// 2022-09-17 // by Makkor Jamal

I want to self host an email server

Why would you want to do that?

One day, I was wondering how emails work. Before that, I really did not care to know the multitude of protocols and inherent complexity of email. For me, it was just a utility. You wouldn’t dig a well for water, plant food, or make your own electricity grid; you just open the tap and water magically comes out. You press a switch, and there is light as long as you don’t forget to pay your bills—you are good to go.

I was a satisfied Gmail user for years. Until one day, out of nowhere, Gmail started auto-suggesting word completions for my emails. This sounds like a normal thing at first, but this was no dumb auto-complete. It was highly specific, highly personalized, tailored suggestions. Google officially crossed the creepy line.

Make your email deliverable

So, I decided to host my own email server on a VPS instance. Sending an email is very straightforward; all you need is a program called Postfix and an open port 25, and you are good to go. However, this is not the end of the story—far from it. You can definitely send an email by just installing this program, but it will for sure go to the spam folder of every correctly configured email server on the planet (or worse, be outright rejected). You need a lot of configuration to make your email deliverable.

These hoops to make your email genuine are understandable. Since the first email protocols were built based on trust, email back then was not even encrypted. Yes, you heard it (or read it): email through port 25 goes through as plain text. This trust, however, was abused by spammers and malicious actors. Now, you have to go through multiple hoops to make your email reach a recipient. You have to encrypt it, create an SPF record, sign it with DKIM, and create a DMARC policy for your email. You can Google these terms if you want to know more.

But this is not all of it. Every IP has a reputation; a fresh IP starts with a neutral one and needs to build it up over time. This is done by using your server to do legitimate work and by avoiding some security pitfalls, such as letting your email server become an open relay for others to use (which you prevent with a specific configuration), as well as by limiting the number of emails sent per day, keeping an unsubscribe list, etc.

If all of this works out, your email should, in principle, be deliverable to other email services. You can test this by using known email testing services like mail-tester.
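Before sending a test message, the SPF, DKIM and DMARC records described above can be sanity-checked locally. The following is an added example, not code from the original post: it lints the three TXT records for common mistakes. The domain `example.org`, the DKIM selector `mail`, the record values and the function names are all constructed for illustration.

```python
# Constructed sample TXT records for the placeholder domain example.org
# (not from the post; the DKIM key is a truncated dummy value).
SAMPLE_ZONE = {
    "example.org": ["v=spf1 mx ip4:203.0.113.25 -all"],
    "mail._domainkey.example.org": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],
    "_dmarc.example.org": ["v=DMARC1; p=quarantine; rua=mailto:postmaster@example.org"],
}

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM/DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_mail_dns(zone, domain, selector):
    """Return a list of findings; an empty list means the three records look sane."""
    findings = []
    spf = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # several SPF records make receivers return a permanent error
        findings.append(f"SPF: expected exactly one v=spf1 record, found {len(spf)}")
    else:
        terms = spf[0].lower().split()[1:]
        # Simplification: a record ending in redirect= is valid but not handled here.
        if "+all" in terms or "all" in terms:  # a bare 'all' defaults to '+all'
            findings.append("SPF: 'all' passes every sender, record protects nothing")
        elif not terms or terms[-1] not in ("-all", "~all"):
            findings.append("SPF: record does not end in -all or ~all")
    dkim = [parse_tags(r) for r in zone.get(f"{selector}._domainkey.{domain}", [])]
    if not dkim:
        findings.append("DKIM: no key record for this selector")
    elif not dkim[0].get("p"):
        findings.append("DKIM: empty p= tag means the key is revoked")
    dmarc = [r for r in zone.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected exactly one record, found {len(dmarc)}")
    else:
        policy = parse_tags(dmarc[0]).get("p", "").lower()
        if policy not in ("none", "quarantine", "reject"):
            findings.append("DMARC: missing or invalid p= policy")
        elif policy == "none":
            findings.append("DMARC: p=none only monitors, failing mail is still accepted")
    return findings

if __name__ == "__main__":
    for line in check_mail_dns(SAMPLE_ZONE, "example.org", "mail") or ["all three records look sane"]:
        print(line)
```

To check a real domain, fill the dictionary with the TXT answers returned by your DNS lookup tool of choice instead of the constructed values.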

Are we done, yet?

Yes, but actually no. Even though my email is not in any spam database, has a perfect deliverability score, and adheres to all the guidelines from major email hosting services like Microsoft Outlook and Gmail, it is still not delivered to these two—and only these two. My email gets delivered to every other self-hosted or independently hosted email except these two services. So something must be fishy here, and I and other legitimately hosted email servers call bullshit.

What does Microsoft say?

So, obviously, it wasn’t only me who was affected by this issue. A lot of people complained on Microsoft forums about this exact same problem. Their emails, many of them very important client emails, are being sent right to spam. This is bad for business (not Microsoft’s, though). Their reply to this issue is to ask their recipients to add them to a trusted sender list or something like that, which is not a real solution but just an ad-hoc fix. This will force most companies and individuals to use Microsoft Outlook or Gmail services to avoid these deliverability issues, which, as I said, is really good for these two companies. You can definitely trust them to nail security, but privacy—not so much. Microsoft also suggests that you submit a request to sender.office.com to unlist your email from their spam services, but my IP was not even listed there.

It is not your fault

If your email is not being delivered, it is not your fault. My theory is that these two companies, since they now have a monopoly on email services, automatically send all new IPs to an invisible filter list, thus forcing companies and individuals to use their own email. But this is just a theory, and I have no way to prove it.