This is coming from a general perspective of wanting more privacy and seeing news of Mozilla creating an email service “which will definitely not train AI on your email”. Sure Mozilla, whatever you say.
Rant aside, here’s my question: is it possible to store all of your email on your own infrastructure (VPS or even NAS at home) and simply using an encrypted relay to send emails out to the public internet? My idea is that this removes the problems of keeping your IP whitelisted from the consumer, but the email provider doesn’t actually hold your emails. This means your emails remain completely in your control, but you don’t have to worry about not being able to send emails to other people as long as your storage backend is alive.
I don’t know much about email to comment on what this would take. I think something similar is already possible with an SMTP relay from most email providers, but the problem is that my email also resides on their servers. I don’t like that. I want my email to live on my servers alone.
Do you think this is possible? Does any company already do this?
Thanks
I feel like most commenters here haven’t understood what you’re proposing.
I’ve thought about doing this, I’ve seen other commenters say they’re doing it. It’s not a terrible idea. I haven’t done it myself because … it’s just not a priority and I’m not sure it ever will be. Anyway …
If you’re willing to set up and self host your own email stack like mail-in-a-box or whatever, then configuring a separate outbound SMTP server is fairly trivial in comparisson.
If you already had your own stack set up to be self hosted you would ordinarily be using the SMTP server there-with to send emails.
Firstly configure your client to use whatever other SMTP server you have access to. I think it’s possible to use mailgun or one of those API transactional senders. You could get a cheap plan with mxroute or any other email host and just use the SMTP server.
Suppose your client is Thunderbird and you set up your account like smtp.mxroute.com for outbound and imap.myserver.com for email storage. When you send an email tbird transmits it through mxroute and then stores it on your imap server at myserver.com in your sent folder.
The potentially complex part is configuring spf & DKIM records on your domain.
SPF
I’m not sure if I’ll be able to explain this clearly but… suppose a recipient’s spam service receives an email purportedly from [email protected] but transmitted by smtp.mxroute.com. That spam service will look up the DNS records for myserver.com and inspect the records for the spf record. This record pretty much lists which servers are authorised to transmit email from addresses ending in myserver.com. So with a more typical set up an spf record might be:
“v=spf1 include:myserver.com -all”
This would indicate that only the smtp server at myserver.com can transmit email from your domain.
You would edit that to include the mxroute smtp server like this:
“v=spf1 include:mxroute.com include:myserver.com -all”
This way, recipients can confirm that the owner of myserver.com domain has formally designated mxroute as an authorised recipient.
DKIM
Your SMTP server will have a public & private key pair which it uses to sign outbound messages. Recipients can use the public key to confirm the signature and thereby confirm that the message has not been altered in flight.
Whatever SMTP server you use will tell you the public key and instruct you to add that to the DNS records of your custom domain.
That’s the one that looks like this:
“v=DKIM1; k=rsa; p=MIIBIj [ … it’s a long key … ] op3Nbzgv35kzrPQme+uhtVcJP”
Once this is in place recipients of your emails can query the DNS for myserver.com and find this public key, and use it to confirm that the signature on the email they received is authentic.
Amazing comment. Saved. Thank you so much.
Indeed, I have thought about hosting my own email, but the problem of dealing with IP blacklists made it seem not worth it.
Thank you so much for the explanation on DKIM and SPF. It makes sense to me now, indeed I didn’t really have a clue about either of these before I read your comment. Thank you for breaking it down.
Only thing I can comment on is that 99% of all E-Mails you will get are unencrypted and can be read by your relay. (There are few e2e encrypted emails being send.)
So either trust them or don’t use a relay.
Not true that most incoming email will plaintext. It’s the opposite:
“Most of today’s email services, including Gmail, employ transport layer security (TLS) to protect emails in transit”
Ref: https://umatechnology.org/gmails-new-encryption-can-make-email-safer-heres-why-you-should-use-it/
Sorry are not emails like https protected in transit in 2025? I mean equivalent http to https but in email transport. How is this still a thing? Why nobody is concerned. Is this not a problem?
Communication between the email servers is normally encrypted with TLS. The email files themselves are rarely encrypted. Most providers that do encryption of email are using local server managed encryption, so the email providers would still be able to access it.
For proper end to end protection you would want to setup PGP between you and your recipients, and encrypt the email before its sent.
But like in 2025 there is still no mechanism to do true end to end without manually setting up pgp? Meaning when i browse using https i do not need to think or anything. It happens automagically. But with emails, where do i even start with pgp when i use gmail via email client like thunderbird
Https give you encryption in transit. The files you view will be accesible to the host.
Same idea with email.
Yeah, in 2025 doing encrypted email is a painful process. Every option is a hack on top of a 43 year old protocol.
Here is a howto from Mozilla on pgp with Thunderbird. It isn’t a pleasant process.
https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq
This 100%. It is well-advised to consider what your security/privacy objectives are, since encryption-at-rest is different than guarding against eavesdropping when sending outbound mail. What threat model you use will define what is or isn’t acceptable.
Yes it exists, but these services are aimed at companies.
I previously looked into doing exactly this, and recall this comment on HN: https://news.ycombinator.com/item?id=31245923
One could argue the price of smtp2go at $150/yr is a bit steep, but it would also neatly avoid issues with sending outbound mail, since you’re paying them to deal with those headaches. For inbound mail, I can’t see why any mail operator wouldn’t deliver to the server designated by your MX records, though you’ll also have to deal with spam and other concerns vis-a-vis self hosting.
On the same thread but different comment, VPS operators might already run an SMTP server that you can relay through.
I wish you good luck in this endeavor!