ProtonBlog(new window)
Subscribe by RSS

How to set up a private email server

Ben Wolford(new window)

Share this page

Setting up your own private email server puts your email infrastructure under your control.

This can be great for privacy since it cuts out big email service providers like Gmail and Microsoft Outlook, which can access and misuse your data. On the other hand, if you don’t set up and maintain your email server correctly, you put yourself at serious risk of security or deliverability issues.

There is a third option beyond using Big Tech companies or creating your own email server: Use a privacy-focused email provider. Proton Mail preserves your privacy with end-to-end encryption(new window), while also applying the latest technology to keep your email reliable, fast, and safe from attacks.

We’ll cover some of the alternatives to hosting your own email server toward the bottom of this article. But if you do decide you want to take the DIY path, this article describes the steps to set up a server to give you an overview of everything that’s involved.

What is a private email server?
Advantages
Disadvantages
How to set up a personal email server
Alternatives to setting up a personal email server
How Proton Mail gives you better privacy and reliability
Appendix: Email systems comparison

What is a private email server?

A private email server is a system of computer hardware and software for sending, receiving, and storing emails operated by an individual. The “private” in “private email server,” simply refers to the fact that you own it. You can buy email server hardware and software at any number of tech stores. In a later section, we’ll cover the option of renting server space.

If it’s just for your personal use, your email server only needs a small amount of RAM and 20 GB of storage. This means you could even use a dedicated laptop if you don’t want to pay for more advanced hardware.

Advantages of setting up a private email server

There are advantages to setting up your own private email server.

  • The major advantage is that you bypass the big email service providers like Gmail(new window) and Microsoft Outlook. That means you protect your email data from being mined for ad targeting, training AI, or any other uses Big Tech companies decide they want to try down the road. You also cut out the risk that they will give your email data to government agencies or any other third parties.
  • There are other advantages apart from protecting your data from Big Tech. By setting up your own private email server, you can tightly control and limit the network the server is connected to, decreasing your attack surface.
  • You can also encrypt the entire device in case someone physically seizes it.

Disadvantages of setting up a private email server

There are significant disadvantages to setting up your own private email server.

  • First, it requires a certain level of technical knowledge. If you don’t already know how to configure servers and secure them, you’ll need to invest a significant amount of time to learn from trusted sources. There are many how-to sites on the internet that do not have your best interests at heart or simply get things wrong.
  • Second, setting up your own secure mail server(new window) takes dedication and ongoing work. You need to stay up to date on the latest threats, security advisories, and any available patches. You need to monitor your server for hardware and software problems that could result in data loss or less than 100% uptime.
  • Third, if your server malfunctions or needs to be repaired, you will temporarily, or maybe even permanently lose access to your emails. While relying on only one server may reduce the target area for attacks, it does increase the likelihood and impact of infrastructure failure. Even if you have a backup server, you can run into major trouble.
  • Fourth, email deliverability will depend on the uptime of your ISP and network connection to them. Lose internet connectivity for a week due to a bad storm? You will almost certainly lose some emails forever in this situation. Many ISPs also block outgoing traffic on port 25 for residential customers as a spam-prevention measure. This port is used to send outgoing email via SMTP, and without it you will not be able to host a residential email server at all.
  • Fifth, you will have to allow the entire internet to connect to your mail server on port 25 (the default SMTP port) if you want to receive email from everyone. This opens up a host of security risks to your server but also to your home network in general. Enabling mobile email access from your phone will require opening yet more ports to the outside world. If you are not very familiar with firewalls this can severely compromise your home network’s security and that of any attached devices.
  • Sixth, both IP and domain reputation matter for email deliverability. And IP reputation in particular is difficult to build with low e-mail volume and for known residential IP ranges. Much of your outgoing email may go to spam, at least initially, or be rejected outright.
  • And finally, having a private email server in your own home may not be the safest physical location for it. While you may have more control over it physically, storing it in a residence introduces new risks, including theft, fire, flooding, curious pets, and rowdy kids.

How to set up a personal email server

Below are the broad steps for how to host your own email server. You should make a detailed plan for each step before you start the project. 

Buy hardware

As you begin to consider your hardware purchases, you will first need to gather some information. This includes:

  • Use case: How many people do you expect to use your email server, and do you plan to grow?
  • Required availability: Do you need one server or more than one? Do you need a single power supply or multiple?
  • Hosting requirements: What kind of server do you need? How many uplinks will be provided and at what speed? Which network card and how many?
  • Budget: Owning your own hardware also introduces the possibility of replacements and repairs. If you need new hardware, you might need to factor in extended email downtime. Replacing equipment can cost hundreds or thousands of dollars per incident.

Keep in mind that your hardware will need to be compatible with your operating system. Most email servers run on Linux, and a smaller proportion run on Windows. 

Get a static IP address with unblocked SMTP ports

You cannot use a regular residential IP address for your email server. These are typically blacklisted from other email servers to create a kind of firewall from infected home computers spewing viruses.

Contact your internet service provider to purchase a plan that comes with a static, public IP address that is not blacklisted. Make sure the IP address comes with unblocked SMTP ports, since those are the ports you need to run an email server.

Purchase and set up a domain

Go to a site that sells domains and pick out one you like. Your custom email domain(new window) is what appears at the end of your email address (unless you use a proxy) so choose carefully. Your email address will look something like hello@exampledomain.com.

Once you have purchased the domain, if you do not want your personal data to be available on the public register database, you can use a privacy protection service. Most sites that sell domains offer this service. They will put their information in the public registrar as a proxy for yours.

Next, you need to activate a DNS service. Most sites that sell domains also offer DNS service, but you might want to set this up through a separate provider to prevent a single hack bringing down both your domain and DNS. Once you have a DNS provider, fill in the DNS fields for your domain: A, MX, and TXT records. (Your PTR records are associated with your IP address and can be managed elsewhere.) Be sure to add SPF, DKIM, and DMARC records in a TXT record field to prevent email spoofing(new window).

Obtain a TLS certificate

The TLS certificate(new window) is what allows you to encrypt your emails as they are transferred over the internet. This certificate cannot be self-signed. If it is, other email servers will reject emails coming from yours. You must get a valid TLS certificate from a Certificate Authority such as Let’s Encrypt and monitor that it remains valid over time.

Choose email server software

Now that you have the network basics set up, it’s time to pick the email server software you want to use.

There are three general roles of email server software: Mail User Agent (MUA), Mail Delivery Agent (MDA), and Mail Transfer Agent (MTA). Some software packages handle all three roles, some software packages cover parts of different roles, and some software packages only provide a few of the services included in one role. It is up to you to mix and match your email server software, depending on what fits your needs best.

Mail User Agent (MUA)

A Mail User Agent is the software that provides the user interface for emails. It is also called an email client or an email reader. Examples include Thunderbird, Airmail, and Outlook. The mail user agent can be a device-based application and/or a web-based application.

Depending on the software you choose, you will need to configure it based on your needs. Pay special attention to privacy and security configurations, as well as compatibility requirements from the MUA.

Mail Delivery Agent (MDA)

A Mail Delivery Agent, or the message delivery agent, is what delivers the email message into a local inbox. Typically you can configure it to use the POP protocol or the IMAP protocol(new window) for fetching emails. IMAP is usually preferred because it allows managing and organizing a single mailbox from multiple devices.

If your private email server has very limited storage, you may want to opt for POP since it takes up less space (the emails are stored on the MUA on the user’s device rather than on the server).

Examples of software that cover the Mail Delivery Agent role include Dovecot, Qpopper, Courier, and Cyrus IMAP.

Mail Transfer Agent (MTA)

A Mail Transfer Agent sends emails out using SMTP (Simple Mail Transfer Protocol). When you are configuring your SMTP parameters, consider limiting your banner so you are not broadcasting details about your system or identification.

As you set up your MTA, make sure DKIM, SPF, and DMARC records are configured correctly in DNS and that for DKIM the corresponding keys are installed correctly in your MTA. You may have to go back to your DNS settings to manually update the TXT fields with the data created by your software’s DKIM, SPF, and DMARC functions. This is critical to making sure your outgoing emails are not rejected as spam by recipient programs.

For incoming mail, you will need to set your MTA configuration to check for DKIM, SPF, and DMARC from senders or set thresholds to rank incoming mail.

Examples of software that cover the Mail Transfer Agent role include Postfix and Exim.

Install spam filter and virus protection

If none of your email server software comes with a spam filter or virus protection, you need to add those to your email server.

Examples of spam filters are programs like SpamAssassin or Rspamd.

For an example of a virus protection program, you can check out ClamAV.

Alternatives to setting up a private email server

If the above sounds too involved for you, there are some alternatives to setting up a personal email server that require far less technical expertise and investment.

Renting from a hosting provider

You can rent a private email server from a hosting provider. This does not mean you rent the hardware to bring home. You rent the use of a server, often located in a warehouse full of stacks of servers. If you can (although often you are not given this level of transparency), make sure to pick a hosting provider that has strong physical security at its warehouse and is in a country with good privacy laws.

The benefit of renting an email server is that it can eliminate some of the work on your end. For example, it is likely that the server provider already has a business-level IP address and unblocked ports ready to go for your email server.  

If you’re renting from a full-service hosting provider, they can do all the setup and maintenance for you, across the board.

One downside to all this, of course, is that you lose some control. For example, if a problem comes up with your email server’s IP address, you will not be able to address it with the internet service provider; only the server provider who owns the ISP account will be able to do that.

The biggest downside, though, is that most hosting providers do not provide end-to-end encryption(new window) of your emails. Like a landlord, the hosting provider gives you a lock, but they keep a copy of the key. This presents a similar disadvantage as using Big Tech email service providers.

Using a secure email provider

If you want to leave all the technical implementation to experts while also having your email data encrypted on servers at all times, the best alternative is an end-to-end encrypted email provider. There are well-established options, including Tuta (formerly Tutanota) and Proton Mail(new window), the world’s largest encrypted email provider with over 100 million accounts.

With end-to-end encryption, your emails are secured using your recipient’s public key(new window) on your device itself, before anything is even uploaded to an email server. This means no one else (other than your recipient) has access to your data at any point, including your email provider. Even if there were a data breach or the government legally forces the provider to turn over data, all they will see is cryptotext that they cannot decipher.

How Proton Mail gives you better privacy and reliability

Proton Mail is the largest encrypted email provider in the world. When we launched Proton Mail in 2014, we set out to solve many of the problems email self hosting attempts to address: data ownership, privacy, and freedom from Big Tech surveillance.

Specifically, Proton Mail offers a unique combination of benefits you can’t get by self hosting or using any other email provider:

  • End-to-end encryption — As discussed above, Proton Mail encrypts your data on your device before sending it to our servers, so we can’t see your messages or attachments.
  • Zero-access encryption — When someone emails you from a non-private email server, such as Gmail, we encrypt the message immediately using your public key, so only you can decrypt it. Learn more about zero-access encryption.(new window)
  • Swiss privacyProton is based in Switzerland(new window), so your data is protected by some of the world’s strongest privacy laws. We are not subject to US or EU legal jurisdiction.
  • Reliability — Our service level agreement(new window) (SLA) guarantees 99.95% uptime, which is among the best available. Additionally, we create multiple backups of your files in geographically separated data centers, so even if there were a natural disaster, you will not lose any data.
  • Customer support — As a member of the Proton Mail community, you not only get guaranteed uptime you also get our award-winning support team that can help you with any problems. One of the biggest drawbacks of hosting your own email server is maintenance; with Proton Mail, our team takes care of everything for you.
  • Advanced security — Proton Mail uses many layers of security to protect your inbox, starting with your account security all the way to the physical security of the servers we own and operate. Your Proton Account comes with multiple tools to defend against hackers, and we’ve implemented state-of-the-art encryption techniques, such as elliptic curve cryptography. Learn more about Proton Mail security.(new window)
  • Transparency — Unlike many Big Tech email providers, all our code is open source(new window) and independently audited by security experts. As scientists, we believe in transparency and peer review.

Finally, Proton is community-supported. We make money from subscriptions, not advertising, so our only obligation is to protect your data and provide you with high-quality service. As over 100 million people have created Proton Accounts, we have expanded our services to include calendar, cloud storage, VPN, and password manager — all part of our mission to create an internet where privacy is the default.

It’s free to sign up and start using all these services, and it only takes a few seconds. Create an account to get started.

Appendix: Email systems comparison

Below are three diagrams illustrating the way data is handled in different email systems. The first shows how Big Tech companies easily access your data. The second shows Proton Mail’s implementation, which encrypts email messages locally before sending them to the server. And the third depicts a typical private email server setup, which preserves privacy at the expense of security because emails are not end-to-end encrypted by default.

Big TechPrivate email serverRenting from hosting providerProton Mail
Protects your data from AI, targeted ads, and other data harvestingNoYesYesYes
Uses end-to-end encryptionNoNoNoYes
Has extensive server infrastructure to guarantee up timeYesNoNoYes
Hardware is included and ready to useYesNoYesYes
Keeps software up to date, including security updatesYesNoMaybeYes
You must purchase and set up domainNoYesYesNo*
Non-residential IP address and open ports includedYesNoYesYes
Free to useYesNoNoYes

*Proton Mail offers support for custom email domains

Secure your emails, protect your privacy
Get Proton Mail free

Related articles

Secure, seamless communication is the foundation of every business. As more organizations secure their data with Proton, we’ve dramatically expanded our ecosystem with new products and services, from our password manager to Dark Web Monitoring for cr
what is a brute force attack
On the subject of cybersecurity, one term that often comes up is brute force attack. A brute force attack is any attack that doesn’t rely on finesse, but instead uses raw computing power to crack security or even the underlying encryption. In this a
Section 702 of the Foreign Intelligence Surveillance Act has become notorious as the legal justification allowing federal agencies like the NSA, CIA, and FBI to perform warrantless wiretaps, which sweep up the data of hundreds of thousands of US citi
In response to the growing number of data breaches, Proton Mail offers a feature to paid subscribers called Dark Web Monitoring. Our system checks if your credentials or other data have been leaked to illegal marketplaces and alerts you if so. Often
Your email address is your online identity, and you share it whenever you create a new account for an online service. While this offers convenience, it also leaves your identity exposed if hackers manage to breach the services you use. Data breaches
proton pass f-droid
Our mission at Proton is to help usher in an internet that protects your privacy by default, secures your data, and gives you the freedom of choice. Today we’re taking another step in this direction with the launch of our open source password manage