I’ve setup my email via a VPN to my own server.

• DNS, mail, business web, cusromer web on VPSes (2, 1 primary, 1 secondary DNS only)
• Personal email, incoming and outgoing via VPS, personal websites (all static) on local system (RPi 4 8GB)

This gives the advantage that your outgoing email always comes from the VPS ip address (pick a VPS provider that is trusted) and when your line is down, incoming email is cached on your VPS. It’s a tad of double work, but pretty secure. Even connecting to my employer to work from home is not a big issue. (and that connection is limited to it’s own vlan)

Also, with this method, you can route the mail into your network via port 26 when 25 is blocked or even set an outgoing vpn to your VPS and route the email that way. You’ll be provider independent at home. (I even have a private ipv6 /48 via a tunnel broker)

You’ll need to work a lot on your knowledge though, without DNSSEC, SPF, DKIM and DMARC the big 2 (Google and hotmail) will refuse your email.

You can selfhost the email server wherever you want. But you’ve to use some external system to deliver the email or you’ll end up in spam because your residential IP is most likely dynamic and already flagged by most email providers.

One way to do it is to get a VPS somewhere and setup Wireguard on it. Then configure your local system to bind to the Wireguard interface and IP so all email send and received using the tunnel. Dovecot doesn’t care what interface it is running on, Postfix has specific options that you can change in master.cf to accommodate the fact that it will be binding to the VPN IP and the real IP is the VPS public IP.

1. Setup a install of Dovecot / Postfix / Rspamd on your local server: https://workaround.org/ispmail-bookworm/
2. Start by setting up a Wireguard tunnel between your local server and the VPS: https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04
3. Create a outgoing transport for the email that uses the WG tunnel and is aware of the VPS public IP:

out-wg      unix  -       -       n       -       -       smtp
 -o proxy_interfaces=188.xxx.xxx.xxx # the real public IP of the VPS
 -o smtp_bind_address=10.0.0.2 # the IP that your local server has on the WG interface
 -o inet_interfaces=10.0.0.2 # same as above
 -o myhostname=server.example.org # should match the PTR / reverse DNS entry on the VPS IP
 -o smtp_helo_name=server.example.org # should match the PTR / reverse DNS entry on the VPS IP
 -o syslog_name=smtp-wg

4. Set your VPS firewall to NAT/forward incoming traffic on port 25, 587, 465 and 993 to the local server (wireguard client 10.0.0.2);
5. Change main.cf to use the transport by adding: default_transport = out-wg.

That’s everything you need to get it going. Use https://www.mail-tester.com/ to debug if DKIM and everything else is properly setup at the end.

I think mail forwarders are still a good way to go. It’s hard to predict how Internet providers will react to email running in their networks.

These days I have an ec2 at AWS for my mail server and use SES for outbound mail. I’m thinking of moving “receiving” back into my network with a simple chat forwarding service but keep SES for outbound. They handle all the SPF and DKIM things and ensure their networks aren’t on blacklists.