
Setting Up a Self-Hosted Mail Server on a VPS

Practical guide to self-hosting email on a VPS: DNS records, rDNS, SPF, DKIM, DMARC, TLS, spam protection, reputation and common risks.

By CheckDomainHealth Editorial Team | Reviewed by Dionis Ceban | Updated Jun 28, 2026 | 11 min read | Advanced

Introduction

Self-hosting email on a VPS gives you control over mailboxes, routing and server configuration, but it also adds serious responsibility. Email is more sensitive than normal website hosting because deliverability depends on DNS, reverse DNS, IP reputation, authentication, spam filtering, abuse prevention and ongoing monitoring.

A mail server can be technically working and still deliver poorly if rDNS is missing, SPF/DKIM/DMARC are incorrect, the IP has bad reputation, or the server allows abuse. Before self-hosting email, you should understand the requirements and decide whether a dedicated email provider may be safer.


Quick answer

To self-host email on a VPS, you need a stable server hostname, correct reverse DNS, MX records, SPF, DKIM, DMARC, TLS certificates, SMTP and IMAP services, spam filtering, mailbox storage, backups, abuse protection, queue monitoring and clean IP reputation. For many businesses, using Google Workspace, Microsoft 365, Zoho or a transactional provider is easier and safer.

Self-hosted email

A self-hosted mail server is a VPS or server that sends, receives and stores email for your domain.

It usually includes:

  • SMTP service for sending and receiving mail
  • IMAP/POP3 service for mailbox access
  • mailbox storage
  • webmail if needed
  • spam filtering
  • antivirus scanning if used
  • TLS certificates
  • DNS records
  • authentication records
  • logs and queues
  • user accounts and passwords

Unlike website hosting, email hosting depends heavily on trust. Receiving servers judge your mail based on identity, reputation, authentication and sending behavior.

Should you self-host email?

Self-hosting email is not the best choice for every project.

Self-hosting may make sense when

  • you need full control
  • you understand server administration
  • you can monitor logs and queues
  • you can secure SMTP/IMAP access
  • you can manage spam and abuse
  • you have a clean IP and custom rDNS
  • you accept deliverability maintenance
  • you need custom routing or internal mail

A hosted email provider may be better when

  • business email reliability is critical
  • you do not want mail server maintenance
  • you need strong spam filtering
  • you need easy mailbox management
  • you need calendar/contact features
  • you want better default deliverability
  • you do not control IP reputation
  • you do not want to handle abuse

For most small businesses, professional email hosting is usually safer than running a first mail server on a VPS.

Mail server requirements

A self-hosted mail server needs more than just installed software.

  • static VPS IP address
  • clean IP reputation
  • provider allows outbound port 25
  • valid server hostname
  • reverse DNS / PTR record
  • forward DNS for mail hostname
  • MX record for domain
  • SPF record
  • DKIM signing
  • DMARC policy
  • TLS certificate
  • SMTP service
  • IMAP/POP3 service
  • spam filtering
  • secure authentication
  • firewall rules
  • backups
  • monitoring

If outbound port 25 is blocked by your provider, the server may not be able to send mail directly to other mail servers.

Mail server hostname

Choose a stable hostname for the mail server.

Common example: mail.example.com

Good mail identity should include:

  • A record: mail.example.com → server IP
  • PTR record: server IP → mail.example.com
  • server hostname: mail.example.com
  • HELO/EHLO: mail.example.com
  • MX record pointing to mail.example.com

The hostname should be a real DNS name that resolves correctly, not a random internal hostname.

Reverse DNS and PTR

Reverse DNS maps the sending IP address back to a hostname. For mail servers, this is a basic trust signal.

Good reverse DNS setup

IP: 192.0.2.10
PTR: 192.0.2.10 → mail.example.com
Forward DNS: mail.example.com → 192.0.2.10

PTR records are normally controlled by the VPS provider or IP owner. You may need to set it in the provider panel or request it from support.
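
The identity rules from the hostname and reverse DNS sections can be checked in one pass. The Python below is an added example, not part of the original guide: `check_mail_identity` and the `PTR`/`ADDR` sample zone are hypothetical names, the zone data is constructed from documentation addresses so the check runs offline, and addresses are compared as text (adequate for IPv4).

```python
import socket

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()

def live_ptr(ip):
    """PTR names for an IP via the system resolver (live use)."""
    try:
        primary, aliases, _ = socket.gethostbyaddr(ip)
        return [primary, *aliases]
    except OSError:
        return []

def live_addrs(name):
    """A/AAAA addresses for a name via the system resolver (live use)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []

def check_mail_identity(ip, helo, mx_hosts, ptr_lookup=live_ptr, addr_lookup=live_addrs):
    """Return findings; an empty list means A, PTR, HELO and MX all agree."""
    helo, findings = norm(helo), []
    ptrs = [norm(p) for p in ptr_lookup(ip) or []]
    # Forward-confirm: a PTR name counts only if it resolves back to the same IP.
    confirmed = [p for p in ptrs if ip in (addr_lookup(p) or [])]
    if not ptrs:
        findings.append(f"no PTR record for {ip}")
    elif not confirmed:
        findings.append(f"PTR {ptrs} does not resolve back to {ip}")
    elif helo not in confirmed:
        findings.append(f"HELO {helo} is not a confirmed PTR name {confirmed}")
    if ip not in (addr_lookup(helo) or []):
        findings.append(f"{helo} has no address record for {ip}")
    if helo not in [norm(m) for m in mx_hosts]:
        findings.append(f"no MX record points to {helo}")
    return findings

# Constructed zone data using documentation addresses, so the example runs offline.
PTR = {"192.0.2.10": ["mail.example.com."], "192.0.2.20": ["vps20.provider.example."]}
ADDR = {"mail.example.com": ["192.0.2.10"], "vps20.provider.example": ["192.0.2.20"],
        "mail.example.net": ["192.0.2.20"]}

if __name__ == "__main__":
    print(check_mail_identity("192.0.2.20", "mail.example.net", ["mail.example.net"], PTR.get, ADDR.get))
```

Called without the last two arguments, the function uses the system resolver instead of the sample zone. The second sample IP shows the common VPS case where the provider's default PTR is still in place: it forward-confirms, but it does not match the HELO name.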

Verify reverse DNS for your mail server IP

Use Reverse DNS Checker to confirm the PTR record and forward-confirmed reverse DNS for your VPS mail server.


DNS records for self-hosted email

A mail server needs several DNS records to work correctly.

Self-hosted email DNS examples
Mail hostname:
mail.example.com. A 192.0.2.10

MX record:
example.com. MX 10 mail.example.com.

SPF:
example.com. TXT "v=spf1 mx -all"

DKIM:
selector._domainkey.example.com. TXT "v=DKIM1; k=rsa; p=..."

DMARC:
_dmarc.example.com. TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

These are examples only. Real values depend on your mail server software, DKIM selector, sending policy and provider requirements.

SPF, DKIM and DMARC

Email authentication is required for serious mail sending.

SPF

Defines which servers can send mail for the domain.

DKIM

Signs outgoing messages so receivers can verify they were not modified.

DMARC

Defines policy and reporting based on SPF/DKIM alignment.

Start with a monitoring DMARC policy such as p=none while testing. Move toward stricter policies only after SPF and DKIM are working correctly.
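
Before tightening the DMARC policy, it helps to lint the published SPF and DMARC strings for the mistakes that break evaluation outright. The Python below is an added example, not part of the original guide: `lint_spf` and `lint_dmarc` are hypothetical helper names, and they take TXT strings as you would copy them from `dig` output with the quotes removed.

```python
def lint_spf(txt_records):
    """Findings for the SPF policy among a domain's TXT strings."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:
        return ["no SPF record" if not spf else "multiple SPF records: permerror"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    findings = []
    if not alls and not any(t.startswith("redirect=") for t in terms):
        findings.append("no 'all' or redirect: unlisted senders evaluate to neutral")
    elif alls and alls[0] in ("all", "+all"):
        findings.append("+all authorizes every host to send for the domain")
    elif alls and alls[0] == "?all":
        findings.append("?all leaves unlisted senders neutral")
    if alls and any("=" not in t for t in terms[terms.index(alls[0]) + 1:]):
        findings.append("mechanisms after 'all' are never evaluated")
    # a, mx, ptr, include, exists and redirect each cost a DNS lookup; the limit is 10.
    names = [t.lstrip("+-~?").replace("=", ":").split(":")[0].split("/")[0] for t in terms]
    if sum(n in ("a", "mx", "ptr", "include", "exists", "redirect") for n in names) > 10:
        findings.append("more than 10 DNS-lookup terms: permerror")
    return findings

def lint_dmarc(txt_records):
    """Findings for the TXT strings published at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.replace(" ", "").startswith("v=DMARC1")]
    if len(recs) != 1:
        return ["no DMARC record" if not recs else "multiple DMARC records: none is applied"]
    tags = {}
    for part in recs[0].split(";")[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"missing or invalid p= tag: {policy!r}")
    elif policy == "none":
        findings.append("p=none requests no action on failing mail (monitoring stage)")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports will arrive")
    return findings

if __name__ == "__main__":
    # Constructed records: the guide's examples plus one deliberately broken SPF.
    print(lint_spf(["v=spf1 mx -all"]), lint_spf(["v=spf1 mx +all ip4:192.0.2.10"]))
    print(lint_dmarc(["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]))
```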

Common mail server software stack

A self-hosted mail server often uses several components.

  • Postfix for SMTP
  • Dovecot for IMAP/POP3
  • OpenDKIM or Rspamd for DKIM signing
  • SpamAssassin or Rspamd for spam filtering
  • ClamAV if antivirus scanning is used
  • Roundcube or another webmail client
  • Fail2Ban for brute-force protection
  • Certbot for TLS certificates

Mail server bundles and control panels can simplify setup, but you still need to understand DNS, security and reputation.

Security basics

Mail servers are frequent targets for abuse. Security must be configured from the beginning.

  • strong mailbox passwords
  • SMTP authentication required
  • no open relay
  • TLS enabled
  • firewall allows only needed ports
  • Fail2Ban or equivalent protection
  • rate limits for sending
  • login attempt protection
  • regular updates
  • secure webmail
  • spam filtering
  • abuse monitoring

An open relay can be abused to send spam and quickly destroy your IP reputation.

Important mail ports

25 — SMTP

Server-to-server delivery. Receiving and sending mail between mail servers.

587 — Submission

Authenticated mail submission. Common for mail clients sending authenticated mail.

465 — SMTPS

Encrypted authenticated submission where supported.

993 — IMAPS

Secure mailbox access.

995 — POP3S

Secure POP3 mailbox access if used.

143 — IMAP

Usually STARTTLS or internal use.

110 — POP3

Usually avoided unless needed.

Expose only the ports you actually need and secure authentication carefully.


Why this matters

Self-hosted email matters because mistakes are expensive. A misconfigured mail server can lose messages, reject incoming mail, send outgoing mail to spam, expose mailboxes, become an abuse source or get the server IP blacklisted.

A mail server needs continuous maintenance. It is not a set-and-forget service.

How to check a self-hosted mail server

Use MX Lookup, Reverse DNS Checker and email authentication tools before using the server for real mail.

  1. MX record — Confirm the domain routes mail to your mail hostname.
  2. A record — Confirm the mail hostname points to the server IP.
  3. Reverse DNS — Confirm the server IP points back to the mail hostname.
  4. SPF — Confirm the domain authorizes the mail server.
  5. DKIM — Confirm outgoing mail is signed.
  6. DMARC — Confirm the policy exists and reports are configured.
  7. TLS — Confirm SMTP/IMAP use valid certificates.
  8. Blacklists — Check whether the IP or domain is listed.
  9. Open relay — Confirm the server cannot relay unauthenticated mail.

Check MX and mail routing

Use MX Lookup to confirm which mail servers receive email for your domain before or after self-hosted mail setup.


Common problems

No reverse DNS

High

The sending IP does not have a PTR record.

Next step: Ask the VPS provider to set PTR to the mail hostname.

Outbound port 25 blocked

High

The VPS cannot send mail directly to other mail servers.

Next step: Ask the provider about port 25 policy or use a relay/transactional provider.

MX points to wrong host

High

Incoming mail is routed to the wrong server.

Next step: Update MX to the correct mail hostname.

SPF missing or wrong

Medium

Receivers cannot verify that the VPS is authorized to send.

Next step: Publish an SPF record that includes the mail server.

DKIM not signing

Medium

Outgoing messages are not cryptographically signed.

Next step: Configure DKIM signing and publish the selector record.

DMARC missing

Medium

The domain lacks policy and reporting for authentication alignment.

Next step: Add a DMARC monitoring record and review reports.

Server is open relay

High

Unauthenticated users can send mail through your server.

Next step: Disable open relay immediately and review mail logs.

IP is blacklisted

High

Receiving servers may reject or spam-folder your messages.

Next step: Stop the abuse, secure the server, clean the queue and request delisting.

Weak mailbox passwords

High

Compromised accounts can send spam.

Next step: Enforce strong passwords and login protection.

No queue monitoring

Medium

Mail can build up silently after delivery failures.

Next step: Monitor mail queue and bounce logs.

How to set up self-hosted email safely

  1. Confirm provider allows mail

    Check outbound port 25, PTR/rDNS support and acceptable use policy.

  2. Choose mail hostname

    Use a stable hostname such as mail.example.com.

  3. Configure DNS

    Set A, MX, SPF, DKIM and DMARC records.

  4. Set reverse DNS

    Request PTR from your VPS provider.

  5. Install mail stack

    Install and configure SMTP, IMAP, DKIM and spam filtering software.

  6. Enable TLS

    Use valid certificates for SMTP, IMAP and webmail.

  7. Secure authentication

    Prevent open relay, enforce strong passwords and protect login attempts.

  8. Test delivery

    Send and receive test mail, check headers, SPF, DKIM and DMARC.

  9. Monitor reputation

    Watch blacklists, bounces, queue and spam placement.

  10. Maintain continuously

    Keep software updated, review logs and maintain backups.

Open relay warning

An open relay is a mail server that allows unauthenticated users to send mail through it. This is dangerous.

Consequences:

  • spam abuse
  • IP blacklisting
  • domain reputation damage
  • server suspension
  • large mail queues
  • provider complaints
  • deliverability failure

Before using a self-hosted mail server, verify that it does not relay mail for unauthenticated users.

Backups and mailbox storage

Email data can be business-critical.

Back up:

  • mailbox data
  • user accounts
  • aliases
  • mail server configuration
  • DKIM private keys
  • TLS certificates/config
  • spam filter settings
  • webmail configuration

Losing DKIM private keys or mailbox storage can create recovery and trust issues. Store backups securely and test restores.

Deliverability expectations

A new self-hosted mail server may not deliver perfectly from day one.

Deliverability depends on:

  • IP reputation
  • domain reputation
  • reverse DNS
  • SPF/DKIM/DMARC
  • sending volume
  • complaint rate
  • bounce rate
  • message content
  • recipient engagement
  • blacklist status

Start with low sending volume and monitor bounces. Do not send bulk campaigns from a new VPS mail server without a reputation plan.


Useful mail server checks
Check MX:
dig example.com MX

Check mail hostname:
dig mail.example.com A

Check reverse DNS:
dig -x 192.0.2.10

Check SPF:
dig example.com TXT

Check DMARC:
dig _dmarc.example.com TXT

Check DKIM selector:
dig selector._domainkey.example.com TXT

Check SMTP TLS:
openssl s_client -connect mail.example.com:25 -starttls smtp

Check IMAPS TLS:
openssl s_client -connect mail.example.com:993

Check mail queue on Postfix:
mailq

Check Postfix status:
systemctl status postfix

Check Dovecot status:
systemctl status dovecot

Commands are examples. Replace domains, IPs and selectors with your real values. Some commands depend on installed mail software and network policies.

Frequently asked questions

Can I host email on a VPS?

Yes, but it requires DNS, reverse DNS, authentication, spam protection, security and ongoing monitoring.

Is self-hosted email good for beginners?

Usually not as a first server project. It is more complex than hosting a website.

Do I need reverse DNS?

Yes. A proper PTR record is strongly recommended for any VPS sending email.

Can correct DNS guarantee inbox delivery?

No. DNS is required, but reputation, content, sending behavior and recipient systems also matter.

What is an open relay?

An open relay is a mail server that lets unauthenticated users send mail through it. It is dangerous and should be prevented.

Should I send newsletters from my VPS mail server?

Usually no unless you have reputation management, unsubscribe handling, bounce processing and abuse controls.

What is the safer alternative?

Use a dedicated email provider or transactional email service if reliability and deliverability are important.
