Email is getting harder to self-host. Or is it?

By on 10 Apr 2024

Category: Tech matters


A post recently featured on Hacker News (HN) discusses the modern dilemma of implementing anti-spam control features in self-hosted email. It refers to XOMedia’s article titled ‘A Deep Dive into Email Deliverability in 2024’, which explores the application of three email-securing features: SPF, DKIM and DMARC.

This post is particularly relevant now as Google, Yahoo, and Outlook (Microsoft) have recently disclosed their plans to enforce stricter compliance standards on self-hosted email implementers starting in the second quarter of this year. Implementation of these measures has likely already begun, indicating a tightening of regulations in this domain.

The discussion at HN got a bit fractious over a fundamental point: creating the three distinct DNS values required to denote compliance with SPF, DKIM, and DMARC isn’t actually that hard, nor is applying the sender-side behaviours that implement them. Free software solutions can be found for every bit of this, including email-in-a-box solutions, with support.
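The three DNS values are TXT records: SPF at the domain itself, DKIM at `<selector>._domainkey`, and DMARC at `_dmarc`. As an added example (not code from this post or from XOMedia's article), the Python below lints one record of each kind for the mistakes that most often make a receiver ignore them. The function names are hypothetical, and the records are constructed samples for example.org with a truncated placeholder key.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_tags(txt):
    """Parse the 'tag=value; tag=value' syntax used by DKIM and DMARC records."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(txt):
    problems, terms = [], txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record must start with v=spf1"]
    names = [re.split(r"[:/=]", t.lstrip("+-~?").lower(), maxsplit=1)[0] for t in terms[1:]]
    # RFC 7208 allows at most 10 terms that trigger DNS lookups.
    if sum(n in LOOKUP_TERMS for n in names) > 10:
        problems.append("SPF: more than 10 DNS-lookup terms")
    alls = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not alls and "redirect" not in names:
        problems.append("SPF: no 'all' mechanism or redirect")
    elif alls and alls[-1][0] not in "-~":
        problems.append("SPF: 'all' does not fail or softfail unlisted senders")
    return problems

def check_dkim(txt):
    # An empty p= is how a key is revoked, so receivers treat it as no key.
    if not parse_tags(txt).get("p"):
        return ["DKIM: p= public key missing or empty"]
    return []

def check_dmarc(txt):
    tags, problems = parse_tags(txt), []
    if not txt.strip().startswith("v=DMARC1"):
        problems.append("DMARC: record must start with v=DMARC1")
    if tags.get("p") not in {"none", "quarantine", "reject"}:
        problems.append("DMARC: p= must be none, quarantine or reject")
    return problems

def lint(records):
    return check_spf(records["spf"]) + check_dkim(records["dkim"]) + check_dmarc(records["dmarc"])

# Constructed sample records for example.org (not taken from the article).
GOOD = {
    "spf": "v=spf1 mx ip4:192.0.2.25 -all",
    "dkim": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A",
    "dmarc": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.org",
}
BAD = dict(GOOD, spf="v=spf1 mx +all", dmarc="v=DMARC1; p=block")
```

`lint(GOOD)` returns an empty list, while `lint(BAD)` reports the permissive `+all` and the invalid DMARC policy. A clean result only covers syntax; it says nothing about the reputation of the sending IP range.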

The issue may actually be that the behaviour of other ‘tenants’ of the IP address ranges routed to host the services can cause blacklisting. It may never be obvious why the mail is being rejected, and there’s a lack of clear procedures for appealing such decisions or obtaining clearance from major mail providers. Compliance isn’t just a matter of following rules, as there are no straightforward methods to demonstrate alignment or prevent inadvertent association with other users within the same routing blocks.

Some see this as a manifestation of the march of ‘centralization’ because by far the simplest and quickest path out is to use commercial intermediaries who have achieved sufficient status with the major email providers to provide a safe harbour — virtualize inside a specialist, and you probably won’t be affected.

Others perceive it as a lack of competency in running systems evident in the wild. If these barriers cannot be overcome, it’s interpreted as a signal of lacking the skills required for the modern Internet.


The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.


  1. superkuh

    So you agree that even if a mailserver perfectly implements spf, dkim, and dmarc it will still get blocked (or silently shunted to ‘spam’ while still being accepted) by the rich megacorp walled gardens just because we as human persons rather than corporate persons cannot afford our own ASN and class c.

    It is definitely getting harder to run your own mailserver and get delivered to the megacorp walled gardens. But most mailservers are fine. The problem is not intrinsic to the many mailservers that work, it is a problem with the megacorp mailservers which *do not comply* with accepted standards because they don’t want people using anything but them.

  2. Russ Watson

    Yes, have been blocked by having a fixed IP which is on a /19 of Spark NZ. A great deal of effort was necessary looking and finding not on any blocklist but uceprotectL3. And Spark did not want to know, blaming us. Further digging found our IP clean but the /19 blocked. This has caused financial and reputation loss for our business. Surely blocking offending individual IPs is enough.

