Self-hosted e-mail: time to say goodbye
Christmas is a time for family, and this year, I had a houseful. Among them were the two family members for whom I host e-mail, and them setting up their brand new laptops provided a good opportunity to deal with something which had been on my mind for a while.
Let’s go back a few steps: in 2009, the year I graduated, it was possible to take commodity virtual machine hosting and open source software, and build yourself an e-mail system which was on a par with, if not superior to, those you could get from the free webmail providers of the time. GMail was pretty good, but you could do better on storage space, filtering and clever integrations.
And, of course, you could have a domain name of your very own.
I built a system for me and a few family members, and it has endured ever since.
The world of 2025 - soon to be 2026 - is however very different. Various niggles with my self-hosted system had seen a worrying rise in my “customers” having problems, in particular with their messages not getting through to other people. No amount of insisting that it’s (insert name of big provider here)’s fault makes up for the disruption; in the words of the chancellor, we have to see the world as it is, not as we want it to be.
Meanwhile, the lack of 2FA (see earlier post) really isn’t good enough and I’m getting too old and too busy to maintain this stuff. I don’t know why a stable ecosystem of software insists on rewriting its configuration file formats every few years, but I do know my last Debian upgrade was a pain in the proverbials and resulted in a much longer outage than I wanted.
It might surprise you to learn that I have moved the whole shooting match to FastMail. And to address the orange haired elephant in the room, yes it’s a shame that my e-mail now lives on servers in the USA rather than the UK. But without sorting out my features, the users would have jumped ship to GMail anyway. What’s the bigger threat - the US government taking an interest in my mother’s e-mail, or her getting phished because my self-hosted setup doesn’t do 2FA?
Testing
I had a largely spare domain name lying around which was ideal for pairing with the 30 day free trial of FastMail to give things a thorough shakedown.
If you don’t have such a domain, I would heartily recommend getting one - for a few pounds/dollars, well worth it to have a cleanly separated trial run with all the features before moving your real domains across.
The trial was easy to get started because FastMail can take complete control of the DNS for your domain - no problem if you’re not doing anything else with it! - and thus you don’t need to faff with individual records. The need to have working SPF, DKIM, DMARC etc. means that there are a few of these besides your standard MX.
That said, they’ve done it as cleverly as they can for the case where you want/need to keep the DNS somewhere else.
Cost
I’d say FastMail’s pricing gives it the edge over Google Apps etc. if you are primarily in the market for e-mail for a small family.
Domain names are not rationed, and six users is plenty for my use-cases.
Features, generally
Starting with security, 2FA via OAuth2 (which works in Thunderbird!) is all there, and device specific passwords are supported for older apps. There is passkey/security key support, which is pleasing.
I was less pleased that I have to provide a recovery phone number - I’d rather avoid that potential weak spot - but of course it’s cheap and easy to maintain a secondary number specifically for such use which is not the number you make or take phone calls on.
The webmail is complete and pretty nice; the Android app does everything I or my users need, and can do everything the web app does, which is nice.
Search is a particular highlight as it Just Works and was one of the biggest beefs I and others had with my old setup.
The filtering interface is good, but being able to drop down and write in Sieve if you really know what you’re doing (or are migrating from a self-hosted setup where you had exactly that!) is excellent.
Sending e-mail to a GMail account confirmed the full battery of SPF/DKIM/DMARC tests pass on outgoing e-mail.
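The same check can be scripted against the raw source of a delivered test message. This is an added example, not code from the original post: it reads the Authentication-Results header stamped by the receiving server and requires SPF, DKIM and DMARC all to pass. The message, the `example.org` domain and the `mx.receiver.example` server name are constructed.

```python
import email
import re
from email import policy

# Constructed sample: headers as a receiving provider might stamp them.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.i=@example.org header.s=sel1 header.b=AbCdEf12;
 spf=pass (receiver.example: domain of alice@example.org designates
 192.0.2.10 as permitted sender) smtp.mailfrom=alice@example.org;
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.org
From: Alice <alice@example.org>
To: test@receiver.example
Subject: deliverability test

hello
"""

METHODS = ("spf", "dkim", "dmarc")


def auth_results(raw, authserv_id):
    """Return {method: [results]} from headers stamped by authserv_id only."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = {}
    for value in msg.get_all("Authentication-Results", []):
        # Drop (comments) first: they may contain ';' and confuse the split.
        value = re.sub(r"\([^()]*\)", " ", str(value))
        parts = [p.strip() for p in value.split(";")]
        # Ignore headers not written by the receiver we trust; a sender
        # can add an Authentication-Results line of their own.
        if parts[0].lower().split()[:1] != [authserv_id.lower()]:
            continue
        for part in parts[1:]:
            m = re.match(r"(\w+)\s*=\s*(\w+)", part)
            if m and m.group(1).lower() in METHODS:
                found.setdefault(m.group(1).lower(), []).append(m.group(2).lower())
    return found


def fully_authenticated(raw, authserv_id):
    """True only if every method is present and every result is 'pass'."""
    res = auth_results(raw, authserv_id)
    return all(bool(res.get(m)) and all(r == "pass" for r in res[m]) for m in METHODS)
```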
The lack of IPv6 is a bit surprising; I’d at least like to see it on the web and IMAP servers, but it’s not a real world problem quite yet.
Sub-addresses
My self-hosted setup supported “sub-addresses” with a hyphen, so e.g. [email protected] would rewrite to [email protected], allowing me to give a unique e-mail address to every website and use this for filtering, and disable e-mail addresses which got leaked etc.
I was nervous to read that FastMail only supports this with the + sign, like GMail do, rather than hyphen. However, with my small number of users, the workaround involving a catch-all alias and some Sieve expressions for each user needing this is perfectly doable and works just fine. It’s a big confidence boost that the system is flexible enough to allow a power user to build this sort of thing for themselves even if it’s not natively supported.
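The routing decision that a catch-all plus per-user rules has to make can be modelled and tested before it is written as Sieve. This is an added example in Python, not the author's Sieve rules and not FastMail code; the mailbox names, domain and disabled list are constructed. It goes slightly beyond the text by handling mailbox names that themselves contain a hyphen, which is the ambiguity a hyphen delimiter introduces.

```python
# Constructed configuration for illustration.
DOMAIN = "example.org"
MAILBOXES = {"alice", "mary-ann"}            # real users behind the catch-all
DISABLED = {"alice-leakyshop@example.org"}   # sub-addresses retired after a leak


def route(recipient):
    """Return (mailbox, tag) for a deliverable address, or None to reject it."""
    addr = recipient.strip().lower()
    local, _, domain = addr.rpartition("@")
    if domain != DOMAIN or not local:
        return None
    if addr in DISABLED:
        return None            # leaked address: stop accepting mail for it
    if local in MAILBOXES:
        return (local, "")     # plain address, no tag
    # Try each hyphen from the right so the longest mailbox name wins:
    # "mary-ann-bank" must resolve to mary-ann, not to a user called "mary".
    idx = len(local)
    while (idx := local.rfind("-", 0, idx)) > 0:
        user, tag = local[:idx], local[idx + 1:]
        if user in MAILBOXES and tag:
            return (user, tag)
    # A catch-all accepts every local part; anything that does not map
    # to a known mailbox is rejected rather than delivered.
    return None
```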
The migration
FastMail has a complete and grown-up process for migrating off your old IMAP server, and the “tunnel” addresses allowed a one-user-at-a-time switch with no loss of email.
Obviously I tested on myself first and then moved the others one at a time, reconfiguring all their devices as I did so.
It’s early days yet but so far, so good and a lot more secure as we enter 2026.