Shroud.email is fully libre and open-source, and can be deployed on your own infrastructure. We provide a Docker Compose file for easy deployment.
You’ll need a server running on the public Internet, with ports 25, 80, and 443 open. In addition, you’ll need access keys for an S3-compatible object storage service.
Support for self-hosting setup is still new. Please open an issue on GitHub if you run into problems!
Clone our repo
You can find our docker-compose.yaml on GitHub. Start by cloning this repo.
Step 1: Create DNS records
Shroud.email uses two domains. If your domain is e.g. example.com, then the first domain (APP_DOMAIN in .env) is where the web UI will be served (e.g. app.example.com). The second domain (EMAIL_DOMAIN) is the domain used by email aliases. For this, you can use your root domain, so that email aliases end in your root domain.
Note that your APP_DOMAIN cannot be the same as your EMAIL_DOMAIN.

| Type | Name | Value | Purpose |
|------|------|-------|---------|
| A | example.com | your IP | Needed to get SSL certificate for example.com |
| TXT | example.com | v=spf1 mx -all | Don't allow other servers to send emails from your domain |
Step 2: Setup SPF
SPF (Sender Policy Framework) prevents others from forging emails from your domain.
If you added the SPF TXT record above, this should already be done. You can check your SPF configuration using free online tools like this one.
Step 3: Setup DKIM
DKIM (DomainKeys Identified Mail) uses public-key cryptography to sign messages from your domain, so recipients can be sure that emails were not forged.
First, generate your keypair. From the repo you cloned, run the following:
```sh
# cd to the dkim directory so keys are created in the right place
$ cd haraka/haraka_config/config/dkim
$ ./dkim_key_gen.sh example.com   # use your domain
```
Now look at ./example.com/dns inside that directory. This file shows the TXT DNS record you need to add.
Step 4: Set up DMARC
We’re getting there! DMARC builds on top of SPF and DKIM to tell recipients how to verify that emails really came from you.
Add the following TXT record at _dmarc.example.com, replacing you@example.com with your own email address:
```
v=DMARC1; p=none; ruf=mailto:you@example.com
```
This tells recipients to send a message to you if there are any DMARC errors.
Run the app
Step 1: Configure
Run `cp example.env .env` and enter your configuration in `.env`. `EMAIL_DOMAIN` should be a plaintext file with only this value, e.g. your root domain.
Step 2: Run it
```sh
docker compose up -d
```
And if you want to view logs:
```sh
docker compose logs -f
```
Step 3: Bundle SSL certificates
Once you see in the logs that Caddy has set up certificates for your domains, you can continue. Now that we have the certificates, we need to convert them to a format that the SMTP relay can understand. Run the following commands:
```sh
docker compose exec cron /etc/periodic/daily/bundle_certs
docker compose restart haraka
```
You only need to run this manually once; going forward it will run automatically once per day.
Step 4: Harden DMARC
Now that you're up and running, check whether you receive any DMARC reports at the email address you specified earlier.
If not, you can tighten your configuration by updating your DMARC TXT record to the following (again, replacing you@example.com with your own email address):
```
v=DMARC1; p=quarantine; aspf=s; adkim=s; ruf=mailto:you@example.com
```
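The SPF record from Step 2 and the two DMARC records above can be sanity-checked offline before (or after) you publish them. The checker below is an added example, not code from the Shroud.email repository; it assumes you paste in the TXT values yourself (for instance from `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`) and reports every way a record is weaker than the hardened configuration this guide ends with.

```python
"""Offline checker for the SPF and DMARC records this guide has you publish.
Added example (not part of the Shroud.email repo); record values are pasted in by hand."""


def parse_tags(record: str) -> dict:
    """Parse a 'k=v; k=v' style DMARC record into a dict with lowercased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: str) -> list:
    """Findings for an SPF record; an empty list means it matches the guide's record."""
    terms = [t.lower() for t in record.split()]
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    findings = []
    if "mx" not in terms:
        findings.append("no 'mx' mechanism: your own mail server is not authorised to send")
    if terms[-1] in ("~all", "?all"):
        findings.append(f"ends with {terms[-1]}: soft/neutral fail still lets forged mail through")
    elif terms[-1] != "-all":
        findings.append("no terminal '-all': unlisted senders are not rejected")
    return findings


def check_dmarc(record: str) -> list:
    """Findings relative to the hardened record in Step 4 (p=quarantine, aspf=s, adkim=s)."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append(f"p={tags.get('p', 'missing')}: monitor-only, forged mail is still delivered")
    for tag in ("aspf", "adkim"):
        # DMARC defaults to relaxed alignment, so a missing tag counts as relaxed
        if tags.get(tag, "r") != "s":
            findings.append(f"{tag} is relaxed: any subdomain of your root domain would align")
    if not (tags.get("rua") or tags.get("ruf")):
        findings.append("no rua/ruf: you will never receive DMARC reports")
    return findings


if __name__ == "__main__":
    # Constructed sample input: the initial (p=none) record from Step 4 of the DNS setup
    for finding in check_dmarc("v=DMARC1; p=none; ruf=mailto:you@example.com"):
        print("DMARC:", finding)
```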
Test your setup
Assuming you’ve already read about considerations when self-hosting, you know that it’s worth being careful when running your own mailserver.
Now, you should run some checks against your mailserver to ensure that you’re not running an open relay, that your SPF/DKIM/DMARC are configured properly, and that you’re not on any blocklists.
Here’s a non-exhaustive list of useful websites that can help check your configuration: