has already said, but I can add one
thing. You need to 'warm up' your IP address. You need to send a lot of non-
spam email. MTAs will A/B test it: mark some as spam, mark others as not spam.
Then they see if they get user spam reports or non-junk reports. They don't
know you. The more you send (successfully, if everything is marked as spam by
receivers it won't work), the more they start trusting you.

SparkPost allows the use of dedicated IPs and it has a warm up time. They tell
everything about it in [0].

[0]
[https://support.sparkpost.com/customer/portal/articles/19722...](https://support.sparkpost.com/customer/portal/articles/1972209-ip-
warm-up-overview)

------
jwr
Of course it is. I've been doing it since 2001 or so. It isn't as easy as it
should be, but it isn't that hard, either.

I had problems with mail acceptance only once, when one of my ISPs got me an
IP address that was either used by a spammer in the past, or was in the same
subnet that the spammers used. Other than that, no problems over the past 15
years, and I switched providers and systems at least three times over that
time.

I'd encourage everyone to go ahead and do it. It isn't very hard, cost on the
order of several dollars/euros a month, and you finally own your E-mail. I
find it appalling that most people either use company E-mail (it isn't yours,
anyone can read it, and if you part ways with the company you have a problem)
or Google Gmail (Google does read it, trains its algorithms on it, and targets
advertising based on that).

Don't worry too much about DKIM. It is no longer a good signal anyway, most
spam gets it right.

So, if you're capable of it, go ahead and run your own mail server. I wish
more people did it, so that we could avoid the "big guys" restricting E-mail.
If more individuals ran their own servers, we could democratize E-mail again:
it wouldn't be that easy to just reject E-mail for no good reason.

For the reference, the software I use right now is: Ubuntu LTS, postfix,
postgrey, amavis, dovecot. I rent a virtual server at Hetzner.de.

------
tezza
Linode + Postfix successfully for years.

Reverse DNS very important and the SPF

Linode have excellent setup documentation (
[https://www.linode.com/docs/email/postfix/email-with-
postfix...](https://www.linode.com/docs/email/postfix/email-with-postfix-
dovecot-and-mysql) )

~~~
ctrlc-root
I have been running this setup for a few years now and it's great. I used to
have a problem with GMail rejecting a lot of forwarded emails as spam but I
set up graylisting
([http://postgrey.schweikert.ch/](http://postgrey.schweikert.ch/)) and since
then I haven't had a single email rejected. It probably also matters how long
you've been running your server so I would expect (assuming you're not
actually sending or forwarding spam) to see the number of rejected emails
decrease over time.
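
An added example (my code, not ctrlc-root's or TheMog's setup) of the greylisting both of them describe: a postgrey-style policy keyed on the (client /24, sender, recipient) triplet that answers 450 on first contact and lets the triplet through once the sender comes back after the delay. Time is passed in as seconds so it runs offline; the 5 minute delay, the subnet key and the expiry defaults follow postgrey's, the response text is my own.

```python
# Added example (not from the thread): a postgrey-style greylist as a Postfix
# policy decision. Times are injected seconds so it runs offline; delay, key and
# expiry defaults mirror postgrey's, the rest is a sample policy.
import ipaddress
from typing import Dict, Tuple

Triplet = Tuple[str, str, str]   # (client network, envelope sender, envelope recipient)


class Greylist:
    def __init__(self, delay: int = 300, retry_window: int = 2 * 86400,
                 max_age: int = 35 * 86400) -> None:
        self.delay = delay                  # how long a new triplet must wait
        self.retry_window = retry_window    # a pending triplet is forgotten after this
        self.max_age = max_age              # a passed triplet is forgotten after this
        self.pending: Dict[Triplet, int] = {}   # triplet -> time first seen
        self.passed: Dict[Triplet, int] = {}    # triplet -> time last seen

    @staticmethod
    def key(client_ip: str, sender: str, rcpt: str) -> Triplet:
        """Key on the /24 (v4) or /64 (v6): a sender farm that retries from a
        neighbouring address still matches its first attempt."""
        addr = ipaddress.ip_address(client_ip)
        net = ipaddress.ip_network(f"{client_ip}/{24 if addr.version == 4 else 64}", strict=False)
        return (str(net), sender.lower(), rcpt.lower())

    def check(self, client_ip: str, sender: str, rcpt: str, now: int) -> str:
        """Policy answer: "DUNNO" (let the remaining checks decide) or a 450 defer."""
        k = self.key(client_ip, sender, rcpt)
        seen = self.passed.get(k)
        if seen is not None and now - seen <= self.max_age:
            self.passed[k] = now            # keep known-good triplets fresh
            return "DUNNO"
        first = self.pending.get(k)
        if first is None or now - first > self.retry_window:
            self.pending[k] = now           # never seen (or stale): defer and remember
            return f"450 4.2.0 Greylisted, retry in {self.delay} seconds"
        if now - first < self.delay:
            return f"450 4.2.0 Greylisted, retry in {self.delay - (now - first)} seconds"
        del self.pending[k]                 # came back after the delay: let it in
        self.passed[k] = now
        return "DUNNO"


if __name__ == "__main__":
    g = Greylist()
    t = ("203.0.113.10", "alice@example.org", "bob@example.net")
    print(g.check(*t, now=0))       # first contact: 450
    print(g.check(*t, now=1800))    # a real MTA retries 30 min later: DUNNO
    print(g.check("198.51.100.7", "x@y.example", "bob@example.net", now=0))  # 450, never retried
```

The failure mode TheMog mentions is visible in the last line: a triplet that is deferred once and never seen again. A sender that treats 450 as final bounces the message instead of retrying, and from the greylist's side that looks exactly like spamware that never retries either, so the only fix is on the sender's end.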

~~~
superswordfish
I ran a setup like this for several years but rejected/spam foldered emails
were always a pain, plus a well-appointed mail host uses a fair bit of memory.
I use Google mail now. It's not very expensive, and instant unconditional
delivery to other Google mail users is a pretty nice perk. The nicest thing is
not having the worry in the back of your head that just maybe something has
gone awry with your setup and you are losing mail _right now_.

------
tristor
Yes, it's absolutely possible. I wrote an extensive set of step-by-step
instructions on how to deploy secure email services on top of Debian 7[0].
They still work but are no longer maintained because my current position is
that services like Proton Mail [1] make running your own email services
unnecessary. You're welcome to review and use them, and if anybody wants to
update them to work under Debian 8, PRs are welcome on the Github repo [2]

[0]
[http://securemail.tristor.ro/#!index.md](http://securemail.tristor.ro/#!index.md)

[1] [https://protonmail.com/](https://protonmail.com/)

[2]
[https://github.com/Tristor/securemail.tristor.ro](https://github.com/Tristor/securemail.tristor.ro)

------
bensbox
I am running my own mailserver for several years now and it is quite possible.
The problem is, that your IP is new to the other MTAs and you need a couple of
months to build up the reputation. Services like the one from Microsoft have
forms, where you can delist yourself from their blacklists. Even though you
are not blacklisted, it helps for the reputation if you fill out the forms
with the MTAs you have problems with. Nevertheless it is a constant work (not
much..1 hour per week) to keep up the reputation. Just make sure you are not
losing the IP when it starts to work out ;)

~~~
jdmoreira
Yes, I think this is a great part of the problem. My IP doesn't have any
reputation. But how do I build one? I send a very small volume of emails, I'm
just one person.

~~~
techsupporter
Send legitimate e-mails to people you know on those services. Ask them to mark
those e-mails as trusted / not spam. Make sure they reply to at least a few.

I've been running my own e-mail server for years. I have DKIM, SPF, PTR, and
everything else set up and my e-mail domains and IP addresses are many years
old. Every so often, Gmail still decides to spam-bin me for a week or so.

------
Kadin
You can do this, and I do this (although not for my personal email, currently,
although I have in the past -- I do it for a club though and it works fine).

If you are not being blacklisted (check the common ones plus AOL, they run
their own), and are using SPF and DKIM, you shouldn't be having problems with
messages getting blocked. That's pretty unusual.

What could be happening is that you might be in an IP range that's
residential; there are some operators who blackhole all messages originating
from "residential" IPs, even if they are not specifically being blacklisted
for bad conduct, and even if they have valid SPF/DKIM records. I think this is
a pretty bullshitty thing to do, and completely out of the spirit of Postel's
Law, to the point where I think anyone who configures a server this way ought
to be forced into a lifetime of Windows XP helpdesk duty. But it's a thing
that happens.

One solution that's worked for me is to get a cheap VPS and run my mailserver
there. It's in an IP block that traces back to a big datacenter, and it seems
to be much more acceptable to various overzealous spam filters than my home
IP.

------
soneil
It's worth checking whether you're running IPv6. It does become very relevant.
e.g., SPF records need to include it, it must also have a good rDNS, etc.

In particular, I know gmail hold IPv6 to higher standards. Some things (e.g.
rDNS) that we traditionally treat as 'should', gmail will treat as 'must' over
IPv6 - it's being treated as a chance to drop a lot of legacy leeway.

I do run my own MTA. It's not high-maintenance, at all. Understand the
pitfalls, iron them out, and then stick with it to build your reputation.
There is no magic bullet - the big providers won't tell us how they measure us
- the best we can do is be well-behaved, stay well-behaved, and adopt modern
standards (TLS, SPF, DKIM, etc) as they're thrown at us.

My best advice is to choose a reputable host. There's a lot of race-to-the-
bottom in the web hosting market, and VPS are turning out no different.
Keeping a clean house is good for your reputation - but so is living in a nice
neighbourhood. It's well worth a couple of bucks extra to find such a
neighbourhood.

~~~
loup-vaillant
> _My best advice is to choose a reputable host._

This sucks big time. We should be able to send email from fucking _home_, not
beg an external, bigger guy to either do it for us (one's ISP, google…), or
lend us a machine so we can do it from there (Amazon, OVH…).

Email providing is so concentrated right now it is starting so show signs of
network effects —just like more recent (anti)social networks. This is not
right.

~~~
TheOtherHobbes
We should be able to send spam from home.

But if we can send email from random dynamic IP addresses, so can spammers.

And spammers do. I run an MTA (postfix) on a couple of Linodes and I get more
hacky spam-wannabe traffic than I get actual mail.

Postfix is configured to kill it all, so I never see any of it. But the logs
are spam carnage.

My domains are hardly famous, so if you're running a high profile site I can
imagine the problem would be a lot worse.

~~~
loup-vaillant
What I mean is, the originating IP address should not be such an overwhelming
criterion of spamminess. When I receive spam, my most important criterion for
filtering it is pure _content_.

I have a hard time believing spam is such a huge problem we have to use
simplistic filters such as IP bans to deal with them. My email address is
written without obfuscation in the open web (my own website), and my email
clients' filters (Thunderbird or Evolution, depending) are more than enough
once I have trained them a little.

(My domain is probably even less famous, but I do receive cold, non-spammy
email from time to time regarding my blog articles.)

------
sigil
Send a mail from your address to mailtest@unlocktheinbox.com. They send back
an extensive "lint for smtp" report within minutes. I found it indispensable
for debugging a DMARC issue recently.

~~~
njt
I tried this service right now and unfortunately, large chunks of their report
require you to upgrade to a paid version to read it.

mail-tester is free: [https://www.mail-tester.com/](https://www.mail-
tester.com/)

(I'm not affiliated with either of these tools apart from using them.)

------
acd
Was a mail admin for quite a number of years, here are some tips. Check that
the IP address you are running your own mail server from is not blacklisted.
Nor can the IP hosting the mail server be in a home IP range. This is because
there are spam blacklists that explicitly mark home user IP ranges as possibly
spammy.

Check the reputation in the various anti-spam blacklists out there:

* Check IP in multiple blacklists [http://multirbl.valli.org/](http://multirbl.valli.org/)

* Check server IP on mxtoolbox [http://mxtoolbox.com/whatismyip/](http://mxtoolbox.com/whatismyip/)

* If you are using a home server IP please consider using a VPS with a good IP reputation.

* Consider looking up the IP at Cisco SenderBase reputation and check its score, make sure it's considered good. [https://www.senderbase.org](https://www.senderbase.org)

* Look up the IP in Barracuda reputation [http://www.barracudacentral.org/lookups](http://www.barracudacentral.org/lookups)

(Cisco and Barracuda are because these are somewhat common antispam services at
edges).
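
Added example (not acd's tooling) of what those blacklist lookups do under the hood, the same query Postfix's reject_rbl_client or a multi-RBL page issues: the IP's octets (or IPv6 nibbles) are reversed and prefixed to the list's zone, and an A record inside 127.0.0.0/8 in the answer means listed, with the last octet encoding the reason. The resolver and the code table here are constructed stand-ins for the demo, not any real list's data; each list publishes its own meaning for the return codes.

```python
# Added example (not from the thread): build the DNSBL query name for an IP and
# interpret the answer. The resolver and the code table are constructed stand-ins.
import ipaddress
from typing import Callable, Dict, List


def dnsbl_name(ip: str, zone: str) -> str:
    """Reverse the v4 octets (or v6 nibbles) and append the list zone."""
    rp = ipaddress.ip_address(ip).reverse_pointer      # e.g. 55.2.0.192.in-addr.arpa
    return f"{rp.rsplit('.', 2)[0]}.{zone}"            # strip in-addr.arpa / ip6.arpa


# Sample meaning of the last octet of a 127.0.0.x answer; real lists publish their own.
RETURN_CODES: Dict[int, str] = {
    2: "spam source",
    4: "compromised host / bot",
    10: "dynamic or end-user range (policy listing)",
}

# Constructed answers for the demo zone "zen.example"; a missing name is NXDOMAIN.
FAKE_ANSWERS: Dict[str, List[str]] = {
    dnsbl_name("192.0.2.55", "zen.example"): ["127.0.0.4", "127.0.0.10"],   # a DSL client
}


def fake_resolve(name: str) -> List[str]:
    return FAKE_ANSWERS.get(name, [])


def check_dnsbl(ip: str, zone: str, resolve: Callable[[str], List[str]]) -> Dict:
    name = dnsbl_name(ip, zone)
    answers = resolve(name)
    reasons = []
    for a in answers:
        addr = ipaddress.ip_address(a)
        # Lists answer only inside 127.0.0.0/8. Anything else is a wildcard, a
        # hijacked zone or a dead list that now "lists" the whole Internet, and
        # must not be treated as a listing.
        if addr not in ipaddress.ip_network("127.0.0.0/8"):
            return {"query": name, "listed": None, "error": f"unexpected answer {a}"}
        reasons.append(RETURN_CODES.get(int(addr) & 0xFF, f"code {a}"))
    return {"query": name, "listed": bool(answers), "reasons": reasons}


def check_many(ip: str, zones: List[str], resolve: Callable[[str], List[str]]) -> Dict[str, Dict]:
    """What a multi-RBL page does: the same query against every zone."""
    return {z: check_dnsbl(ip, z, resolve) for z in zones}


if __name__ == "__main__":
    for ip in ("192.0.2.55", "203.0.113.10", "2001:db8::25"):
        print(ip, check_many(ip, ["zen.example", "dul.example"], fake_resolve))
```

Two practical notes: most lists rate-limit or refuse queries from public resolvers, so run these through your own recursive resolver; and the "unexpected answer" branch is not theoretical, lists that shut down have historically started returning positive answers for every query, which a naive check turns into rejecting all mail.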

------
ebbv
It's gonna be really hard. I work at a hosting company and our staff has to
work constantly to make sure people's servers get taken off of spam
blacklists, or IP blocks of ours need to get removed, etc. There's a lot of
stuff to navigate out there, basically kludges that have been put in place
because email is just such a terrible, insecure system.

I'm sure if you're willing to put in the effort you can do it. But from my
point of view, I'd probably just get a managed VPS with a hosting company who
will take care of all the headaches of dealing with spam filters for me. They
can be had pretty cheaply and the money is well worth it if you get good
support.

~~~
rhizome
Are the IPs being added to blocklists without ever having sent spam?

~~~
ebbv
The spam filtering companies do make mistakes sometimes. Sometimes someone is
sending out legitimate mail but it's a new IP sending a bunch of mail and they
err on the side of caution.

Or sometimes your IP will just get caught when a spam company decides to spam
flag an entire block of IPs.

I think if OP keeps at it, they will find that it's not worth the hassle and
for a very reasonable amount of money they could have just had a personal
email server where someone else deals with the headaches.

Of course, again, I work for a hosting company so I may be biased here but I'd
probably be saying the same thing even if I didn't.

------
jjnoakes
PSA: If you run your own mail server and use that email address for password
resets, please use a reputable hosting provider and dns provider, and turn on
2FA.

Don't let that often overlooked weak point be the way every one of your
accounts gets compromised. Once they have your email, they have everything
that resets via that email domain.

~~~
sippeangelo
Any recommendations for a reputable name server that has 2FA?

~~~
__david__
I used to just run bind (and then later tinydns) on the same machine that had
the SMTP server, but finding secondaries got really hard (the last really good
one got bought and shut down by dyndns). A couple years ago I switched my DNS
to Amazon AWS's route53 which has been working great, and AWS has 2 factor
authentication (at least for the web console).

------
mehdym
1. Creating a good IP reputation takes time; get a static IP from your ISP
and gradually increase the number of emails sent out.

2. Having multiple IP addresses and throttling helps if you send bulk emails.

3. Check the email headers of spammed emails; they usually contain valuable
info about the reason for being detected (SPF/DKIM, ...)

4. Check the contents of your emails and find out the spam score of the
content.

5. You can look into commercial solutions like: www.own-mailbox.com

6. Hillary, if it's you, don't do it again!

------
FollowSteph3
It's possible but it's not worth it unless you have a lot of knowledge about
it or a lot of time and enjoy it. That's why most small to medium companies
outsource this to services like sendgrid, mailchimp, etc.

You can't do everything so you have to pick your battles ;)

~~~
wslh
> That's why most small to medium companies outsource this to services like...

Indeed, big companies outsource mail servers too. That was very surprising at
first, but it reduces [effective and hidden] costs significantly, and with a
good SLA they can receive excellent service.

------
waits
I've been running my own mail server on AWS for about 3 years now. Postfix,
Dovecot, and a Rails app I wrote for webmail. At first I had 0 deliverability
but over time it's improved to near 100%. Just setting up SPF, DKIM, not being
on a blacklist, and building up a reputation of good mail seems to have worked
wonders. I've been wanting to move to DigitalOcean but I don't yet know if
there will be a significant hit on my IP reputation.

Postfix occasionally drops a legitimate incoming email due to a misconfigured
sender, usually from a domain that doesn't resolve to anything, but I just log
those in case I miss something important.

~~~
timdeneau
If you change IP addresses when moving to DigitalOcean it will reset your
reputation and deliverability. Speaking from recent experience.

~~~
lucb1e
Can confirm IP address change will reset 97% of reputation. Domain reputation
is almost negligible and content is also much less important.

------
zzzcpan
> I don't know what else to do

These days you also have to get a bunch of different VPSs and test sending
e-mails from their IPs and choose the ones working. That's what e-mail
marketing companies do. Because a lot of IPs and subnetworks out there have
poor reputation or are even completely blacklisted, and that reputation is not
generally recoverable.

~~~
pcl
_That's what e-mail marketing companies do._

... and that, in turn, is why so many IPs have poor reputations.

------
deftnerd
Receiving email is easy. Sending it is much harder.

One of the things that is the most frustrating is that if you end up on a
blacklist, or a large provider decides independently not to trust you, it's
often completely silent when it blackholes all your outbound emails to that
service.

I've just moved over to a hybrid of hosting my own MX servers for incoming
email, and forwarding all my outgoing emails to an email-as-a-service provider
for outgoing messages. Their trusted IPs usually help delivery, and they're
actively paid by their users to have employees making sure that their IP
ranges are whitelisted.

~~~
jdmoreira
I might go down that route. What service are you using? Thanks

~~~
deftnerd
Personally, I use MailGun. They have a generous free tier (10,000 messages a
month) that I've never exceeded for my personal use.

------
tacon
If you are having trouble with Google putting your emails into spam folders,
email to yourself at Gmail. Then examine the original headers ("show
original") and check the authentication header Google adds. It begins:

Authentication-Results: mx.google.com;

and details what it did and did not like about your message. For example, it
let me know my mail server had suddenly started sending over IPv6 (actually,
Google started accepting there and IPv6 had priority) and I only had SPF
records for the IPv4 address. Google's authentication results are the friend
of everyone with a personal mail server.
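As an added illustration (not tacon's code or any project's), here is a small Python helper that parses the `Authentication-Results` header Google adds and evaluates a simplified SPF record (only `ip4:`/`ip6:`/`all` mechanisms, no DNS lookups) against the IP the message actually came from, so the IPv4-only-record-but-delivered-over-IPv6 case above shows up as a fail. The record, header text, addresses and `example.org` are constructed.

```python
"""Constructed example (not tacon's code): read the Authentication-Results
header Google adds, and check a simplified SPF record against the IP the
message really came from, so an IPv4-only record evaluated for an IPv6
delivery shows up as the failure described above.
Only ip4:/ip6:/all mechanisms are evaluated; a/mx/include/redirect need
DNS lookups and are refused explicitly rather than silently skipped."""
import ipaddress
import re

# SPF qualifier -> result name (RFC 7208, section 4.6.2).
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_authentication_results(header_value):
    """Return (authserv-id, {method: result}) for a header value such as
    'mx.google.com; spf=fail (...) smtp.mailfrom=...; dkim=pass header.i=...'.
    Parenthesised comments are dropped before splitting on ';'."""
    text = re.sub(r"\([^)]*\)", "", header_value)
    authserv, _, rest = text.partition(";")
    results = {}
    for clause in rest.split(";"):
        match = re.match(r"\s*([A-Za-z0-9-]+)=([A-Za-z]+)", clause)
        if match:
            results[match.group(1).lower()] = match.group(2).lower()
    return authserv.strip(), results


def parse_spf(record):
    """Split a v=spf1 TXT record into (qualifier, mechanism, argument) tuples."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    mechanisms = []
    for token in tokens[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass" when it matches
        if token[0] in QUALIFIER_RESULT:
            qualifier, token = token[0], token[1:]
        name, _, argument = token.partition(":")
        mechanisms.append((qualifier, name.lower(), argument))
    return mechanisms


def check_spf(record, sender_ip):
    """Evaluate the record for the connecting IP (IPv4 or IPv6 string).
    The first matching mechanism decides; 'all' matches every address."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, argument in parse_spf(record):
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            # An ip4 mechanism can never match an IPv6 client, and vice versa.
            if network.version == ip.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
            continue
        raise NotImplementedError("mechanism %r needs DNS; not evaluated here" % name)
    return "neutral"  # nothing matched and the record has no 'all'


def ipv6_gap(record, sender_ip):
    """The failure mode from the thread: delivery over IPv6 checked against a
    record that only lists ip4 mechanisms. Returns a hint string or None."""
    ip = ipaddress.ip_address(sender_ip)
    families = {name for _, name, _ in parse_spf(record) if name in ("ip4", "ip6")}
    if ip.version == 6 and "ip4" in families and "ip6" not in families:
        return "SPF record lists only ip4 mechanisms, but mail was sent from %s" % ip
    return None


# Constructed sample: the record covers one IPv4 address, and Google saw the
# message arrive from an IPv6 address (documentation prefixes, not real hosts).
SAMPLE_SPF = "v=spf1 ip4:192.0.2.10 -all"
SAMPLE_AUTH = ("mx.google.com; dkim=pass header.i=@example.org; "
               "spf=fail (google.com: domain of me@example.org does not designate "
               "2001:db8::25 as permitted sender) smtp.mailfrom=me@example.org")

if __name__ == "__main__":
    print(parse_authentication_results(SAMPLE_AUTH))
    print(check_spf(SAMPLE_SPF, "2001:db8::25"), "-", ipv6_gap(SAMPLE_SPF, "2001:db8::25"))
    print(check_spf("v=spf1 ip4:192.0.2.10 ip6:2001:db8::25 -all", "2001:db8::25"))
```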

------
mifreewil
It's been many years since I've run my own mail server, but especially if you
are running your mail server on a public cloud, you should make sure you
aren't on any blacklists like Spamhaus:
[https://www.spamhaus.org/lookup/](https://www.spamhaus.org/lookup/)

EDIT: Looks like this is one of the things
[https://glockapps.com/](https://glockapps.com/) checks.

~~~
jdmoreira
I already did check my IP. It's not in any known list. But thanks :)

~~~
pflanze
Also check the IPs of your neighbours (in the same subnet or network block). I
suspect the big ISPs also look at this, and on Hetzner at least I've found
many neighbours with somewhat spammy IPs.

------
jeffmould
See this discussion:
[https://news.ycombinator.com/item?id=12107688](https://news.ycombinator.com/item?id=12107688)

~~~
e12e
In particular this comment:

[https://news.ycombinator.com/item?id=12109727](https://news.ycombinator.com/item?id=12109727)

about some hard-to-find tools that help with Microsoft mail (Live.com /
outlook.com / hotmail.com etc). There may have been some similar strange link
for Gmail - I only have access to my phone right now, so I can't check my
notes.

I _believe_ that was the thing I was missing from my setup (and it was
frustrating to debug as mail simply disappeared).

Between a (for now) cacert-certificate (which I think is treated as "self-
signed" for most purposes) and SPF - both Google and MS appear to accept my
mail. I've turned off ipv6 - if you want it, it might take some extra work.

I'm planning to move to opensmtp "when I have time" and maybe dbmail for the
store - now I'm on exim and dovecot.

I get little spam - I do have greylisting set up. What I get is generally to
emails leaked in the LinkedIn and Adobe attacks. I should change those
addresses, and reject/black hole the old ones. But for now it's manageable -
and is filtered out in my "misc" folder by simple address-based filtering
(exim .forward file)

(I generally give each site a different mail, see eg my HN profile).

------
galori
If you look at the aggregate of the comments here, I think you get the idea.
It's possible, but you have to constantly work at keeping it going with
reputation, whitelisting, etc. and you'll never get to 100% deliverability
ingoing or outgoing. Probably more like 70%-80%.

The big guys whitelist each other.

There are (very expensive) services for the medium guys, such as
[Return Path](https://returnpath.com/), that help you keep a good relationship
with the various ISPs. With many ISPs they even have a very specific
whitelisting deal where you literally pay to be whitelisted... I think that's
mostly the second tier ones like AOL, Comcast, Yahoo. Gmail for example
doesn't play ball with that - but they will whitelist you if you follow all
the rules and have a good reputation, which someone like Return Path can help
with.

Is the situation shady? Yes. But it rose out of a need for dealing with a real
problem (spam), which you have to admit has gotten under control over the last
10 years.

Bottom line, I would use a 3rd party service.

------
pja
Yes, absolutely. I do this & have done for a decade or more.

But that decade probably helps - my mail server has kept the same static IP
the entire time, so has a pristine spam reputation.

I added SPF a couple of years ago as otherwise Google was starting to look
askance at some of the emails sent from my server, but I haven’t bothered with
DKIM (apart from adding a DKIM policy that says “I don’t do DKIM”, that is). No
problems so far.

Where are you hosting your mailserver? If it’s on a dynamic IP on your home
internet, then you’re on a hiding to nothing. Static IP on a home internet
might be OK, if you can fix your reverse DNS to be something sane rather than
the more usual adsl123455.isp.net or something. Google generally hates reverse
DNS entries that look like consumer internet connections.

If you’re hosting with AWS or another cloud provider, then I believe the only
way to get a server on an IP address that doesn’t come with a terrible
reputation for spam is to cycle through IP addresses until you find one that
works - this is what the big mail delivery companies do, I believe.

------
lucb1e
> is it possible to run your own MTA, for personal use in 2016? Who, here, is
> doing it successfully?

Hello, I run my own mail server, though admittedly with an attitude of "your
spam filter thinks I'm spam? That filter is broken; have fun reading your
spambox."

Company email addresses are actually never any trouble anyway, only personal
ones (the free ones like yahoo, gmail and hotmail) are the ones where people
have trouble with broken filters, so I don't think I'm missing out on
anything. And even those filters usually learn (after a few emails to
different accounts on the service) that my IP address is not to fear.

I add SPF records but don't sign with DKIM (too much trouble; I set this up
years ago when I didn't have much experience yet).

The last time I had trouble sending email was with (of course) google apps.
Some company, whose product we were required to use by school, had no privacy
policy so I wanted to ask after it. Sending them an email, google's mail
server outright refused my IP address to deliver a message (this is extremely
rare, usually it goes into a spambox). Google is the only one that can get
away with this, given the near monopoly, without people thinking it's an issue
on google's side. In the end I just didn't send them an email. Also quite
ironic that google, of all companies, is the one standing in the way of my
email trying to ask after a company's privacy policy.

This was half a year ago. Before that I can't remember having issues with
anyone or anything for another year or so. Given how much I use email and how
little spam I receive (catch-all with a blacklist), owning a mail server is
totally worth it. Also because I don't have to accept anyone else's privacy
policy or consider how many people have access to my inbox (I host at home,
not colocated nor VPS).

~~~
takeda
Regarding spam filtering, you actually can get filtering as good as, if not
better than, Google's. I use bogofilter; the main issue though is that when you
first start using it, it will be quite bad at filtering, and you will have to
continue to train it.

I actually use sendmail with the bogofilter-milter.pl script (there is also the
bogom program which does a similar thing) as opposed to the usual way of running
it with procmail; it essentially does the filtering at the moment it is being
sent to you and rejects spam right on the spot. The advantage of it is that the
sender will get a notification that the spam was not delivered; also many
spammers might drop you from their lists when they can't deliver spam.

~~~
lucb1e
Using another method (catch-all with a blacklist) I also get better filtering
than gmail can offer. Much less sophisticated and a little more trouble, but
much more effective.

------
dbcurtis
I've been doing it for ages, but I do it a very lazy way. It's so lazy that I
highly recommend it.

Before I explain what I do, I'll just mention that if you run the server that
is the destination of your MX record, then you probably also want to run a
back-up spooler at a remote site for when the connection to the primary
server, or the server itself, is down. Down for security patching, for
instance. Running a rock-solid mail service is kind of a pain, because it
never fails at a convenient time.

So... I let my ISPs handle the high up-time requirement stuff, and let them be
the mail spool as far as the outside world is concerned. Then I pop it down
and requeue the mail on a machine that sits behind my firewall and isn't even
on the front lines of the internet. I run an IMAP server on that. If it goes
down, pfffft, the mail spools up at the ISP for a while and it gets popped down
when my server comes back up. It actually all works pretty well, but since I
use my ISP's SMTP server for outgoing, all of my e-mail clients have a rather
funky asymmetric set-up. The e-mail setup wizards just don't handle it. At.
All. As long as you remember how to do old-school e-mail config settings, and
can convince the new-fangled e-mail client to let you do a manual config, the
asymmetric server is not much of an issue.

For remote access, I port-forward IMAP in my firewall.

So I should probably modernize this whole kit, but.... I think I mentioned
above that I am lazy.

------
virtualio
The problem is that your ISP has named your home connection with a DNS name
that probably doesn't match the domain name that you're trying to receive
and send mail for. There's a workaround by adding an SPF TXT record to your
DNS. But that's no guarantee that all major mail providers will accept mail
from your mailserver as unmarked (rather they'll end up as spam in your spam
folder)

------
calpaterson
I run my own mailserver and have done since ~2012. I don't have DKIM or DMARC
set up but I am using postfix and not qmail. I'm sorry I can't help you with
your delivery problem - except to say that if you didn't have eg rDNS set
up to begin with, gmail might have a negative cache of it. I haven't had
problems with delivery of outgoing mail except to a couple of poorly
administered exchange hosts run by recruitment agencies - which complain about
my mail but confusingly do still deliver it.

Two real problems I have faced... I once (embarrassingly) created a unix user
with test/test credentials for messing about and forgot that my postfix setup
at the time reused unix credentials (ssh was locked down to only allow a
specific user to log in). I sent a few million spams an hour for a couple of
weeks, getting my host into all the DNS blocklists. This took some time to fix
(you have to apply to have your host removed from the blacklist). While I'm
sure sending all that spam was annoying to many other people, it didn't
actually affect delivery for my mail... so it seems other administrators aren't
using DNS blocklists?

Second, after a while I started to get a lot of spam. Maybe 10 per day. I
tried various things to handle this, including setting up a proper bayesian
spam filter (amavis-new) and using DNS blocklists myself. None of this worked
for me. Greylisting however worked great.

So my suggestions to you: use defence in depth for mail as well as ssh. That
means, fail2ban, different creds for both, unusual ports, user whitelists,
high patchlevels (auto-patch and restart is great for a personal mail server)
maybe client side TLS certs...etc. If you're relying on a single layer of
defence eventually you'll make a mistake with it and then you're in trouble. I
guess that really applies to anything you're trying to secure.

~~~
calpaterson
One idea I just had: inspect the headers of your emails as they are received
in a gmail account. These will often contain diagnostic information that will
help you debug any problems (with SPF/DKIM/etc)

~~~
TheMog
That's a very good suggestion. I pretty much do that every time I make setup
changes.

------
jrnichols
"gmail and hotmail both mark my mails as spam."

And they will continue to do so for as long as it takes for your mail server
to earn a positive reputation. I recently had this problem with gmail after
moving mail servers. There's really nobody that you can contact; gmail doesn't
whitelist mail servers.

You're going to run into this problem with proofpoint, barracuda, postini,
etc...

------
diego_moita
Using Postfix & Ubuntu on a Linode server, they have a very good how-to[0].
The main problem I have is filtering incoming spam on spam-assassin.

[0] [https://www.linode.com/docs/email/postfix/email-with-postfix-dovecot-and-mysql](https://www.linode.com/docs/email/postfix/email-with-postfix-dovecot-and-mysql)

~~~
extrapolate
Using postgrey[0] fixed this problem for me, a few months back I started
getting hammered with spam and now get virtually zero.

[0]
[https://wiki.centos.org/HowTos/postgrey](https://wiki.centos.org/HowTos/postgrey)

------
hukl
I'm running my own mail server for a couple of years now. I'm using postfix
and dovecot. I have SPF and DKIM set up and I'm using spamassassin, roundcube.

Setting up a working mail server is one of the biggest challenges because so
many components are involved these days and you need to make them play
perfectly together. I'm against using out of the box VM images / installers
because then you don't understand what's going on under the hood. Mail servers
are these kinds of beasts I would suggest to understand as best as possible
before letting it loose on the world.

It's like with security. There is no "Just press this button/Just install this
software and you are secure" solution - There is no easy and convenient way to
run your own mail server without getting really involved with it :)

Just saying this as a warning for everybody who has this thought. I've been
through it and my mail set up is running for 5 years like a charm now. But it
was a steep way to get there :)

------
perakojotgenije
Yes, it is possible. Here's a blog entry [1] I wrote some time ago on how to set
up your own email server that will be accepted by major MTAs. I have used my own
mail server since 2004.

[1] [http://draganmatic.com/init/default/show_page/1](http://draganmatic.com/init/default/show_page/1)

------
timdeneau
You also need a DMARC record ([https://dmarc.org](https://dmarc.org)) along
with your DKIM and SPF records.

Be careful testing your configuration when sending emails to the large
providers, you can inadvertently score negative marks against your own
reputation, which is hard to recover from.

~~~
hstrauss
And set up reporting and forensic reporting. I have a domain that seems to be
the default for a botnet, so my daily reports from GMail and Yahoo! always
include at least a few IP addresses attempting to submit as admin@[domain].

The reporting sets my mind at ease that those big guys are blocking it and
that the (low) legitimate volume of mail to those guys is reasonable.

It's also interesting to note that with DNSSEC, DKIM, SPF and DMARC, the
pattern seems to be that some large Chinese mail providers drop DNS responses
to try to overcome the "-all" token in the SPF record and "p=reject" token in
DMARC. At least the reports show that the authentication (by SPF/DKIM) failed,
so that makes me sleep a little better.

Par for the course, I guess. :P

*edit: grammar

------
shirro
I had been running mail servers for a few years but didn't bother with my own
until about 12 years ago. Back then all I needed was an old box in a cupboard,
static IP, mx record and not have an open relay. As you have discovered things
have changed a lot.

I have seen some people do cool things with qmail but unless you have a long
history with it I think you are better off with postfix. Qmail requires a lot
of patches to catch up with the way things are done these days.

It sounds like you have done all the best practice things. A valid PTR record,
valid ssl certificate, SPF, DKIM, DMARC. You generally can't host from home
anymore because your IP will likely be blacklisted so grab a vps and check
your IP is clean. You will want to add ridiculous rate limiting so you don't
get sin binned when someone mails to a group. Adding your IP to dnswl probably
does not hurt.

Even with you doing everything else right it won't get you instant acceptance
somewhere like hotmail. You are going to have to establish a reputation over
time with them. Get an email address at all the free services, send emails,
mark as not spam, check their help websites. View full source of received
emails if they let you to see what headers their mail system attached to your
messages.

And of course protect your reputation. If you need to send legitimate bulk
email use someone like mailchimp and let them deal with any damage.

And this is only the outgoing part. You still have to worry about incoming
emails, submission, retrieval, filtering etc.

I do email setups for websites where I need to ensure spam filter free
communication with clients and most business mail systems I encounter don't
seem to bother with half the stuff I do. They will deliver all their emails
plain text with no spf or dkim. And they will do brain dead things like having
fake blackhole mx records as some sort of homeopathic spam remedy. And they
all seem to stay in business so perhaps we just overthink this stuff
sometimes.

------
hawat
You can deploy end-to-end solution like zimbra (community version is open
source and free). Has all necessary features (DMARC, SSL, clamav, spamassasin,
and s-mime), really good webmail interface, some "cloud" file storage features
(briefcase!) and more. As more and more people depend on big providers like
google and microsoft with they mail we should advertise as much as possible,
and convert as many as we can to self hosted mail solutions. Mail is last
bastion of free communication. And should last "neutral" as long as is
possible. Big providers are bulling smaller ones marking mail as spam/junk or
blocking entire address spaces on "we thing that we should, and we do as we
thing" policy.

------
Jaruzel
Adding in my 2p's worth of advice here as well. The big thing I think is your
IP. Even if it is 'static', if you are running the MTA from your house, your
IP will be marked as residential, and probably also still 'dynamic' (just made
sticky by your ISP to your Router/Modem).

The best way to give your outgoing mail 'authority' is to relay it through a
smarthost. Some ISPs offer this - All my outgoing mail from the Exchange
server in my Garage routes through my ISPs smarthost - it's the only way I can
be sure that the big webmail hosts (hotmail/outlook, gmail, yahoo) actually
get the mails. If I try to route direct, the mails get blocked.

------
mrbill
I've been doing so for years. Having spent almost a decade in the ISP
industry, I don't trust other providers for anything but transit.

I have a 50/10 connection from Comcast Business with five static IPs. One of
those hosts what used to be a colo box with an ISP in Austin (I'd worked for
them years ago, and had a services-for-colo agreement that lasted until an
ownership change).

For about five years now I've had no problems sending or receiving mail; just
keep a common-sense best practices configuration and do regular checks to make
sure that you're not relaying/sending spam and aren't on any RBLs. "Nux"'s
comment is a good list.

------
swenn
When I was in the same situation some time ago, I used
[https://www.mail-tester.com/](https://www.mail-tester.com/) With the score
around 7 or 8, Gmail didn't mark it as spam anymore.

------
pmlnr
Of course it is. I've been running mine for ages; the current setup is postfix,
dovecot, dspam, opendkim, opendmarc. The last IP change was ~1 year ago, the
last domain change ~1 month ago, no issues.

A long while ago, when I wasn't running the mail server in lxc, and it was a
server which also hosted web frontends, I got it "hacked" once; a rogue perl
script sent 10s of thousands of emails within an hour. Thankfully, this was
in ~2007, so removing the node from blacklists wasn't impossible.

Anyway: add dmarc, and make sure you have TLS to send/receive. This latter is
probably the most important bit.

------
aabajian
We've used our own mail server to send all email reminders from
www.cronote.com for the past five years. I followed the following tutorial
step-by-step. The hardest thing was understanding how to setup the DNS records
correctly:

[http://flurdy.com/docs/postfix/](http://flurdy.com/docs/postfix/)

It'll take about three hours to get everything working right (and passing spam
checks), but it's a great introduction to running your own mail server, and
when you're done you can simply create an image of the machine to use in the
future.

------
fusiongyro
I just set up mail myself last week. Postfix on FreeBSD over at DigitalOcean.
Did everything you did and was quite frustrated that my wife seemed not to be
getting my email. The thing is, I sent a test email before adding SPF, and
then one before adding DKIM, and Gmail figured out they were all part of the
same "conversation" so because the first one seemed spammy the rest were
penalized.

I made my own fresh Gmail account and messages go through fine. So I'd try
that: make a fresh account from the one you've been testing with, and see if
mail goes through.

------
jghn
I used to and stopped just because it was a pain in the butt to keep my emails
from getting flagged as spam all over the place. Several years ago I switched
to using Dreamhost which was great for a while but I'm running into the same
issues again, an increasing number of popular mail hosts are flagging emails
from me as spam. Likewise Dreamhost has pretty much given up providing
reasonable spam blocking tools.

I'm now considering something like a google organization account, or whatever
it is called, where it's really gmail but with my domain name

------
lisper
I've run my own mail server for >10 years. Getting it set up the first time is
a bit of a chore but once it is running it requires nearly no attention. The
hardest part is keeping your IP address off the spam black lists.

My setup:

Debian Linux + Postfix + Dovecot + a little greylist milter I wrote myself in
Python. Happy to release the code if there's any interest.

I also have a script that automates the process of setting up a mail server
but it's not quite ready for prime time. If anyone is interested in being an
early adopter let me know.

------
vancan1ty
Those of you who run your own email servers -- do any of you run it from a
residential connection with dynamic ip address? Or do you pay extra for a
static ip address/host using a VPS?

~~~
jloughry
I've done it; personally, I pay the extra $5/month for static IP addresses.

Depending on your upstream provider, though, it ranges from difficult to
impossible to get the reverse DNS for "your" static IP addresses set to
something reasonable. Maybe for a business account they would do it...but for
a home connection, forget it. Trouble tickets asking for reverse DNS updates
will be ignored.

------
cookiecaper
No, not really. It's a constant battle to get delisted from spam blacklists
and your site keeps popping back up. Even most companies don't bother with it
anymore.

~~~
lucb1e
> Even most companies don't bother with it anymore.

This is a little bit like "correlation is not causation". Companies are moving
a lot of stuff to the 'cloud', and email is just one of the services that goes
with it. It's simply cost-saving to not have dedicated IT personnel. Even if
hosting your own mail server is easy, you need someone who takes care of it
every now and then (disk full, adding users, blacklist incident once a year,
etc.).

~~~
cookiecaper
Your company is amazingly lucky if it only gets a blacklist incident once a
year, and if that incident is easily resolved.

The internet seems to have decided that if your mail doesn't come from one of
the major commercial mail brokers, it's as good as spam. I ran several private
mail servers for several years before giving up. I'm generally suspicious of
moving to cloud/services, but outgoing email is the one thing that I can
safely say 99% of companies would be better off moving to a service.

------
cmdrfred
I did almost exactly what you describe and it works flawlessly, but I only
send a small volume of mail (my own). Digital ocean droplet $10 a month, but
it would run on a $5 one if you don't also have caldav/sftp/kerberos/vpn/etc
there like me.

Fun Fact: Microsoft Exchange has no native support for DKIM and tons of
businesses run that in house, often on 'business class' connections without
correct reverse IP records.

~~~
lucb1e
> Digital ocean droplet $10 a month

I don't know whether OP uses a home connection, but that makes a big
difference. It has some pros and cons:

A VPS (with its dedicated IP address):

- Usually has a good reputation, though you might have bad luck. Switch early
on when you notice this. Doing it later just nullifies any trouble you had
building its reputation.

- Is hosted somewhere in the cloud. (I used to hate the term "the cloud" but
it's actually pretty apt and funny if you start seeing it as "they have no
idea where their shit is and who has access to it, both physically and network
traffic".)

Hosting at home:

- Might be trouble with your ISP if you don't live in a country with net
neutrality and port 25 is closed.

- Gets you a lower reputation score by default, so it takes slightly longer
to build.

- Gives you full access control over your email.

~~~
cmdrfred
There is also a third option: set up an OpenVPN server and connect the home
hosted SMTP server to the internet through it; gives you the best of both
worlds, I figure.

~~~
lucb1e
That might actually be a good idea! I wonder whether a hosting provider or ISP
is more reliable in not snooping SMTP traffic, but assuming that is equal, it
sounds like the best of both worlds indeed.

------
bluejekyll
I used to run my own MTA, and then I got fed up staying ahead of spammers.

I chose postfix which has a lot of off the shelf support for blacklisting and
such, but even so I found that I couldn't stay ahead of spammers and their
(new at the time) techniques like reflection attacks.

Anyway, while it's fun to play with this, unless you want to spend time every
week keeping it up to date, etc., I found it mostly a drain on other better
things I could be doing.

~~~
havetocharge
I too ran my own mail server for years. I wasn't as rigorous as you in
applying patches.. perhaps monthly or quarterly. At the end of the day though,
it was the superiority of the Gmail client that won me back.

------
lazyant
Yes, with the caveat of non-guaranteed deliverability (in other words: one day
out of the blue gmail/hotmail/whoever will drop silently your emails)

------
saynsedit
Gmail blocks based on IP. If you're running off of a dynamic IP at home you're
going to need a smarthost.

If you're running from a VPS you may need a smarthost.

------
cdysthe
Hillary Clinton is the expert here ¯\_(ツ)_/¯

------
lrusnac
You should think about security though. An interesting article you should read
before deciding to use your own mail domain:
[https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd#.y4aky7iwk](https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd#.y4aky7iwk)

------
sliverstorm
Make sure you aren't delivering over IPv6. I had all my IPv4 rules set up, and
mail worked fine - except delivering to gmail. Turns out I was delivering over
IPv6. I wound up shutting off my IPv6 interface.

As a good netizen I should work to behave on IPv6, but it was just too much of
a pita for my tiny, single user server which works fine on IPv4

------
bluedino
Ars did a series of articles on running your own mail server:
[http://arstechnica.com/information-technology/2014/02/how-to-run-your-own-e-mail-server-with-your-own-domain-part-1/](http://arstechnica.com/information-technology/2014/02/how-to-run-your-own-e-mail-server-with-your-own-domain-part-1/)

------
gbuk2013
I have been running an Exim4 email server serving several domains for many
years, mostly without issue. I do have SPF configured and it is running on a
commercial VPS server.

For spam defence I use grey-listing based on DNSBL lookups, some standards-
enforcement ACLs and then SpamAssassin via MailScanner on the messages that get
through.

------
mverwijs
Been running it for over 15 years. No SPF. No dkim. Never had complaints,
though threads like these have me worried.

~~~
rhizome
You and me both. I think the risks are overplayed, but at the same time it's
probably about time to join the future with SPF/DKIM/DMARC.

~~~
zbuf
And IPv6 is that future. My resource is that when you start connecting on IPv6
many mail providers will consider SPF and proper reverse DNS mandatory.

------
z3t4
The spam filter is a product. And if it doesn't work, like legitimate mail
getting marked as spam, they will lose business. Just look at Yahoo where it's
currently impossible to get white-listed, who are losing business because of
this. (Yahoo mail was as big as Gmail is now about 15 or so years ago)

------
dboreham
What exactly is happening to your outbound test messages? Is the recipient MTA
accepting delivery but filtering? Are you seeing rejects from the MTA? If so
what's the error? Try sending messages that are ordinary looking (not
"Testing, testing...").

How long has the sender domain been registered?

------
darkhorn
In addition to the other things; DNSSEC and then registering your domain for
at least 3 years might help.

------
trentmb
[https://mailinabox.email](https://mailinabox.email)

~~~
jdmoreira
You didn't understand the question. I already have the mail server running.
That's not the problem.

~~~
ViViDboarder
This is probably no help to you, but since you're doing this already, you may
know. Is it feasible to self host your own email server but then use something
like Mailgun for SMTP?

~~~
mfjordvald
Yes. I do this. It gets rid of the spam folder problem while allowing you to
host the incoming email yourself.

~~~
jdmoreira
I might go down this route. Great advice! What service do you use? Thanks

~~~
mfjordvald
I'm with Sparkpost for my personal stuff, at work we use Mailgun.

------
wtbob
I followed Ars Technica's article years ago, and modulo a few minor
alterations, their instructions seemed to have worked pretty well. I will note
that I mostly _receive_ , rather than _send_ email, but I've had no problems
I'm aware of.

------
efesak
Sure! I run several servers (and am developing them, see
[https://poste.io](https://poste.io)). Watch DMARC reports and give it a little
time, most of the time it will solve itself. You can also register for feedback
loops...

~~~
dtmmax33
Definitely recommend FBL for anyone running a newsletter. That way if you do
get a spam complaint you will be notified. Take a look at the list here:
[https://www.port25.com/list-of-current-feedback-loops-offere...](https://www.port25.com/list-of-current-feedback-loops-offered-at-isps/)

------
j45
You can run something like Zimbra. I ran my own personal server for almost 15
years and intend on going back to it.

I trusted Microsoft once with my hotmail and they somehow deleted 16 years of
my emails and correspondence with a few friends who passed away.

------
RIMR
Yeah, all you need is a business-class Internet connection (residential
Internet services block mail services), and a server.

I run my own servers both onsite and in the cloud. I have my own little
personal "corporate" network.

------
wfunction
I'm not sure it's a great idea from a privacy viewpoint.

Why should anyone who has ever received an email from you know your IP
address? Especially if it's a home server, that will give them some idea of
where you live.

------
ashitlerferad
It is pretty hard to do:

[https://sfconservancy.org/blog/2015/sep/15/email/](https://sfconservancy.org/blog/2015/sep/15/email/)

------
markvaneijk
One important thing is that for Gmail you need to send your e-mail using TLS.

~~~
nullcipher
Surely you mean SSL (as in TLS) ? SASL is something else.

~~~
markvaneijk
Yes, TLS was what I meant..

------
jwatte
I do that, using postfix.

You need to also run spamassassin, with auto update, and check in with a
number of rbl servers on the receiving side. (This is more important when you
forward aliases to gmail and such)

------
kazinator
I run my own mail server on a dynamic IP. Not being marked as spam is mainly a
matter of how you send mail. Make your next SMTP hop a server of decent
repute. Don't send mail directly.

~~~
darkhorn
Why on dynamic IP? Why?

~~~
kazinator
Why not? It works fine. Doesn't actually change for weeks or months at a time.
Implicit in your ISP hookup; no extra cost. Dynamic DNS takes care of it.

------
qwertyuiop924
Running an MTA isn't too hard, but it's annoying. Postfix, qmail, and
opensmtpd are the easiest to set up. I never actually got POP/IMAP working, so
I have no advice there.

------
jack9
I run my own for my own personal use...not public available accounts. I've
never even looked at SPF, DKIM, or cared if I was in blacklists. I rarely send
mail and receive lots of it.

------
ams6110
Are you running it out of your house (e.g. a residential ISP)? If you are
you'll probably never have much success, all the major email providers block
residential IP addresses.

~~~
jdmoreira
VPS provider. Respectable one.

------
SixSigma
Your IP block assigned to domestic suppliers is probably the thing that kills
you.

My VM in the ISP has no issues, but from home, blocked at lots of places.

What you can do is use your ISP as a mail sending relay.

------
yeukhon
Some ISPs don't allow SMTP at all. FWIW, if you are hosting on Amazon for
example, you can't run a mail server on port 25 from an EC2 until you submit a
support ticket.

~~~
scaryclam
I find this a bit of an odd claim, since I have a mailserver running on port
25 on EC2 right now, without a support ticket, and have no problems.

~~~
yeukhon
Correct and I should have been more careful.

AWS throttles port 25. So for us to use that host as a relay server, we
wouldn't be able to because of the throttle.

[https://aws.amazon.com/premiumsupport/knowledge-center/ec2-p...](https://aws.amazon.com/premiumsupport/knowledge-center/ec2-port-25-throttle/)

------
drudru11
Yes - I just started doing it again. I'm glad I did. I just made sure that I
could send/receive mail without issue from the large email systems.

------
jakeogh
Sure. My setup:
[https://github.com/jakeogh/gpgmda](https://github.com/jakeogh/gpgmda)

------
meej
I have been running my own email server on a VPS running slackware and
sendmail for over 3.5 years now and have not had any trouble sending mail.

------
omginternets
Is there a comprehensive guide to running a homebrew end-to-end encrypted mail
server? Something roughly analogous to tutanota or protonmail?

------
timkofu
Have you looked at Zimbra? [https://www.zimbra.com/](https://www.zimbra.com/)

------
mindslight
Postfix, Mail Avenger, Linode, unison, mutt, -spf, -dkim, -dmarc. Fine for
>10yr, although I'm sure the age helps with rep.

------
dstjean
Ask Hillary Clinton

------
janci
Have a look at the message headers when it goes to Gmail or any other target.
There will be a hint why it gets marked as SPAM.
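The hint usually sits in the Authentication-Results header the receiving MTA adds, plus the topmost Received header (which also shows whether the final hop was TLS, the point raised elsewhere in this thread). Below is an added example, not code from the thread: it pulls those two headers out of a saved message and lists which of SPF, DKIM and DMARC did not pass. The sample message and all host and domain names in it are constructed.

```python
"""Summarise the receiver's verdict on a message that landed in spam.

Added example, not from the thread. Reads the Authentication-Results and
Received headers a receiving MTA stamps on delivery and reports which sender
checks (SPF, DKIM, DMARC) did not pass and whether the last hop used TLS.
The sample message and every name in it are constructed."""
import re
from email import message_from_string
from email.policy import default

# Constructed message as it might look in the recipient's mailbox: SPF fails
# because the IPv6 address of the sending host is not in the SPF record.
SAMPLE_MESSAGE = """\
Received: from mail.example.org (mail.example.org [2001:db8::25])
        by mx.example.net with ESMTPS id abc123
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 05 Jan 2016 10:11:12 +0000
Authentication-Results: mx.example.net;
       dkim=pass header.i=@example.org header.s=mail2016;
       spf=fail (mx.example.net: domain of user@example.org does not designate
       2001:db8::25 as permitted sender) smtp.mailfrom=user@example.org;
       dmarc=pass (p=NONE) header.from=example.org
From: user@example.org
To: someone@example.net
Subject: Hello

Just checking in.
"""

# Matches the "method=result" clauses, e.g. "spf=fail" or "dkim=pass".
_CLAUSE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)

HINTS = {
    "spf": "SPF did not pass: the connecting address (check the IPv6 one too) "
           "is not covered by the domain's SPF record",
    "dkim": "DKIM did not pass: no signature, selector not published in DNS, "
            "or the message was modified in transit",
    "dmarc": "DMARC did not pass: neither SPF nor DKIM aligned with the From: domain",
}


def _headers(raw_message, name):
    """All values of header `name`, unfolded onto single lines."""
    msg = message_from_string(raw_message, policy=default)
    return [" ".join(str(value).split()) for value in msg.get_all(name, [])]


def parse_auth_results(raw_message):
    """Map each method to the receiver's verdict; "none" if it was not checked."""
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for line in _headers(raw_message, "Authentication-Results"):
        for method, verdict in _CLAUSE.findall(line):
            results[method.lower()] = verdict.lower()
    return results


def tls_used(raw_message):
    """True if the last hop recorded a TLS session (ESMTPS or a TLS version)."""
    received = _headers(raw_message, "Received")
    if not received:
        return False
    # Received headers are prepended, so index 0 is the receiver's own hop.
    last_hop = received[0]
    return "ESMTPS" in last_hop or "TLS" in last_hop.upper()


def explain(raw_message):
    """Plain-language reasons the receiver may have had to distrust the mail."""
    hints = [HINTS[method] for method, verdict
             in parse_auth_results(raw_message).items() if verdict != "pass"]
    if not tls_used(raw_message):
        hints.append("last hop was not TLS; some large receivers penalise "
                     "plaintext delivery")
    return hints


if __name__ == "__main__":
    for hint in explain(SAMPLE_MESSAGE):
        print("-", hint)
```

Save the spam-foldered message as raw text (Gmail's "Show original") and feed it to `explain`; a method that shows up as "none" means the receiver did not find a record to check at all, which is a different fix from a "fail".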

------
t3ra
Related question: how do you get push notifications from a self-hosted MTA? The
closest option I know of is an app called CloudMagic.

------
chmaynard
This has to be the most arcane discussion I have ever read on HN. Fascinating
and terrifying at the same time.

------
z3roblock
Check if your server is not in an RBL list. My company was hosting SMTP and got
added to RBLs very often.

------
cdnsteve
Anyone aware of any newer MTAs built using Python, Go or Node? Maybe with nice
JSON config.

------
igk
Yes, I am doing it successfully using the awesome iredmail.

------
ariejan
Try Mail-in-a-Box. It works very, very well :-)

------
guilamu
Has anyone here tried mailpile? Any thoughts?

------
ABorserker
Check with mxtoolbox.com

------
marmot777
DMARC

------
notadoc
Sure, but do you want another chore?

------
RajkumarOvi
hi

------
meeper16
Sendmail is your friend.

------
miguelrochefort
People like you should be punished.

------
tacostakohashi
Basically not, if you have other things you're trying to do with your life at
the same time.

It's like trying to make a toaster from scratch, or growing your own wheat to
make your own bread. It's possible, but it's also impractical and you'll end
up with a worse result than you can get off the shelf.

------
tootie
I don't know if "run your own" means your own everything, but Amazon SES is a
pretty viable option. Even if it's not, they have a pretty good checklist for
keeping yourself out of spam filters:
[http://docs.aws.amazon.com/ses/latest/DeveloperGuide/deliver...](http://docs.aws.amazon.com/ses/latest/DeveloperGuide/deliverability-and-ses.html)

------
mindcrash
Grab
[https://github.com/sovereign/sovereign](https://github.com/sovereign/sovereign),
follow instructions, done.

~~~
jdmoreira
You didn't understand the question. I already have the mail server running.
That's not the problem.

