<!-- OSSAlt AI-readable guide source -->
<!-- Canonical: https://ossalt.com/guides/self-host-email-mail-in-a-box-stalwart-mox-2026 -->
<!-- Raw Markdown: https://ossalt.com/guides/self-host-email-mail-in-a-box-stalwart-mox-2026/raw.md -->
<!-- Source path: content/guides/self-host-email-mail-in-a-box-stalwart-mox-2026.mdx -->

---
og_image: "/images/guides/self-host-email-mail-in-a-box-stalwart-mox-2026.webp"
title: "Self-Host Email: Mail-in-a-Box vs Stalwart vs Mox 2026"
description: "Self-hosted email compared: Mail-in-a-Box for beginners, Stalwart for power users, Mox for modern simplicity. Setup guide, deliverability, honest risks."
date: "2026-03-16"
author: "OSSAlt Team"
tags: ["email", "self-hosting", "mail-in-a-box", "stalwart", "mox", "smtp", "imap", "privacy"]
---

# Self-Host Email: Mail-in-a-Box vs Stalwart vs Mox 2026

Self-hosting email is the final frontier of infrastructure ownership — and for good reason. Email is harder than a web app. IP reputation, deliverability configuration, and the maintenance reality of keeping a Postfix server healthy are real challenges that most self-hosting guides understate.

This guide is honest about those challenges. It also covers the three best modern options for actually doing it: Mail-in-a-Box (beginner-friendly, automated everything), Stalwart (Rust-powered, enterprise-grade, extremely configurable), and Mox (Go single binary, SIDN-rated best for security standards). We also cover when you should just pay for email and move on.

## TL;DR

**Mail-in-a-Box** if you want everything automated with a single setup script and you're on Ubuntu 22.04. **Mox** if you want a modern single-binary server with excellent security defaults and a built-in quickstart wizard. **Stalwart** if you need JMAP, multi-tenancy, cluster support, or the most configurable email server in the open-source ecosystem. None of these if your primary concern is bulk email delivery — self-hosted servers are for receiving and personal/transactional sending.

## Key Takeaways

- **Mail-in-a-Box**: 15,200 GitHub stars, v74 (Jan 2026), Apache 2.0 — the easiest complete setup (one script, automatic DNS/DKIM/DMARC/TLS)
- **Stalwart**: 11,900 GitHub stars, v0.15.5 (Feb 2026), AGPL-3.0/Enterprise — Rust, JMAP+IMAP+CalDAV+CardDAV, ~50MB idle, no built-in webmail
- **Mox**: 5,600 GitHub stars, v0.0.15 (Apr 2025), MIT — Go single binary, built-in webmail, `mox quickstart` generates all DNS records
- **IP reputation is the hardest part** — VPS IPs start with zero reputation; Gmail/Outlook throttle new senders aggressively
- **Deliverability configuration**: all three auto-configure SPF, DKIM, and DMARC — this is genuinely handled better than DIY Postfix
- **Cost**: ~$5–10/month VPS vs $6/user/month for Google Workspace or $5/user/month for Fastmail

---

## Feature Comparison

| Feature | Mail-in-a-Box | Stalwart | Mox |
|---|---|---|---|
| **Language** | Shell/Python | Rust | Go |
| **Version** | v74 (Jan 2026) | v0.15.5 (Feb 2026) | v0.0.15 (Apr 2025) |
| **License** | Apache 2.0 | AGPL-3.0 + Enterprise | MIT |
| **GitHub stars** | 15,200 | 11,900 | 5,600 |
| **SMTP** | Postfix | Native (Rust) | Native (Go) |
| **IMAP** | Dovecot | Native (Rust) | Native (Go) |
| **JMAP** | No | Yes | No |
| **POP3** | No | Yes | No |
| **Built-in webmail** | Roundcube | No (planned) | Yes (minimal) |
| **Built-in DNS** | Yes (NSD4) | No | No |
| **CalDAV/CardDAV** | Via Nextcloud | Yes (native) | No |
| **SPF/DKIM/DMARC** | Automatic | Automatic | Automatic |
| **DANE/MTA-STS** | Yes | Yes | Yes |
| **Min RAM** | 1 GB practical | 1 GB | 512 MB |
| **Docker** | No (bare metal) | Yes | No (single binary) |
| **Setup complexity** | Low | Medium | Low-Medium |

---

## Mail-in-a-Box

Mail-in-a-Box is the opinion-having, zero-surprises approach to self-hosted email. It installs the entire Postfix + Dovecot + Roundcube + SpamAssassin + Nextcloud (CalDAV/CardDAV) stack and configures everything automatically.

**What "everything automatically" means:**
- SPF, DKIM (OpenDKIM), DMARC, DNSSEC, DANE, MTA-STS — all configured and verified
- Daily health checks confirm DNS records are still correct
- Let's Encrypt TLS renewal automated
- Fail2ban intrusion protection enabled by default
- Backups via Duplicity (local, rsync, or S3)

**Setup:**

```bash
# Fresh Ubuntu 22.04 server
# SSH in as root or sudo user

# Run the installer (you'll be prompted for email address and password)
curl -s https://mailinabox.email/bootstrap.sh | sudo bash
```

After the script completes (20–40 minutes), the admin panel at `https://your-server:10222` shows a checklist of DNS records to create at your domain registrar. Once those propagate, mail flows in and out.

**Hard constraints:**
- Ubuntu 22.04 LTS **only** — no alternatives, no Docker, no other distros
- Intended for a **dedicated server** — running other services alongside is unsupported and breaks updates
- One primary domain per server (multiple domains supported, but secondary)

**Best for:** Users who want to be up and running in an hour with zero configuration knowledge. Accept the opinionated defaults, follow the DNS checklist, and you have a working mail server. It's the right tool for personal use and small organizations that don't need Stalwart's flexibility.

---

## Stalwart

Stalwart is what happens when you build an email server from scratch in Rust in 2023–2026 without carrying forward 30 years of Postfix/Dovecot legacy. It's a single binary that handles SMTP, IMAP, JMAP, POP3, CalDAV, CardDAV, and WebDAV — a full mail and collaboration server.

**Why Rust matters here:** Stalwart uses ~50 MB of RAM at idle (Docker: ~122 MiB). Traditional stacks (Postfix + Dovecot + SpamAssassin + Rspamd) routinely consume 1–4 GB just for services. The memory efficiency is real and significant for VPS deployments.

**Why JMAP matters:** JMAP (JSON Mail Access Protocol) is the modern replacement for IMAP, designed for efficient synchronization on mobile and unreliable connections. While IMAP syncs individual folder changes, JMAP syncs state — it's faster for initial sync, more efficient on bandwidth, and simpler for client developers. Stalwart is the only self-hosted server with full JMAP support alongside IMAP4, making it future-proof.

**Docker setup:**

```bash
# Pull and run the all-in-one Docker image
docker run -d \
  --name stalwart-mail \
  -p 443:443 -p 25:25 -p 587:587 -p 465:465 \
  -p 143:143 -p 993:993 -p 4190:4190 \
  -v /opt/stalwart:/opt/stalwart \
  stalwartlabs/stalwart:latest
```

The first run outputs an admin password. Access the web admin at `https://your-server/`. The admin interface is comprehensive — manage domains, users, DKIM keys, spam rules, and server config all through the UI.

**Docker Compose for production:**

```yaml
version: "3"

services:
  stalwart:
    image: stalwartlabs/stalwart:latest
    restart: unless-stopped
    ports:
      - "25:25"
      - "465:465"
      - "587:587"
      - "143:143"
      - "993:993"
      - "443:443"
      - "4190:4190"
    volumes:
      - stalwart_data:/opt/stalwart
    environment:
      - TZ=UTC

volumes:
  stalwart_data:
```

**After starting:** DNS records must be created manually. Stalwart's web admin generates the correct SPF, DKIM, and DMARC records — copy them into your DNS provider.

**Webmail gap:** Stalwart has no built-in webmail as of early 2026. Webmail development (using Rust/Dioxus) is on the 2026 roadmap. In the meantime, pair with Roundcube or Snappymail as a separate container.

**License note:** Stalwart uses AGPL-3.0 for the community edition plus a proprietary enterprise license. Enterprise features (multi-tenancy, advanced dashboards) require a paid subscription priced per mailbox. Core email functionality is fully open-source. Sponsors contributing $5+/month get an enterprise license automatically.

**Best for:** Advanced users who want the most configurable, scalable, and modern email server. Teams that need JMAP, CalDAV/CardDAV without Nextcloud, multi-tenancy, or clustered high-availability setups.

---

## Mox

Mox is a modern, opinionated mail server written in Go by Mechiel Lukkien. It's a single statically-linked binary with zero external dependencies — download, run, done. The SIDN (Netherlands Internet governance) reviewed four modern mail servers and rated Mox highest for security standard comprehensiveness.

**The quickstart workflow:**

```bash
# Download the Mox binary
wget https://github.com/mjl-/mox/releases/latest/download/mox-linux-amd64
chmod +x mox-linux-amd64

# Run quickstart - generates config and DNS records to add
sudo ./mox-linux-amd64 quickstart you@yourdomain.com

# Start Mox
sudo ./mox-linux-amd64 serve
```

The `mox quickstart` command:
1. Generates a configuration file
2. Automatically generates DKIM keys
3. Prints **every** DNS record you need to add (SPF, DKIM, DMARC, DANE, MTA-STS, CAA, TLSRPT, autoconfig, autodiscover)
4. Provisions Let's Encrypt TLS certificates on first start

**Security standards Mox handles:** SPF, DKIM, DMARC, DANE, DNSSEC, MTA-STS, TLSRPT, CAA, autoconfig/autodiscover for desktop clients. The SIDN review noted this as the most comprehensive implementation of the current email security stack.

**Built-in webmail:** Mox includes a minimal webmail — functional but not Roundcube-polished. Adequate for occasional browser-based access; most users will use Thunderbird or Apple Mail via IMAP.

**Spam filtering:** Bayesian filter with per-user learning. Trains on your mail over time — effective for personal use; requires tuning for organizational deployment.

**Maturity caveat:** v0.0.15 is the author being honest about stability. Mox is NLnet-funded, interoperability-tested against Gmail/Outlook/Yahoo/Proton, and used in production. The v0.0.x version signals that the developer hasn't declared it production-stable — not that it's broken. The progression to v1.0 will happen as the test coverage and API stability targets are met.

**Best for:** Technically comfortable users who want a modern, lean, single-binary email server with excellent security defaults and minimal operational complexity. The best option for solo/personal use and small organizations without Docker expertise.

---

## The Ecosystem: Mailcow, iRedMail, Mailu

Three other options worth knowing:

**Mailcow** — Docker-based full groupware stack (Postfix, Dovecot, SOGo, Rspamd, ClamAV, ActiveSync). The most feature-rich traditional alternative. Minimum 6 GB RAM; recommended 8 GB for 5–10 users. Runs ClamAV virus scanning by default — this alone adds ~1 GB RAM. Best for teams that want a complete Exchange-like groupware replacement with shared calendars, contacts, and virus scanning.

**iRedMail** — Traditional Postfix/Dovecot stack, optional Roundcube or SOGo webmail. The lightest option at 2 GB RAM minimum. Free OSE edition plus paid iRedAdmin-Pro admin UI. Best for budget-constrained single-domain deployments.

**Mailu** — Docker-based, designed to be simpler than Mailcow at lower resource cost. 2 GB RAM minimum. Smaller community and less active development than Mailcow. Best for users who want Docker convenience without Mailcow's resource demands.

---

## Deliverability: The Hard Part

Every self-hosted email guide glosses over IP reputation. This section doesn't.

**VPS IPs start with zero reputation.** Every major provider (Gmail, Outlook, Yahoo) assigns a trust score to sending IPs based on history. A fresh VPS IP has no history, so inbound mail from it is throttled, occasionally bounced, and sometimes filtered to spam — even with perfect SPF/DKIM/DMARC.

**How to warm up an IP:**

1. **Send small volumes first** — 10–20 emails/day for the first two weeks
2. **Only to people who expect mail from you** — bounces and spam reports crater your reputation permanently
3. **Monitor blacklists** — check [MXToolbox Blacklist Check](https://mxtoolbox.com/blacklists.aspx) weekly for the first month
4. **Verify your PTR record** — reverse DNS must resolve to your hostname. Check with your VPS provider; many allow custom PTR records. Without it, major providers reject your mail.
5. **Check port 25** — some VPS providers block outbound port 25 (used for server-to-server SMTP). Verify with `telnet smtp.gmail.com 25` from your server.

**All three tools automate the authentication setup correctly.** SPF, DKIM, and DMARC are the necessary conditions for deliverability — but not sufficient. IP reputation is earned over weeks, not configured in an afternoon.

**For transactional or bulk sending:** Don't use your self-hosted server. Route transactional email (password resets, notifications) through SES, Mailgun, or Postmark. Your self-hosted server handles your personal/organizational incoming and outgoing correspondence. The distinction matters.

---

## Resource Requirements

| Server | Min RAM | Practical | Notes |
|---|---|---|---|
| Mail-in-a-Box | 512 MB (official) | 1–2 GB | SpamAssassin memory-hungry |
| Stalwart | 1 GB | 1–2 GB | ~50 MB idle in Rust |
| Mox | 512 MB | 512 MB–1 GB | Go binary very lean |
| Mailcow | 4 GB (min) | 6–8 GB | ClamAV + Rspamd add up |
| iRedMail | 2 GB | 2–4 GB | Lightest traditional stack |

A $6–10/month VPS with 2 GB RAM handles Mail-in-a-Box or Mox comfortably for personal use or a small team (<20 users). Stalwart runs on even less at idle. Mailcow needs at least a $20/month instance.

---

## When NOT to Self-Host Email

Self-hosting email makes sense for privacy, control, and cost savings at scale. It does **not** make sense if:

- **Your organization depends on zero-downtime email** — you are the SLA. Provider-hosted email has 99.9%+ uptime; your VPS will have incidents.
- **You're sending bulk or transactional email** — self-hosted IPs get blacklisted for volume. Use a dedicated sending service.
- **Your team is non-technical** — maintaining a mail server is a developer/sysadmin task. A single misconfiguration can lose email permanently.
- **You're in a jurisdiction with strict compliance requirements** — HIPAA, certain financial regulations require signed agreements and specific controls that managed providers offer out-of-the-box.

For most individuals and privacy-focused small teams, self-hosted email is viable and rewarding. For organizations where email is mission-critical infrastructure, pay for a managed provider with an SLA.

---

## Choosing Your Tool

| Your situation | Best choice |
|---|---|
| Complete beginner, want everything automated | **Mail-in-a-Box** |
| Want modern single binary, good security defaults | **Mox** |
| Need JMAP, CalDAV/CardDAV, or clustering | **Stalwart** |
| Want Docker + groupware (shared calendars) | **Mailcow** |
| Lowest possible resource cost (2 GB VPS) | **iRedMail** or **Mox** |

---

*Browse all [email alternatives](/alternatives) at OSSAlt. Related: [Nextcloud vs Google Workspace migration](/guides/nextcloud-vs-google-workspace-migration-2026), [Schleswig-Holstein's full Microsoft exit](/guides/schleswig-holstein-replaced-microsoft-open-source-2026).*

For setting up outbound email delivery and DNS properly, the [Stalwart Mail Server](/guides/how-to-self-host-stalwart-mail-server-rust-2026) guide covers SMTP relay configuration, DKIM signing, and SPF/DMARC records — the same requirements apply to any self-hosted mail server.