I bought the domain years ago. The blog runs off it. Last week I tried to add a contact email.

Three evenings. One legitimate rage session at 11pm reading RFC 7489.

Got it working eventually. 9.5 out of 10 on a deliverability test. That sounds like a win until you find out what the missing 0.5 is.


The records

Email needs four DNS records. Nobody leads with this.

The first one is MX — tells other mail servers where to deliver your incoming email. Five minutes. Works immediately. I felt productive. This was a mistake.

SPF came next. A TXT record listing which servers are allowed to send on behalf of your domain. Without it, your email looks spoofed. Fine, add it. Except I was using two services — one for my inbox, one for transactional email — which means both need to be in the same SPF record. SPF has a ten-lookup limit. I learned about the ten-lookup limit at 10:47pm when my third service stopped delivering silently, with no error, and I spent the rest of the evening reading RFC 7208 instead.
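The ten-lookup limit is worth seeing counted, because a record that looks short can blow the budget through nested includes. This is an added example, not code from the original post: it walks a constructed in-memory DNS table (placeholder domains under .test standing in for a mailbox provider, a transactional provider and a third service), counts every term that costs a query under RFC 7208 section 4.6.4, and collects the ip4/ip6 terms that flattening would publish instead of the includes.

```python
"""SPF lookup budget checker (added example, not from the original post).

RFC 7208 section 4.6.4 caps the terms that trigger DNS queries (include, a,
mx, ptr, exists, redirect) at 10 per evaluation, counted across every nested
include. Going over yields "permerror", which most receivers treat as if no
SPF record existed. FAKE_DNS is a constructed table; the .test domains are
placeholders and dns.get() stands in for a real TXT query.
"""

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10

# Constructed TXT records: a mailbox provider, a transactional provider and a
# third service, each dragging in its own nested includes.
FAKE_DNS = {
    "example.test": "v=spf1 include:_spf.mailbox.test include:_spf.transactional.test include:_spf.third.test ~all",
    "_spf.mailbox.test": "v=spf1 include:_a.mailbox.test include:_b.mailbox.test ~all",
    "_a.mailbox.test": "v=spf1 ip4:192.0.2.0/24 a mx ~all",
    "_b.mailbox.test": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.transactional.test": "v=spf1 include:_relay.transactional.test ~all",
    "_relay.transactional.test": "v=spf1 ip4:203.0.113.0/24 mx ~all",
    "_spf.third.test": "v=spf1 a mx include:_bulk.third.test ~all",
    "_bulk.third.test": "v=spf1 ip4:203.0.113.128/25 -all",
    "lean.test": "v=spf1 ip4:192.0.2.10 include:_b.mailbox.test -all",
    "loop.test": "v=spf1 include:loop.test ~all",   # a misconfigured self-include
}


def parse_terms(record):
    """Split an SPF record into (name, argument) pairs, dropping qualifiers and CIDR suffixes."""
    terms = []
    for token in record.split()[1:]:          # skip the "v=spf1" version tag
        if token[0] in "+-~?":
            token = token[1:]
        if "=" in token:                      # modifier: redirect=..., exp=...
            name, arg = token.split("=", 1)
        elif ":" in token:                    # mechanism with argument: include:..., ip4:...
            name, arg = token.split(":", 1)
        else:                                 # bare mechanism: a, mx, all, possibly a/24
            name, arg = token, ""
        terms.append((name.split("/", 1)[0].lower(), arg))
    return terms


def count_lookups(domain, dns, seen=None, trace=None):
    """Walk the include/redirect tree and record every lookup-costing term."""
    seen = {domain.lower()} if seen is None else seen
    trace = [] if trace is None else trace
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return trace                          # missing record: nothing more to count here
    for name, arg in parse_terms(record):
        if name not in LOOKUP_TERMS:
            continue
        trace.append((domain, name, arg))     # each of these costs one DNS query
        if name in ("include", "redirect") and arg.lower() not in seen:
            seen.add(arg.lower())             # loop guard: a cycle would otherwise recurse forever
            count_lookups(arg, dns, seen, trace)
    return trace


def check_spf(domain, dns):
    """Return the lookup count, whether it fits the budget, and the per-term trace."""
    trace = count_lookups(domain, dns)
    return {"domain": domain, "lookups": len(trace), "ok": len(trace) <= LOOKUP_LIMIT, "trace": trace}


def flatten_ips(domain, dns):
    """Collect ip4/ip6 terms across the include tree: publishing these directly is
    the usual fix when the budget is blown. Any a/mx/ptr/exists terms would still
    need resolving at flatten time, so they are reported separately as unresolved."""
    ips, unresolved, seen = [], [], {domain.lower()}

    def walk(d):
        record = dns.get(d.lower())
        if record is None:
            return
        for name, arg in parse_terms(record):
            if name in ("ip4", "ip6"):
                ips.append(f"{name}:{arg}")
            elif name in ("include", "redirect") and arg.lower() not in seen:
                seen.add(arg.lower())
                walk(arg)
            elif name in ("a", "mx", "ptr", "exists"):
                unresolved.append((d, name))

    walk(domain)
    return ips, unresolved


if __name__ == "__main__":
    result = check_spf("example.test", FAKE_DNS)
    print(f"{result['domain']}: {result['lookups']} lookups, within limit: {result['ok']}")
    for d, name, arg in result["trace"]:
        print(f"  {d:28} {name}:{arg}")
    print("flattened:", flatten_ips("example.test", FAKE_DNS))
```

The constructed example.test record has only three includes at the top level but costs 12 lookups once the nested records are walked, which is exactly the silent permerror described above; the trace shows which provider's include is responsible before you decide what to flatten.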

DKIM is a cryptographic signature attached to outgoing messages. You publish a public key in DNS, your server signs with the private half, and receiving servers verify the signature against the published key. Standard TTL is an hour. Each mistake costs you an hour before you can test the fix. I made several mistakes.

DMARC tells receiving servers what to do when a message fails both checks, meaning neither SPF nor DKIM passes with a domain aligned to the From address: deliver anyway, quarantine, or reject. You're setting policy for failure modes you haven't experienced yet, enforced by servers you have no relationship with.
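The "deliver anyway, quarantine, or reject" decision depends on alignment, not just on whether SPF and DKIM passed, and that is where forwarding and bounce subdomains bite. The following is an added example, not the post's code or any library's: it models the RFC 7489 section 6.6.2 decision over a few constructed scenarios (placeholder .test domains), using a simplified two-label organizational domain in place of the Public Suffix List.

```python
"""DMARC disposition evaluator (added example, not from the original post).

Models RFC 7489 section 6.6.2: a message passes DMARC if either SPF or DKIM
passes AND the domain that passed is aligned with the RFC5322.From domain.
Only when neither does is the published p= (or sp= for subdomains) applied.
All records, domains and scenarios below are constructed.
"""


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=...; ...' into a tag dict with RFC defaults filled in."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment is the RFC default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment is the RFC default
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (an assumption of this
    example; real validators consult the Public Suffix List so co.uk and friends work)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition); disposition is none, quarantine or reject."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Mail from a subdomain of the organizational domain gets sp= when one is published.
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    policy = tags.get("sp", tags.get("p", "none")) if is_subdomain else tags.get("p", "none")
    return "fail", policy


# Constructed scenarios. spf_domain is the envelope MAIL FROM domain SPF checked;
# dkim_domain is the d= tag of the signature that verified (None if none did).
SCENARIOS = [
    ("transactional provider using a bounce subdomain, relaxed alignment",
     "v=DMARC1; p=reject", "example.test", "pass", "bounce.example.test", "none", None),
    ("same sender, strict SPF alignment and no DKIM signature",
     "v=DMARC1; p=reject; aspf=s", "example.test", "pass", "bounce.example.test", "none", None),
    ("forwarded through another domain, DKIM survived the hop",
     "v=DMARC1; p=reject", "example.test", "pass", "forwarder.test", "pass", "example.test"),
    ("forwarded, DKIM broken by the forwarder rewriting the body",
     "v=DMARC1; p=reject", "example.test", "pass", "forwarder.test", "fail", "example.test"),
    ("subdomain sender, both checks fail, sp= applies instead of p=",
     "v=DMARC1; p=reject; sp=quarantine", "mail.example.test", "fail", "mail.example.test", "fail", None),
]


def run_scenarios():
    """Evaluate every constructed scenario; returns (label, result, disposition) triples."""
    return [(label, *evaluate(*args)) for label, *args in SCENARIOS]


if __name__ == "__main__":
    for label, result, disposition in run_scenarios():
        print(f"{result:4}  {disposition:10}  {label}")
```

Scenarios two and four are the ones that turn a working setup into rejected mail without any DNS being wrong: a strict aspf= tag defeats a provider's bounce subdomain, and a forwarder that breaks the DKIM signature leaves a p=reject domain with nothing aligned to fall back on.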

Four records. Four places to get something subtly wrong. None of them tell you when you have. Your email just ends up in spam.

There's also BIMI. A fifth record that makes a small logo appear next to your name in Gmail. Requires a Verified Mark Certificate, issued by one of a short list of approved vendors.

One thousand five hundred dollars. Per year.

I don't have a BIMI record.


Free tiers

Every provider has a free tier. Every free tier is missing one thing you need, which means you end up running three services to cover what should be one.

Zoho gives you five mailboxes on the free plan. Five sounds generous until you sit down and count: personal inbox, contact address, catch-all for typos, newsletter address. Already over. And that's not an unusual setup — that's just a domain you actually use.

ImprovMX forwards email at your domain to an existing inbox. Fine for receiving. Replies go out from your Gmail address, not the domain you just spent an hour on MX records for. Fixable through Gmail's SMTP settings, which means updating SPF again.

Mailgun's free tier is outbound only. I found this out after 45 minutes on MX records.

Google Workspace is $6 per user per month. $72 a year, indefinitely, to have an email address that ends in your own domain instead of gmail.com. The price is fair for what it is. But nobody tells you that when you pay $12 for a domain and assume email comes with it.


Deliverability

Getting the DNS right is the part with documentation. Deliverability is the part that doesn't have any.

New domains need a warm-up period. You have to increase send volume slowly over weeks so receiving servers build a history for your address. Send a batch too early and you get flagged regardless of what your DNS says. This is apparently called "warming up your IP" and it sounds exactly as absurd as it is.

Gmail has reputation scoring that isn't published anywhere. Outlook accepts your email and moves it to junk without a bounce, without an error, without any signal that something went wrong. You find out when someone mentions two weeks later that they found your message while clearing their spam folder.


Where it ended up

Sending through Resend's API. Receiving through Zoho. Two services, running in parallel, for one email address at one domain.

Tested on mail-tester.com. 9.5 out of 10.

The missing 0.5 is the BIMI record.


SPF: 2003. DKIM: 2004. DMARC: 2012. None of it was designed together. Each standard arrived to close the hole the previous one left open. Receiving servers added their own reputation scoring on top. No coordination. Nobody in charge.

What you get is infrastructure that mostly works, documented across RFCs nobody reads unless they're angry enough, where doing everything right is still not a guarantee.

Setting up email took longer than building the rest of the site.

I left it at 9.5.

— Arro