
Self-Hosted Email: SPF, DKIM, DMARC, and PTR Setup

Running your own mail server is harder than it used to be. ISPs block port 25, major providers require PTR records, and DMARC is now mandatory for reliable delivery. This guide covers everything self-hosters need to configure.


Self-hosting mail in 2026 means fighting port blocks, IP reputation, and mandatory authentication. This guide covers provider choice, PTR, SPF, DKIM, DMARC, warm-up, and monitoring. See PTR, rDNS, and deliverability.

Why self-hosted email is hard in 2026

Residential ISPs and many cloud providers block outbound port 25. Large receivers require aligned SPF/DKIM/DMARC and often a sane PTR record. New IPs have no reputation, so warm-up is mandatory. Expect to spend engineering time on TLS, queues, and blocklists.

Choosing a hosting provider

You need outbound SMTP allowed (or a smart host to relay through), the ability to set PTR for your IP, and ideally clean IP space. Common VPS providers allow port 25 subject to their policy; hyperscalers often require unblock tickets. Verify before you build.

PTR record — the first thing to set

Ask your provider for reverse DNS pointing to your mail hostname (e.g. mail.example.com). Create matching A/AAAA records for that hostname. A PTR mismatch leads to spam-foldering or rejection. See also: PTR DNS.

SPF for self-hosted

List your sending IP with ip4:/ip6: mechanisms and add any ESP relays you send through. Publish a single SPF record. See also: SPF guide.

DKIM for Postfix/Exim/Dovecot

Generate 2048-bit keys, configure OpenDKIM/rspamd, and publish the selector TXT record. Test with swaks or mail clients. Verify that the received headers show dkim=pass.

DMARC for self-hosted

Publish p=none with rua=, align sending domains, then tighten the policy. The process is the same as for hosted mail. See also: DMARC guide.
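An offline check of the requirements in the PTR, SPF and DMARC sections above, added here as an example and not taken from any tool this guide mentions. The DNS answers are constructed samples, the function names are hypothetical, and the SPF check only inspects ip4:/ip6: terms (it does not resolve include:, a or mx).

```python
import ipaddress

def fcrdns_ok(ip, ptr_names, forward):
    """True if some PTR name has an A/AAAA record pointing back at ip."""
    ip = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(a) == ip for n in ptr_names
               for a in forward.get(n.rstrip(".").lower(), []))

def spf_covers(txts, ip):
    """(ok, reason): exactly one v=spf1 record, ip inside an ip4:/ip6: term."""
    spf = [t for t in txts if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return False, f"expected 1 SPF record, found {len(spf)}"
    ip = ipaddress.ip_address(ip)
    for term in spf[0].split()[1:]:
        mech = term.lstrip("+").lower()
        if mech[:4] in ("ip4:", "ip6:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return True, f"covered by {mech}"
    return False, "sending IP not in any ip4:/ip6: mechanism"

def dmarc_policy(txts):
    """p= value of the single v=DMARC1 record, or None if missing/duplicated."""
    recs = [t for t in txts if t.replace(" ", "").lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return None
    tags = dict(part.split("=", 1) for part in recs[0].split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in tags.items()}.get("p")

def preflight(zone):
    """Findings for one snapshot of DNS answers (empty list means all passed)."""
    findings = []
    if not fcrdns_ok(zone["ip"], zone["ptr"], zone["forward"]):
        findings.append("PTR mismatch")
    ok, reason = spf_covers(zone["spf_txt"], zone["ip"])
    if not ok:
        findings.append("SPF: " + reason)
    if dmarc_policy(zone["dmarc_txt"]) is None:
        findings.append("DMARC: no single valid record")
    return findings

# Constructed sample answers (documentation IP ranges and example.com names).
GOOD = {"ip": "203.0.113.25", "ptr": ["mail.example.com."],
        "forward": {"mail.example.com": ["203.0.113.25"]},
        "spf_txt": ["v=spf1 ip4:203.0.113.25 -all"],
        "dmarc_txt": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]}
BAD = dict(GOOD, ptr=["static-25.vps.example.net."], dmarc_txt=[],
           spf_txt=["v=spf1 ip4:198.51.100.0/24 -all", "v=spf1 mx -all"])

if __name__ == "__main__":
    print(preflight(GOOD), preflight(BAD))
```

The BAD snapshot shows three failures at once: a provider-default PTR name with no forward record, two SPF records on one domain, and no DMARC record.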

IP warm-up

Start with low daily volume, increase gradually, watch bounces and spam folder rates. Takes weeks. Patience beats throttling.

Ongoing monitoring

Check blocklists, DMARC reports, and TLS certificate expiry. Errors to watch for: PTR mismatch, blacklisted IP. Use DNS Preflight for DNS-side checks.

Queue monitoring matters: deferred mail that expires hurts reputation. Bounce handling matters: repeated sends to bad addresses flag you as negligent. Self-hosted operators wear SPF, DKIM, DMARC, and deliverability engineering hats — budget time accordingly.

Cross-reference SPF, DKIM, and DMARC guides when upgrading stack components; one Postfix update can change signing defaults.


Step by step

Step 1: Without port 25 or a relay, you are blocked before DNS matters.
Step 2: A PTR mismatch is an instant spam signal.
Step 3: Include smart hosts if you relay outbound.
Step 4: 2048-bit keys and documented selectors reduce surprises.
Step 5: Same DMARC story as hosted mail; start monitoring.
Step 6: Increase volume only when bounces and complaints stay low.

FAQ

What do I need for self-hosted email to reach inboxes?

PTR record, SPF, DKIM, DMARC, and a clean sending IP. Miss any one and email lands in spam or gets rejected.

Which VPS providers allow port 25 for mail servers?

Hetzner, DigitalOcean, Vultr, and Linode generally allow port 25. AWS and Google Cloud block it by default and require a request to unblock it.

How do I set up a PTR record for my mail server?

In your hosting provider's control panel under Reverse DNS. Set it to your mail hostname and add a matching A record.

How do I warm up a new IP?

Start with 50-100 emails/day. Double every few days if bounce rates stay low. Takes 2-4 weeks to build reputation.

How do I monitor my self-hosted mail server's reputation?

Run DNS Preflight with your server's IP. It checks PTR, blocklists, SPF, DKIM, and DMARC in one pass.