Self-Host Email: Mail-in-a-Box vs Stalwart vs Mox 2026

Q: When NOT to Self-Host Email?

Self-hosting email makes sense for privacy, control, and cost savings at scale. It does not make sense if: Your organization depends on zero-downtime email — you are the SLA. Provider-hosted email has 99.9%+ uptime; your VPS will have incidents. You're sending bulk or transactional email — self-hosted IPs get blacklisted for volume. Use a dedicated sending service. Your team is non-technical — maintaining a mail server is a developer/sysadmin task. A single misconfiguration can lose email perman

Self-hosting email is the final frontier of infrastructure ownership — and for good reason. Email is harder than a web app. IP reputation, deliverability configuration, and the maintenance reality of keeping a Postfix server healthy are real challenges that most self-hosting guides understate.

This guide is honest about those challenges. It also covers the three best modern options for actually doing it: Mail-in-a-Box (beginner-friendly, automated everything), Stalwart (Rust-powered, enterprise-grade, extremely configurable), and Mox (Go single binary, SIDN-rated best for security standards). We also cover when you should just pay for email and move on.

TL;DR

Mail-in-a-Box if you want everything automated with a single setup script and you're on Ubuntu 22.04. Mox if you want a modern single-binary server with excellent security defaults and a built-in quickstart wizard. Stalwart if you need JMAP, multi-tenancy, cluster support, or the most configurable email server in the open-source ecosystem. None of these if your primary concern is bulk email delivery — self-hosted servers are for receiving and personal/transactional sending.

Key Takeaways

Mail-in-a-Box: 15,200 GitHub stars, v74 (Jan 2026), Apache 2.0 — the easiest complete setup (one script, automatic DNS/DKIM/DMARC/TLS)
Stalwart: 11,900 GitHub stars, v0.15.5 (Feb 2026), AGPL-3.0/Enterprise — Rust, JMAP+IMAP+CalDAV+CardDAV, ~50MB idle, no built-in webmail
Mox: 5,600 GitHub stars, v0.0.15 (Apr 2025), MIT — Go single binary, built-in webmail, mox quickstart generates all DNS records
IP reputation is the hardest part — VPS IPs start with zero reputation; Gmail/Outlook throttle new senders aggressively
Deliverability configuration: all three auto-configure SPF, DKIM, and DMARC — this is genuinely handled better than DIY Postfix
Cost: ~$5–10/month VPS vs $6/user/month for Google Workspace or $5/user/month for Fastmail

Feature Comparison

Feature	Mail-in-a-Box	Stalwart	Mox
Language	Shell/Python	Rust	Go
Version	v74 (Jan 2026)	v0.15.5 (Feb 2026)	v0.0.15 (Apr 2025)
License	Apache 2.0	AGPL-3.0 + Enterprise	MIT
GitHub stars	15,200	11,900	5,600
SMTP	Postfix	Native (Rust)	Native (Go)
IMAP	Dovecot	Native (Rust)	Native (Go)
JMAP	No	Yes	No
POP3	No	Yes	No
Built-in webmail	Roundcube	No (planned)	Yes (minimal)
Built-in DNS	Yes (NSD4)	No	No
CalDAV/CardDAV	Via Nextcloud	Yes (native)	No
SPF/DKIM/DMARC	Automatic	Automatic	Automatic
DANE/MTA-STS	Yes	Yes	Yes
Min RAM	1 GB practical	1 GB	512 MB
Docker	No (bare metal)	Yes	No (single binary)
Setup complexity	Low	Medium	Low-Medium

Mail-in-a-Box

Mail-in-a-Box is the opinion-having, zero-surprises approach to self-hosted email. It installs the entire Postfix + Dovecot + Roundcube + SpamAssassin + Nextcloud (CalDAV/CardDAV) stack and configures everything automatically.

What "everything automatically" means:

SPF, DKIM (OpenDKIM), DMARC, DNSSEC, DANE, MTA-STS — all configured and verified
Daily health checks confirm DNS records are still correct
Let's Encrypt TLS renewal automated
Fail2ban intrusion protection enabled by default
Backups via Duplicity (local, rsync, or S3)

Setup:

# Fresh Ubuntu 22.04 server
# SSH in as root or sudo user

# Run the installer (you'll be prompted for email address and password)
curl -s https://mailinabox.email/bootstrap.sh | sudo bash

After the script completes (20–40 minutes), the admin panel at https://your-server:10222 shows a checklist of DNS records to create at your domain registrar. Once those propagate, mail flows in and out.

Hard constraints:

Ubuntu 22.04 LTS only — no alternatives, no Docker, no other distros
Intended for a dedicated server — running other services alongside is unsupported and breaks updates
One primary domain per server (multiple domains supported, but secondary)

Best for: Users who want to be up and running in an hour with zero configuration knowledge. Accept the opinionated defaults, follow the DNS checklist, and you have a working mail server. It's the right tool for personal use and small organizations that don't need Stalwart's flexibility.

Stalwart

Stalwart is what happens when you build an email server from scratch in Rust in 2023–2026 without carrying forward 30 years of Postfix/Dovecot legacy. It's a single binary that handles SMTP, IMAP, JMAP, POP3, CalDAV, CardDAV, and WebDAV — a full mail and collaboration server.

Why Rust matters here: Stalwart uses ~50 MB of RAM at idle (Docker: ~122 MiB). Traditional stacks (Postfix + Dovecot + SpamAssassin + Rspamd) routinely consume 1–4 GB just for services. The memory efficiency is real and significant for VPS deployments.

Why JMAP matters: JMAP (JSON Mail Access Protocol) is the modern replacement for IMAP, designed for efficient synchronization on mobile and unreliable connections. While IMAP syncs individual folder changes, JMAP syncs state — it's faster for initial sync, more efficient on bandwidth, and simpler for client developers. Stalwart is the only self-hosted server with full JMAP support alongside IMAP4, making it future-proof.

Docker setup:

# Pull and run the all-in-one Docker image
docker run -d \
  --name stalwart-mail \
  -p 443:443 -p 25:25 -p 587:587 -p 465:465 \
  -p 143:143 -p 993:993 -p 4190:4190 \
  -v /opt/stalwart:/opt/stalwart \
  stalwartlabs/stalwart:latest

The first run outputs an admin password. Access the web admin at https://your-server/. The admin interface is comprehensive — manage domains, users, DKIM keys, spam rules, and server config all through the UI.

Docker Compose for production:

version: "3"

services:
  stalwart:
    image: stalwartlabs/stalwart:latest
    restart: unless-stopped
    ports:
      - "25:25"
      - "465:465"
      - "587:587"
      - "143:143"
      - "993:993"
      - "443:443"
      - "4190:4190"
    volumes:
      - stalwart_data:/opt/stalwart
    environment:
      - TZ=UTC

volumes:
  stalwart_data:

After starting: DNS records must be created manually. Stalwart's web admin generates the correct SPF, DKIM, and DMARC records — copy them into your DNS provider.

Webmail gap: Stalwart has no built-in webmail as of early 2026. Webmail development (using Rust/Dioxus) is on the 2026 roadmap. In the meantime, pair with Roundcube or Snappymail as a separate container.

License note: Stalwart uses AGPL-3.0 for the community edition plus a proprietary enterprise license. Enterprise features (multi-tenancy, advanced dashboards) require a paid subscription priced per mailbox. Core email functionality is fully open-source. Sponsors contributing $5+/month get an enterprise license automatically.

Best for: Advanced users who want the most configurable, scalable, and modern email server. Teams that need JMAP, CalDAV/CardDAV without Nextcloud, multi-tenancy, or clustered high-availability setups.

Mox

Mox is a modern, opinionated mail server written in Go by Mechiel Lukkien. It's a single statically-linked binary with zero external dependencies — download, run, done. The SIDN (Netherlands Internet governance) reviewed four modern mail servers and rated Mox highest for security standard comprehensiveness.

The quickstart workflow:

# Download the Mox binary
wget https://github.com/mjl-/mox/releases/latest/download/mox-linux-amd64
chmod +x mox-linux-amd64

# Run quickstart - generates config and DNS records to add
sudo ./mox-linux-amd64 quickstart you@yourdomain.com

# Start Mox
sudo ./mox-linux-amd64 serve

The mox quickstart command:

Generates a configuration file
Automatically generates DKIM keys
Prints every DNS record you need to add (SPF, DKIM, DMARC, DANE, MTA-STS, CAA, TLSRPT, autoconfig, autodiscover)
Provisions Let's Encrypt TLS certificates on first start

Security standards Mox handles: SPF, DKIM, DMARC, DANE, DNSSEC, MTA-STS, TLSRPT, CAA, autoconfig/autodiscover for desktop clients. The SIDN review noted this as the most comprehensive implementation of the current email security stack.

Built-in webmail: Mox includes a minimal webmail — functional but not Roundcube-polished. Adequate for occasional browser-based access; most users will use Thunderbird or Apple Mail via IMAP.

Spam filtering: Bayesian filter with per-user learning. Trains on your mail over time — effective for personal use; requires tuning for organizational deployment.

Maturity caveat: v0.0.15 is the author being honest about stability. Mox is NLnet-funded, interoperability-tested against Gmail/Outlook/Yahoo/Proton, and used in production. The v0.0.x version signals that the developer hasn't declared it production-stable — not that it's broken. The progression to v1.0 will happen as the test coverage and API stability targets are met.

Best for: Technically comfortable users who want a modern, lean, single-binary email server with excellent security defaults and minimal operational complexity. The best option for solo/personal use and small organizations without Docker expertise.

The Ecosystem: Mailcow, iRedMail, Mailu

Three other options worth knowing:

Mailcow — Docker-based full groupware stack (Postfix, Dovecot, SOGo, Rspamd, ClamAV, ActiveSync). The most feature-rich traditional alternative. Minimum 6 GB RAM; recommended 8 GB for 5–10 users. Runs ClamAV virus scanning by default — this alone adds ~1 GB RAM. Best for teams that want a complete Exchange-like groupware replacement with shared calendars, contacts, and virus scanning.

iRedMail — Traditional Postfix/Dovecot stack, optional Roundcube or SOGo webmail. The lightest option at 2 GB RAM minimum. Free OSE edition plus paid iRedAdmin-Pro admin UI. Best for budget-constrained single-domain deployments.

Mailu — Docker-based, designed to be simpler than Mailcow at lower resource cost. 2 GB RAM minimum. Smaller community and less active development than Mailcow. Best for users who want Docker convenience without Mailcow's resource demands.

Deliverability: The Hard Part

Every self-hosted email guide glosses over IP reputation. This section doesn't.

VPS IPs start with zero reputation. Every major provider (Gmail, Outlook, Yahoo) assigns a trust score to sending IPs based on history. A fresh VPS IP has no history, so inbound mail from it is throttled, occasionally bounced, and sometimes filtered to spam — even with perfect SPF/DKIM/DMARC.

How to warm up an IP:

Send small volumes first — 10–20 emails/day for the first two weeks
Only to people who expect mail from you — bounces and spam reports crater your reputation permanently
Monitor blacklists — check MXToolbox Blacklist Check weekly for the first month
Verify your PTR record — reverse DNS must resolve to your hostname. Check with your VPS provider; many allow custom PTR records. Without it, major providers reject your mail.
Check port 25 — some VPS providers block outbound port 25 (used for server-to-server SMTP). Verify with telnet smtp.gmail.com 25 from your server.

All three tools automate the authentication setup correctly. SPF, DKIM, and DMARC are the necessary conditions for deliverability — but not sufficient. IP reputation is earned over weeks, not configured in an afternoon.

For transactional or bulk sending: Don't use your self-hosted server. Route transactional email (password resets, notifications) through SES, Mailgun, or Postmark. Your self-hosted server handles your personal/organizational incoming and outgoing correspondence. The distinction matters.

Resource Requirements

Server	Min RAM	Practical	Notes
Mail-in-a-Box	512 MB (official)	1–2 GB	SpamAssassin memory-hungry
Stalwart	1 GB	1–2 GB	~50 MB idle in Rust
Mox	512 MB	512 MB–1 GB	Go binary very lean
Mailcow	4 GB (min)	6–8 GB	ClamAV + Rspamd add up
iRedMail	2 GB	2–4 GB	Lightest traditional stack

A $6–10/month VPS with 2 GB RAM handles Mail-in-a-Box or Mox comfortably for personal use or a small team (<20 users). Stalwart runs on even less at idle. Mailcow needs at least a $20/month instance.

When NOT to Self-Host Email

Self-hosting email makes sense for privacy, control, and cost savings at scale. It does not make sense if:

Your organization depends on zero-downtime email — you are the SLA. Provider-hosted email has 99.9%+ uptime; your VPS will have incidents.
You're sending bulk or transactional email — self-hosted IPs get blacklisted for volume. Use a dedicated sending service.
Your team is non-technical — maintaining a mail server is a developer/sysadmin task. A single misconfiguration can lose email permanently.
You're in a jurisdiction with strict compliance requirements — HIPAA, certain financial regulations require signed agreements and specific controls that managed providers offer out-of-the-box.

For most individuals and privacy-focused small teams, self-hosted email is viable and rewarding. For organizations where email is mission-critical infrastructure, pay for a managed provider with an SLA.

Choosing Your Tool

Your situation	Best choice
Complete beginner, want everything automated	Mail-in-a-Box
Want modern single binary, good security defaults	Mox
Need JMAP, CalDAV/CardDAV, or clustering	Stalwart
Want Docker + groupware (shared calendars)	Mailcow
Lowest possible resource cost (2 GB VPS)	iRedMail or Mox

Browse all email alternatives at OSSAlt. Related: Nextcloud vs Google Workspace migration, Schleswig-Holstein's full Microsoft exit.

Comments