Running Your Own Email Server in 2026
Everyone says don’t self-host email. They’re mostly right. But sometimes you need mailboxes across half a dozen domains, you want full control, and you’re willing to spend an afternoon getting DNS records exactly right.
We run Mailcow — a Dockerized mail server stack with Postfix, Dovecot, rspamd, and a web UI. It handles mail for multiple domains, each with its own set of mailboxes.
The multi-domain setup
One Mailcow instance serves all domains. Each domain gets its own set of DNS records:
- MX pointing to the mail subdomain
- SPF (v=spf1 mx -all) — “only my MX server sends mail for this domain”
- DKIM — RSA key per domain, published as a TXT record
- DMARC — policy record telling receivers what to do with failures
Getting any one of these wrong doesn’t break email immediately — it breaks it selectively. Gmail might accept your mail while Outlook rejects it. Or everything works for a week until a receiver updates their policy enforcement. Email deliverability is a game of invisible rules.
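Because a wrong record fails selectively rather than loudly, it helps to audit every domain's record set the same way. The following is an added example, not part of the original setup or of Mailcow: it checks the four records listed above against already-fetched DNS answers. The domain names, the mail host, the sample records and the DKIM selector name "dkim" are assumptions.

```python
def parse_tags(txt):
    """Parse the 'tag=value; tag=value' syntax used by DKIM and DMARC TXT records."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_domain(domain, mail_host, records, selector="dkim"):
    """Check MX, SPF, DKIM and DMARC for one domain; an empty list means all pass.
    records maps (name, rrtype) -> list of record values, as a resolver returns them.
    selector="dkim" is an assumption; use the selector your server signs with.
    """
    findings = []
    mx = [h.rstrip(".").lower() for h in records.get((domain, "MX"), [])]
    if mail_host.lower() not in mx:
        findings.append("MX does not point to " + mail_host)
    # More than one v=spf1 record is a permanent SPF error, so count them.
    spf = [t for t in records.get((domain, "TXT"), []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append("expected exactly one SPF record, found %d" % len(spf))
    else:
        terms = spf[0].lower().split()
        if "mx" not in terms:
            findings.append("SPF lacks the mx mechanism")
        if terms[-1] != "-all":
            findings.append("SPF does not end in -all")
    dkim = records.get((selector + "._domainkey." + domain, "TXT")) or [""]
    if not parse_tags(dkim[0]).get("p"):
        findings.append("DKIM key missing or empty p=")
    dmarc = [t for t in records.get(("_dmarc." + domain, "TXT"), []) if t.startswith("v=DMARC1")]
    policy = parse_tags(dmarc[0]).get("p", "").lower() if len(dmarc) == 1 else ""
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC record missing, duplicated, or lacking a valid p=")
    return findings

# Constructed sample data, not real DNS: example.org is correct, example.net has two faults.
SAMPLE = {
    ("example.org", "MX"): ["mail.example.org."],
    ("example.org", "TXT"): ["v=spf1 mx -all"],
    ("dkim._domainkey.example.org", "TXT"): ["v=DKIM1; k=rsa; p=PLACEHOLDERKEY"],
    ("_dmarc.example.org", "TXT"): ["v=DMARC1; p=quarantine"],
    ("example.net", "MX"): ["mail.example.org."],
    ("example.net", "TXT"): ["v=spf1 mx ~all"],
    ("dkim._domainkey.example.net", "TXT"): ["v=DKIM1; k=rsa; p="],
    ("_dmarc.example.net", "TXT"): ["v=DMARC1; p=reject"],
}

if __name__ == "__main__":
    for d in ("example.org", "example.net"):
        print(d, audit_domain(d, "mail.example.org", SAMPLE) or "OK")
```

To run it against live DNS, fill the records mapping from your resolver of choice and keep the checks unchanged.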
The forwarding architecture
Every mailbox forwards to a single external address via Sieve scripts. The key detail: using redirect with the :copy tag instead of a plain redirect. The difference matters:
- redirect forwards and deletes the local copy
- redirect :copy forwards and keeps the local copy
We want both — the convenience of a unified inbox with the safety of a local archive. The Sieve scripts live in a specific directory inside the Dovecot container (not in the per-mailbox directory, which is a common mistake), and they need to be compiled after editing.
The port dance
Mailcow wants ports 80 and 443 for its web UI and ACME certificate management. But Traefik already owns those ports. The solution: bind Mailcow’s HTTP ports to localhost on non-standard ports, then use a Traefik dynamic config to reverse-proxy the mail subdomain to Mailcow’s internal HTTPS port.
Traefik handles TLS termination for the web UI, while Mailcow handles its own TLS for SMTP (ports 25, 587, 465) and IMAP (port 993) — those go directly to Mailcow, not through Traefik.
What I’ve learned
Email is the one service where the infrastructure around it matters more than the service itself. Mailcow works fine out of the box. The hard part is:
- DNS records that satisfy every major provider’s validation
- Reverse DNS (PTR) records matching your mail hostname
- IP reputation — if your IP has a bad history, you’re starting in a hole
- Keeping your server off blacklists (which means keeping it secure)
The operational overhead isn’t the server software. It’s the ongoing vigilance of monitoring bounces, checking blacklist status, and adjusting when providers change their rules.
Would I recommend self-hosting email? Only if you need multi-domain control and you’re comfortable with DNS. For a single domain with a few users, a hosted provider is less headache. But for a constellation of domains that all need to send transactional mail? Self-hosting earns its keep.