Setting Up a Self-Hosted Mail Server on a VPS
Practical guide to self-hosting email on a VPS: DNS records, rDNS, SPF, DKIM, DMARC, TLS, spam protection, reputation and common risks.
Introduction
Self-hosting email on a VPS gives you control over mailboxes, routing and server configuration, but it also adds serious responsibility. Email is more sensitive than normal website hosting because deliverability depends on DNS, reverse DNS, IP reputation, authentication, spam filtering, abuse prevention and ongoing monitoring.
A mail server can be technically working and still deliver poorly if rDNS is missing, SPF/DKIM/DMARC are incorrect, the IP has a bad reputation, or the server allows abuse. Before self-hosting email, you should understand the requirements and decide whether a dedicated email provider may be safer.
Quick answer
To self-host email on a VPS, you need a stable server hostname, correct reverse DNS, MX records, SPF, DKIM, DMARC, TLS certificates, SMTP and IMAP services, spam filtering, mailbox storage, backups, abuse protection, queue monitoring and clean IP reputation. For many businesses, using Google Workspace, Microsoft 365, Zoho or a transactional provider is easier and safer.
Self-hosted email
A self-hosted mail server is a VPS or server that sends, receives and stores email for your domain.
It usually includes:
- SMTP service for sending and receiving mail
- IMAP/POP3 service for mailbox access
- mailbox storage
- webmail if needed
- spam filtering
- antivirus scanning if used
- TLS certificates
- DNS records
- authentication records
- logs and queues
- user accounts and passwords
Unlike website hosting, email hosting depends heavily on trust. Receiving servers judge your mail based on identity, reputation, authentication and sending behavior.
Should you self-host email?
Self-hosting email is not the best choice for every project.
Self-hosting may make sense when
- you need full control
- you understand server administration
- you can monitor logs and queues
- you can secure SMTP/IMAP access
- you can manage spam and abuse
- you have a clean IP and custom rDNS
- you accept deliverability maintenance
- you need custom routing or internal mail
A hosted email provider may be better when
- business email reliability is critical
- you do not want mail server maintenance
- you need strong spam filtering
- you need easy mailbox management
- you need calendar/contact features
- you want better default deliverability
- you do not control IP reputation
- you do not want to handle abuse
For most small businesses, professional email hosting is usually safer than running a first mail server on a VPS.
Mail server requirements
A self-hosted mail server needs more than just installed software.
- static VPS IP address
- clean IP reputation
- provider allows outbound port 25
- valid server hostname
- reverse DNS / PTR record
- forward DNS for mail hostname
- MX record for domain
- SPF record
- DKIM signing
- DMARC policy
- TLS certificate
- SMTP service
- IMAP/POP3 service
- spam filtering
- secure authentication
- firewall rules
- backups
- monitoring
If outbound port 25 is blocked by your provider, the server may not be able to send mail directly to other mail servers.
Mail server hostname
Choose a stable hostname for the mail server.
Common example: mail.example.com
Good mail identity should include:
- A record: mail.example.com → server IP
- PTR record: server IP → mail.example.com
- server hostname: mail.example.com
- HELO/EHLO: mail.example.com
- MX record pointing to mail.example.com
The hostname should be a real DNS name that resolves correctly, not a random internal hostname.
Reverse DNS and PTR
Reverse DNS maps the sending IP address back to a hostname. For mail servers, this is a basic trust signal.
IP:
192.0.2.10
PTR:
192.0.2.10 → mail.example.com
Forward DNS:
mail.example.com → 192.0.2.10
PTR records are normally controlled by the VPS provider or IP owner. You may need to set the record in the provider panel or request it from support.
Verify reverse DNS for your mail server IP
Use Reverse DNS Checker to confirm the PTR record and forward-confirmed reverse DNS for your VPS mail server.
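The identity rules above (A, PTR, HELO and MX all agreeing on one name) can be checked in one pass. The following is an added example, not code from this guide: the function names are illustrative, the MX host list is passed in by hand (for example from dig example.com MX) because the Python standard library cannot query MX records, and the sample lookup tables are constructed from the example values used on this page.

```python
import socket

def resolve_ptr(ip):
    """PTR name for ip via the system resolver (empty list if none)."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except OSError:
        return []

def resolve_a(host):
    """Addresses that host resolves to (empty set if none)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()

def norm(name):
    return name.rstrip(".").lower()

def check_mail_identity(ip, helo, mx_hosts, ptr=resolve_ptr, a=resolve_a):
    """Return findings; an empty list means A, PTR, HELO and MX agree."""
    findings = []
    ptr_names = [norm(n) for n in ptr(ip)]
    if not ptr_names:
        findings.append("no PTR record")
    else:
        # Forward-confirmed reverse DNS: the PTR name must resolve to the IP.
        if not any(ip in a(n) for n in ptr_names):
            findings.append("PTR name does not resolve back to the IP")
        if norm(helo) not in ptr_names:
            findings.append("HELO name differs from PTR name")
    if ip not in a(helo):
        findings.append("HELO name does not resolve to the IP")
    if norm(helo) not in [norm(m) for m in mx_hosts]:
        findings.append("no MX record points at the HELO name")
    return findings

# Constructed lookup tables standing in for DNS, using the page's example values.
SAMPLE_PTR = {"192.0.2.10": ["mail.example.com."]}
SAMPLE_A = {"mail.example.com": {"192.0.2.10"}}

def sample_ptr(ip):
    return SAMPLE_PTR.get(ip, [])

def sample_a(host):
    return SAMPLE_A.get(norm(host), set())

if __name__ == "__main__":
    print(check_mail_identity("192.0.2.10", "mail.example.com",
                              ["mail.example.com."], sample_ptr, sample_a))
```

Leave out the last two arguments to query the system resolver for a real server instead of the sample tables.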
DNS records for self-hosted email
A mail server needs several DNS records to work correctly.
Mail hostname:
mail.example.com. A 192.0.2.10
MX record:
example.com. MX 10 mail.example.com.
SPF:
example.com. TXT "v=spf1 mx -all"
DKIM:
selector._domainkey.example.com. TXT "v=DKIM1; k=rsa; p=..."
DMARC:
_dmarc.example.com. TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
These are examples only. Real values depend on your mail server software, DKIM selector, sending policy and provider requirements.
SPF, DKIM and DMARC
Email authentication is required for serious mail sending.
SPF
Defines which servers can send mail for the domain.
DKIM
Signs outgoing messages so receivers can verify they were not modified.
DMARC
Defines policy and reporting based on SPF/DKIM alignment.
Start with a monitoring DMARC policy such as p=none while testing. Move toward stricter policies only after SPF and DKIM are working correctly.
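A small linter for the three record types makes the common mistakes visible before mail is sent. This is an added example, not part of the original guide: the function names and finding texts are illustrative, and the input strings are the TXT values as returned by the dig commands, with the page's own SPF and DMARC examples embedded as sample input.

```python
def parse_tags(record):
    """Split a 'k=v; k=v' DKIM/DMARC record into a dict (lowercase keys)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def lint_spf(txt_records):
    """txt_records: every TXT string published at the domain name."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return ["no SPF record" if not spf else "multiple SPF records (permerror)"]
    terms = spf[0].lower().split()[1:]
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls:
        # With redirect= the policy lives in the target record; lint that one.
        has_redirect = any(t.startswith("redirect=") for t in terms)
        return [] if has_redirect else ["no 'all' term: unlisted senders get neutral"]
    if alls[0][0] in "+a":  # '+all' and bare 'all' both mean pass
        return ["'all' passes every sender on the internet"]
    if alls[0][0] == "?":
        return ["'?all' is neutral: unlisted senders are not failed"]
    return []

def lint_dmarc(record):
    if not record.strip().lower().startswith("v=dmarc1"):
        return ["not a DMARC record (must begin with v=DMARC1)"]
    tags, findings = parse_tags(record), []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    elif policy == "none":
        findings.append("p=none is monitoring only")
    if "rua" not in tags:
        findings.append("no rua= address for aggregate reports")
    return findings

def lint_dkim(record):
    if not parse_tags(record).get("p"):
        return ["empty p=: key is revoked or the record is incomplete"]
    return []

# The SPF and DMARC examples from this page, used as sample input.
PAGE_SPF = ["v=spf1 mx -all"]
PAGE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    print(lint_spf(PAGE_SPF), lint_dmarc(PAGE_DMARC))
```

The p=none finding is expected while testing and should disappear once the policy is tightened.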
Common mail server software stack
A self-hosted mail server often uses several components.
- Postfix for SMTP
- Dovecot for IMAP/POP3
- OpenDKIM or Rspamd for DKIM signing
- SpamAssassin or Rspamd for spam filtering
- ClamAV if antivirus scanning is used
- Roundcube or another webmail client
- Fail2Ban for brute-force protection
- Certbot for TLS certificates
Mail server bundles and control panels can simplify setup, but you still need to understand DNS, security and reputation.
Security basics
Mail servers are frequent targets for abuse. Security must be configured from the beginning.
- strong mailbox passwords
- SMTP authentication required
- no open relay
- TLS enabled
- firewall allows only needed ports
- Fail2Ban or equivalent protection
- rate limits for sending
- login attempt protection
- regular updates
- secure webmail
- spam filtering
- abuse monitoring
An open relay can be abused to send spam and quickly destroy your IP reputation.
Important mail ports
25 — SMTP
Server-to-server delivery. Receiving and sending mail between mail servers.
587 — Submission
Authenticated mail submission. Common for mail clients sending authenticated mail.
465 — SMTPS
Encrypted authenticated submission where supported.
993 — IMAPS
Secure mailbox access.
995 — POP3S
Secure POP3 mailbox access if used.
143 — IMAP
Usually STARTTLS or internal use.
110 — POP3
Usually avoided unless needed.
Expose only the ports you actually need and secure authentication carefully.
Why this matters
Self-hosted email matters because mistakes are expensive. A misconfigured mail server can lose messages, reject incoming mail, send outgoing mail to spam, expose mailboxes, become an abuse source or get the server IP blacklisted.
A mail server needs continuous maintenance. It is not a set-and-forget service.
How to check a self-hosted mail server
Use MX Lookup, Reverse DNS Checker and email authentication tools before using the server for real mail.
- MX record — Confirm the domain routes mail to your mail hostname.
- A record — Confirm mail hostname points to the server IP.
- Reverse DNS — Confirm the server IP points back to the mail hostname.
- SPF — Confirm the domain authorizes the mail server.
- DKIM — Confirm outgoing mail is signed.
- DMARC — Confirm the policy exists and reports are configured.
- TLS — Confirm SMTP/IMAP use valid certificates.
- Blacklists — Check whether the IP or domain is listed.
- Open relay — Confirm the server cannot relay unauthenticated mail.
Check MX and mail routing
Use MX Lookup to confirm which mail servers receive email for your domain before or after self-hosted mail setup.
Common problems
No reverse DNS
High: The sending IP does not have a PTR record.
Next step: Ask the VPS provider to set PTR to the mail hostname.
Outbound port 25 blocked
High: The VPS cannot send mail directly to other mail servers.
Next step: Ask the provider about port 25 policy or use a relay/transactional provider.
MX points to wrong host
High: Incoming mail is routed to the wrong server.
Next step: Update MX to the correct mail hostname.
SPF missing or wrong
Medium: Receivers cannot verify that the VPS is authorized to send.
Next step: Publish an SPF record that includes the mail server.
DKIM not signing
Medium: Outgoing messages are not cryptographically signed.
Next step: Configure DKIM signing and publish the selector record.
DMARC missing
Medium: The domain lacks policy and reporting for authentication alignment.
Next step: Add DMARC monitoring record and review reports.
Server is open relay
High: Unauthenticated users can send mail through your server.
Next step: Disable open relay immediately and review mail logs.
IP is blacklisted
High: Receiving servers may reject or spam-folder your messages.
Next step: Stop abuse, secure server, clean queue and request delisting.
Weak mailbox passwords
High: Compromised accounts can send spam.
Next step: Enforce strong passwords and login protection.
No queue monitoring
Medium: Mail can build up silently after delivery failures.
Next step: Monitor mail queue and bounce logs.
How to set up self-hosted email safely
- Step 1: Confirm provider allows mail. Check outbound port 25, PTR/rDNS support and acceptable use policy.
- Step 2: Choose mail hostname. Use a stable hostname such as mail.example.com.
- Step 3: Configure DNS. Set A, MX, SPF, DKIM and DMARC records.
- Step 4: Set reverse DNS. Request PTR from your VPS provider.
- Step 5: Install mail stack. Install and configure SMTP, IMAP, DKIM and spam filtering software.
- Step 6: Enable TLS. Use valid certificates for SMTP, IMAP and webmail.
- Step 7: Secure authentication. Prevent open relay, enforce strong passwords and protect login attempts.
- Step 8: Test delivery. Send and receive test mail, check headers, SPF, DKIM and DMARC.
- Step 9: Monitor reputation. Watch blacklists, bounces, queue and spam placement.
- Step 10: Maintain continuously. Keep software updated, review logs and maintain backups.
Open relay warning
An open relay is a mail server that allows unauthenticated users to send mail through it. This is dangerous.
Consequences:
- spam abuse
- IP blacklisting
- domain reputation damage
- server suspension
- large mail queues
- provider complaints
- deliverability failure
Before using a self-hosted mail server, verify that it does not relay mail for unauthenticated users.
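Mail logs show whether relaying has already happened. The sketch below is an added example, not part of the original guide: it assumes the standard Postfix syslog format, the log lines are constructed samples, and the function name and trusted-address list are illustrative. It pairs each message accepted from an unauthenticated client with a later delivery to a remote server under the same queue ID.

```python
import re

# smtpd logs "QUEUEID: client=host[ip]" when it accepts a message and appends
# sasl_username=... only when the client authenticated.
CLIENT = re.compile(
    r"postfix/(?:\w+/)?smtpd\[\d+\]: (\w+): client=\S+\[([^\]]+)\](.*)")
# Only the smtp client (not local, virtual or lmtp) delivers to remote servers.
SENT = re.compile(r"postfix/smtp\[\d+\]: (\w+): to=<([^>]*)>.*status=sent")

def unauthenticated_relays(lines, trusted=("127.0.0.1", "::1")):
    """Return (queue_id, client_ip, recipient) for mail accepted from an
    unauthenticated, untrusted client and then delivered to a remote server."""
    clients, hits = {}, []
    for line in lines:
        m = CLIENT.search(line)
        if m:
            qid, ip, rest = m.groups()
            clients[qid] = (ip, "sasl_username=" in rest)
            continue
        m = SENT.search(line)
        if m and m.group(1) in clients:
            ip, authenticated = clients[m.group(1)]
            if not authenticated and ip not in trusted:
                hits.append((m.group(1), ip, m.group(2)))
    return hits

# Constructed sample log: one relayed message, one authenticated submission,
# one normal inbound message handed to local delivery.
SAMPLE_LOG = """\
Jan 10 10:00:01 mail postfix/smtpd[1201]: 4F1A22C0D3: client=unknown[203.0.113.7]
Jan 10 10:00:02 mail postfix/smtp[1210]: 4F1A22C0D3: to=<someone@other.test>, relay=mx.other.test[198.51.100.9]:25, delay=1.1, dsn=2.0.0, status=sent (250 ok)
Jan 10 10:05:11 mail postfix/submission/smtpd[1302]: 5A2B33D1E4: client=laptop.example.net[198.51.100.4], sasl_method=PLAIN, sasl_username=alice@example.com
Jan 10 10:05:12 mail postfix/smtp[1311]: 5A2B33D1E4: to=<bob@partner.test>, relay=mx.partner.test[198.51.100.20]:25, delay=0.9, dsn=2.0.0, status=sent (250 ok)
Jan 10 10:09:40 mail postfix/smtpd[1201]: 6C3D44E2F5: client=mx.sender.test[198.51.100.30]
Jan 10 10:09:41 mail postfix/lmtp[1320]: 6C3D44E2F5: to=<alice@example.com>, relay=mail.example.com[private/dovecot-lmtp], delay=0.2, dsn=2.0.0, status=sent (250 2.0.0 ok)
""".splitlines()

if __name__ == "__main__":
    for hit in unauthenticated_relays(SAMPLE_LOG):
        print("possible open relay:", hit)
```

Aliases that forward inbound mail to an external address produce the same pattern, so confirm each hit against your alias and forwarding configuration before treating it as abuse.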
Backups and mailbox storage
Email data can be business-critical.
Back up:
- mailbox data
- user accounts
- aliases
- mail server configuration
- DKIM private keys
- TLS certificates/config
- spam filter settings
- webmail configuration
Losing DKIM private keys or mailbox storage can create recovery and trust issues. Store backups securely and test restore.
Deliverability expectations
A new self-hosted mail server may not deliver perfectly from day one.
Deliverability depends on:
- IP reputation
- domain reputation
- reverse DNS
- SPF/DKIM/DMARC
- sending volume
- complaint rate
- bounce rate
- message content
- recipient engagement
- blacklist status
Start with low sending volume and monitor bounces. Do not send bulk campaigns from a new VPS mail server without a reputation plan.
Useful mail server checks
Check MX:
dig example.com MX
Check mail hostname:
dig mail.example.com A
Check reverse DNS:
dig -x 192.0.2.10
Check SPF:
dig example.com TXT
Check DMARC:
dig _dmarc.example.com TXT
Check DKIM selector:
dig selector._domainkey.example.com TXT
Check SMTP TLS:
openssl s_client -connect mail.example.com:25 -starttls smtp
Check IMAPS TLS:
openssl s_client -connect mail.example.com:993
Check mail queue on Postfix:
mailq
Check Postfix status:
systemctl status postfix
Check Dovecot status:
systemctl status dovecot
Commands are examples. Replace domains, IPs and selectors with your real values. Some commands depend on installed mail software and network policies.
Frequently asked questions
Can I host email on a VPS?
Yes, but it requires DNS, reverse DNS, authentication, spam protection, security and ongoing monitoring.
Is self-hosted email good for beginners?
Usually not as a first server project. It is more complex than hosting a website.
Do I need reverse DNS?
Yes. A proper PTR record is strongly recommended for any VPS sending email.
Can correct DNS guarantee inbox delivery?
No. DNS is required, but reputation, content, sending behavior and recipient systems also matter.
What is an open relay?
An open relay is a mail server that lets unauthenticated users send mail through it. It is dangerous and should be prevented.
Should I send newsletters from my VPS mail server?
Usually no unless you have reputation management, unsubscribe handling, bounce processing and abuse controls.
What is the safer alternative?
Use a dedicated email provider or transactional email service if reliability and deliverability are important.