Run a private mail server on a no-KYC VPS

Email is a long-lived, port-25-listening service that other servers connect to. That rules out anything behind NAT, anything with a shared or blacklisted IP, and anything where you can't set reverse DNS. You need a real VPS with a static, clean, dedicated IPv4 and full control of DNS. That is precisely what a NoKycVPS instance is.

Spec the box correctly

A mail stack is not CPU-hungry, but it is memory- and IO-sensitive once you add spam filtering and indexing. Rspamd and Dovecot's full-text search eat RAM; the maildir spool wants fast NVMe.

• S1 (2 vCPU / 4 GB / 80 GB), from $5/mo — fine for a single-user vanity domain with Rspamd trimmed down. Tight once mail volume grows.
• S2 Pro (4 vCPU / 16 GB / 320 GB), from $15/mo — the recommended baseline. Room for Postfix + Dovecot + Rspamd + Redis + a small ClamAV, plus headroom for a few hundred mailboxes and IMAP search indexes. This is what we recommend for almost everyone.
• S3 Power (8 vCPU / 32 GB / 640 GB), from $30/mo — for high-volume or multi-tenant mail where you're running ClamAV, large FTS indexes, and heavy filtering.

All plans include AMD EPYC cores, DDR5, NVMe Gen5, and a /64 IPv6. If you'd rather not share a hypervisor at all, the same stack runs on a dedicated R1 box (Ryzen 9 7950X, 64 GB ECC) for hard isolation. Spin up an S2 and you're typically online in about 47 seconds.

This is where most self-hosted mail attempts die. Sending mail is easy; getting it accepted is the whole game. Receiving servers (Gmail, Outlook, corporate gateways) judge you on a handful of hard signals. Get these wrong and your mail silently lands in spam.

1. A clean, dedicated IP — non-negotiable

If your IP was used by a spammer last month, you inherit their reputation and there's nothing you can configure to fix it. NoKycVPS allocates clean IP space, not recycled abuse blocks. Before you build, sanity-check your IP against the major DNSBLs (Spamhaus ZEN, Barracuda, SpamCop). If it's listed on arrival, open a ticket in the panel and we'll rotate it.

2. rDNS / PTR — the requirement most hosts won't meet

The PTR record maps your IP back to your hostname (e.g. 198.51.100.10 → mail.yourdomain.com) and it must match your HELO/EHLO name with a matching forward A record (FCrDNS). Gmail and Outlook reject or junk mail from IPs with no PTR or a generic provider PTR. You cannot set this yourself — the IP owner has to. We set rDNS for you on request from the panel. This single capability is the reason to host mail here instead of with a budget VPS that ignores PTR tickets.

3. SPF, DKIM, DMARC — the DNS triad

These are TXT/DNS records in your domain's zone:

; SPF — authorize this server to send for the domain
yourdomain.com.   TXT  "v=spf1 mx a:mail.yourdomain.com -all"

; DKIM — public key; private key signs outbound mail (set up by opendkim/rspamd)
default._domainkey.yourdomain.com.  TXT  "v=DKIM1; k=rsa; p=MIIBIjANBgkq..."

; DMARC — start at p=none to monitor, tighten to quarantine/reject later
_dmarc.yourdomain.com.  TXT  "v=DMARC1; p=none; rua=mailto:[email protected]; adkim=s; aspf=s"

Use a -all (hard fail) SPF once you're confident only this server sends. Sign every outbound message with DKIM. Start DMARC at p=none to read the aggregate reports, then move to p=quarantine and finally p=reject.

4. Warmup — the part you can't shortcut

A brand-new IP and domain have no sending history. Don't blast a mailing list on day one. Send low volume to engaged recipients for the first 1–2 weeks, ramping gradually. Sign up for Google Postmaster Tools and Microsoft SNDS to watch your reputation. Plan for roughly a week before deliverability is solid. Register your domain right here too — we sell 26 TLDs, also crypto-only and no-KYC, so your zone and your server share one anonymous account.

The canonical Linux mail stack is Postfix (SMTP — send and receive) plus Dovecot (IMAP/POP3 — your client reads mail), with Rspamd for spam filtering and DKIM signing. Here's the shape of it on Debian 13 (one of our stock images).

Open the right ports

Inbound: 25 (SMTP from other servers), 465 (SMTPS submission), 587 (submission STARTTLS), 993 (IMAPS), 995 (POP3S). Port 25 outbound is open on NoKycVPS by default — confirm before you build.

apt update && apt install -y postfix dovecot-imapd dovecot-pop3d rspamd redis-server
# TLS: get a real cert (Let's Encrypt)
apt install -y certbot
certbot certonly --standalone -d mail.yourdomain.com

Wire up DKIM signing with Rspamd

# /etc/rspamd/local.d/dkim_signing.conf
domain {
  yourdomain.com {
    path = "/var/lib/rspamd/dkim/yourdomain.key";
    selector = "default";
  }
}
# generate the keypair, publish the .txt as your DKIM DNS record
rspamadm dkim_keygen -s default -b 2048 -d yourdomain.com \
  -k /var/lib/rspamd/dkim/yourdomain.key

Lock TLS down

Force TLS for submission and require it for IMAP. In Postfix, set smtpd_tls_security_level = may for inbound (opportunistic — you still want to receive from older servers) but smtp_tls_security_level = dane or may for outbound. Publish a MTA-STS policy and a TLSA (DANE) record so senders know to encrypt to you.

Disk encryption at the OS layer

Mail at rest is plaintext on disk by default. For a privacy mail server, deploy onto a LUKS-encrypted volume or at minimum encrypt the maildir spool. Combined with our AES-256 encryption of the VPS root password at rest, this keeps the mailbox unreadable without your keys. See the full-disk-encryption guide for the unlock-over-SSH pattern.

If hand-rolling all of this is more than you want, deploy an integrated bundle (Mailcow, Mailu, or Mail-in-a-Box) on the same S2 — same DNS and rDNS rules apply.

Self-hosting means you choose the legal soil your mail sits on. With NoKycVPS that's a deliberate decision across four regions, same hardware in each.

• Reykjavik, Iceland (REK) — no mandatory data-retention law, the IMMI press-freedom framework, and renewable geothermal power. The default pick for journalists and source protection.
• Zurich, Switzerland (ZRH) — strong constitutional privacy under the FADP, outside the 14-Eyes intelligence-sharing arrangement, and Article 271 of the penal code restricts assisting foreign authorities on Swiss soil. Best legal moat, slightly higher price.
• Bucharest, Romania (OTP) — EU member with excellent connectivity, historically resistant to overbroad takedown pressure, lowest cost.
• Paris, France (PAR) — EU, GDPR, robust peering and the cheapest region; good for latency to European recipients.

Two things matter beyond the flag. First, the operating entity is in Saint Kitts and Nevis: we act only on a binding judicial order from a court with jurisdiction there, served properly, and we notify you first. There's no proactive content monitoring of your mail. Second, we publish a monthly warrant canary at /canary — if it stops updating, you know to act. The one hard line is CSAM; legitimate private email is exactly what this infrastructure is for. Read the deeper rationale on the offshore hosting overview and the Iceland jurisdiction page.

We'd rather you succeed than churn, so here's the unvarnished version. A self-hosted mail server is the highest-maintenance service most people will ever run. The work doesn't end at setup:

• Ongoing reputation management. One compromised account sending spam, or one misconfigured forwarder, and you're on a blacklist. You'll periodically check DNSBLs and delist.
• Security patching. A public SMTP server is constantly probed. Keep Postfix/Dovecot patched, fail2ban running, and submission auth rate-limited.
• Backups. Email is irreplaceable. Snapshot the maildir and the DKIM keys off-box, encrypted.
• Deliverability drift. Gmail and Outlook change their rules. What landed in the inbox last year may junk this year; you adapt.

You should self-host if you value control and privacy over convenience, you're comfortable on a Linux command line, and you'll commit to maintenance. You probably shouldn't if you need guaranteed inbox delivery for a business-critical mailing list on day one, or you can't dedicate a few hours a month. A reasonable middle path: self-host for receiving and personal sending, and relay bulk/transactional mail through a paid relay if needed.

If you're in, the move is simple: order an S2 in Reykjavik or Zurich, pay in Monero (XMR) (credits your balance in about 30 seconds), request rDNS from the panel, and build. For the broader privacy-hosting picture see our Tor relay use-case and the no-KYC VPS setup guide.