Deployment
Self-host Shroud.email
Shroud.email is fully libre and open-source, and can be deployed on your own infrastructure. We provide a Docker Compose file for easy deployment.
You’ll need a server running on the public Internet, with ports 25, 80, and 443 open. In addition, you’ll need access keys for an S3-compatible object storage service.
Support for self-hosting setup is still new. Please open an issue on GitHub if you run into problems!
Clone our repo
You can find our docker-compose.yaml on GitHub. Start by cloning this repo.
Configure SPF/DKIM
Step 1: Create DNS records
Shroud.email uses two domains. If your domain is e.g. example.com, then the first domain (APP_DOMAIN in .env) is where the web UI will be served (e.g. app.example.com). The second domain (EMAIL_DOMAIN) is the domain used by email aliases. For this, you can use your root domain, so that email aliases will end in @example.com.
Note that your APP_DOMAIN cannot be the same as your EMAIL_DOMAIN.
| Type | Name | Content | Notes |
|---|---|---|---|
| A | app.example.com | your IP | |
| A | example.com | your IP | Needed to get SSL certificate for example.com |
| MX | example.com | app.example.com | |
| TXT | example.com | v=spf1 mx -all | Don’t allow other servers to send emails from your domain |
Step 2: Setup SPF
SPF (Sender Policy Framework) prevents others from forging emails from your domain.
If you added the SPF TXT record above, this should already be done. You can check your SPF configuration using free online tools like this one.
Step 3: Setup DKIM
DKIM (DomainKeys Identified Mail) uses public-key cryptography to sign messages from your domain, so recipients can be sure that emails were not forged.
First, generate your keypair. From the repo you cloned, run the following:
# cd to the dkim directory so keys are created in the right place
$ cd haraka/haraka_config/config/dkim
$ ./dkim_key_gen.sh example.com # use your domainNow, look in the directory ./example.com/dns. This file shows the TXT DNS record you need to add.
Step 4: Set up DMARC
We’re getting there! DMARC builds on top of SPF and DKIM to tell recipients how to verify that emails really came from you.
Add the following TXT record for _dmarc.example.com, replace [email protected] with your own email address:
v=DMARC1; p=none; ruf=mailto:[email protected]This tells recipients to send a message to you if there are any DMARC errors.
Run the app
Step 1: Configure
cp example.env .envand enter your configuration in.env.- Update
haraka/haraka_config/config/mewith yourEMAIL_DOMAIN. It should be a plaintext file with only this value, e.g.
example.comStep 2: Run it
docker compose up -dAnd if you want to view logs:
docker compose logs -fStep 3: Bundle SSL certificates
Once you see in the logs that Caddy has setup certificates for your domains, you can continue. Now that we have the certificates, we need to convert them to a format that the SMTP relay can understand. Run the following command:
docker compose exec cron /etc/periodic/daily/bundle_certs
docker compose restart harakaYou only need to run this manually once; going forward it will run automatically once per day.
Step 4: Harden DMARC
Now you’re up and running, see if you receive any DMARC reports on the email you specified earlier.
If not, you can tighten your configuration by updating your DMARC TXT record to the following (again, replacing [email protected] with your own email address):
v=DMARC1; p=quarantine; aspf=s; adkim=s; ruf=mailto:[email protected]Test your setup
Assuming you’ve already read about considerations when self-hosting, you know that it’s worth being careful when running your own mailserver.
Now, you should run some checks against your mailserver to ensure that you’re not running an open relay, that your SPF/DKIM/DMARC are configured properly, and that you’re not on any blocklists.
Here’s a non-exhaustive list of useful websites that can help check your configuration: