Self-host Shroud.email

Shroud.email is fully libre and open-source, and can be deployed on your own infrastructure. We provide a Docker Compose file for easy deployment.

You’ll need a server with a public IP address and inbound ports 25, 80, and 443 open. Check that your provider also allows outbound connections on port 25: many cloud providers block it by default, and without it your server cannot forward alias mail to anyone. In addition, you’ll need access keys for an S3-compatible object storage service.

Support for self-hosting setup is still new. Please open an issue on GitHub if you run into problems!

Clone our repo

You can find our docker-compose.yaml on GitHub. Start by cloning this repo.

Configure SPF/DKIM

Step 1: Create DNS records

Shroud.email uses two domains. If your domain is e.g. example.com, then the first domain (APP_DOMAIN in .env) is where the web UI will be served (e.g. app.example.com). The second domain (EMAIL_DOMAIN) is the domain used by email aliases. For this, you can use your root domain, so that email aliases will end in @example.com.

Note that your APP_DOMAIN cannot be the same as your EMAIL_DOMAIN.

Type  Name             Content          Notes
A     app.example.com  your IP
A     example.com      your IP          Needed to obtain the SSL certificate for example.com
MX    example.com      app.example.com  Mail for alias addresses is delivered to your app host
TXT   example.com      v=spf1 mx -all   Only your MX host may send mail from your domain; everything else hard-fails

Step 2: Setup SPF

SPF (Sender Policy Framework) lets you publish which servers are allowed to send mail with your domain as the envelope sender. Receiving servers compare the connecting IP address against that list, so a forger sending from anywhere else fails the check.

If you added the SPF TXT record above, this is already done: the mx mechanism authorises the host named in your MX record (app.example.com, i.e. your server), and -all tells receivers to reject mail from any other source. You can verify the published record with a free online SPF checker.

Step 3: Setup DKIM

DKIM (DomainKeys Identified Mail) uses public-key cryptography: your server signs outgoing messages with a private key, and recipients fetch the matching public key from a DNS TXT record (published under a selector name below _domainkey.example.com) to verify that the message was not forged or altered in transit.

First, generate your keypair. From the repo you cloned, run the following:

# cd to the dkim directory so keys are created in the right place
$ cd haraka/haraka_config/config/dkim
$ ./dkim_key_gen.sh example.com # use your domain

Now, look at the file ./example.com/dns. It contains the TXT DNS record (name and value) you need to add. The private key written alongside it is what your server signs with: keep it out of version control and readable only by the Haraka container.

Step 4: Set up DMARC

We’re getting there! DMARC builds on top of SPF and DKIM: it tells receivers what to do with a message that fails both checks (or whose passing check does not align with the domain in the From: header), and where to send reports about what they saw.

Add the following TXT record for _dmarc.example.com, replacing you@example.com with an address you actually read:

v=DMARC1; p=none; rua=mailto:you@example.com; ruf=mailto:you@example.com

p=none is a monitoring-only policy: receivers deliver as usual but tell you what they observed. rua= asks for aggregate reports (typically daily), which most large receivers send; ruf= asks for per-message failure reports, which many receivers do not send at all, so do not rely on ruf alone to find out about problems. If the reporting address is on a different domain than example.com, that domain must publish an authorisation record (a TXT record named example.com._report._dmarc.<that-domain> containing v=DMARC1), otherwise receivers will silently drop the reports.
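To confirm that the records from steps 1 to 4 are published in the form this guide expects, here is an added shell script; it is not part of the Shroud.email repository. It assumes dig is installed; the domain, the selector name (take it from the dns file that dkim_key_gen.sh wrote) and the report address are placeholders. The *_ok functions inspect a record value and work on any string, so they can be exercised offline; fetch_txt and check_domain query live DNS.

```shell
#!/bin/sh
# Added example, not part of the Shroud.email repo: checks that the SPF, DKIM
# and DMARC records from the steps above are published in the expected form.
# The *_ok functions inspect a TXT value and return 0 (pass) / 1 (fail);
# fetch_txt and check_domain need network access and a working dig.
# The domain and selector passed to check_domain are placeholders: use your
# EMAIL_DOMAIN and the selector named in the dns file from dkim_key_gen.sh.

# SPF: v=spf1, authorises the MX host(s), hard-fails everything else (-all).
spf_ok() {
  case "$1" in
    "v=spf1 "*) ;;
    *) echo "SPF: record must start with v=spf1"; return 1 ;;
  esac
  case " $1 " in
    *" mx "*) ;;
    *) echo "SPF: 'mx' mechanism missing, your own MX host would not be authorised"; return 1 ;;
  esac
  case "$1" in
    *" -all") return 0 ;;
    *" ~all") echo "SPF: ends with ~all (softfail); use -all"; return 1 ;;
    *) echo "SPF: record must end with -all"; return 1 ;;
  esac
}

# DKIM: the selector record must carry a non-empty public key in p=.
# An empty p= is the DKIM way of saying "this key was revoked".
dkim_ok() {
  case "$1" in
    *"p="*) ;;
    *) echo "DKIM: no p= tag, this is not a DKIM key record"; return 1 ;;
  esac
  case "$1;" in
    *"p=;"*) echo "DKIM: empty p=, key is revoked"; return 1 ;;
  esac
  return 0
}

# DMARC: v=DMARC1 first, a real p= policy (sp= alone does not count), and an
# rua= address so that aggregate reports actually reach you.
dmarc_ok() {
  norm=$(printf '%s' "$1" | tr -d ' ')
  case "$norm" in
    "v=DMARC1;"*) ;;
    *) echo "DMARC: record must start with v=DMARC1;"; return 1 ;;
  esac
  case ";$norm;" in
    *";p=none;"*|*";p=quarantine;"*|*";p=reject;"*) ;;
    *) echo "DMARC: missing or invalid p= policy"; return 1 ;;
  esac
  case ";$norm;" in
    *";rua=mailto:"*) return 0 ;;
    *) echo "DMARC: no rua= address, you will receive no aggregate reports"; return 1 ;;
  esac
}

# Fetch the TXT record at $1 whose value contains $2, joining the quoted
# chunks that long DKIM keys are split into. Needs network access.
fetch_txt() {
  dig +short TXT "$1" | grep -F "$2" | head -n 1 | sed 's/" "//g; s/"//g'
}

# Run all three checks against live DNS, e.g.: check_domain example.com <selector>
check_domain() {
  domain=$1
  selector=$2
  rc=0
  spf_ok   "$(fetch_txt "$domain" 'v=spf1')"                  || rc=1
  dkim_ok  "$(fetch_txt "$selector._domainkey.$domain" 'p=')" || rc=1
  dmarc_ok "$(fetch_txt "_dmarc.$domain" 'v=DMARC1')"         || rc=1
  [ "$rc" -eq 0 ] && echo "all records look good for $domain"
  return "$rc"
}
```

Run it as `sh check_mail_dns.sh` after sourcing, or add `check_domain example.com yourselector` at the bottom. A DNS change can take a while to propagate, so a failing check right after publishing a record is not necessarily wrong; re-run once your resolver returns the new value.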

Run the app

Step 1: Configure

  • cp example.env .env and enter your configuration in .env.
  • Update haraka/haraka_config/config/me with your EMAIL_DOMAIN. It should be a plaintext file with only this value, e.g.
example.com

Step 2: Run it

docker compose up -d

And if you want to view logs:

docker compose logs -f

Step 3: Bundle SSL certificates

Once the logs show that Caddy has set up certificates for your domains, you can continue. Caddy stores the certificates in its own layout, so they need to be bundled into the file format Haraka (the SMTP relay) expects, and Haraka restarted to pick them up. Run the following commands:

docker compose exec cron /etc/periodic/daily/bundle_certs
docker compose restart haraka

You only need to run this manually once; going forward it will run automatically once per day.

Step 4: Harden DMARC

Now that you’re up and running, watch the DMARC reports arriving at the address you specified earlier. Once they show that your own mail passes and nothing unexpected is sending as your domain, tighten the policy by updating your DMARC TXT record to the following (again replacing you@example.com with your own email address):

v=DMARC1; p=quarantine; aspf=s; adkim=s; rua=mailto:you@example.com; ruf=mailto:you@example.com

p=quarantine asks receivers to treat failing mail as spam instead of delivering it normally. aspf=s and adkim=s require strict alignment: the domain in the From: header must exactly equal the domain used for the SPF check and the DKIM d= domain, with no subdomain allowed; DMARC still passes if either aligned check passes. Once quarantine has caused no complaints, p=reject is the final step.

Test your setup

Assuming you’ve already read about considerations when self-hosting, you know that it’s worth being careful when running your own mailserver.

Now, you should run some checks against your mail server: that it is not an open relay (it must refuse mail from an outside sender addressed to an outside recipient), that your SPF/DKIM/DMARC records are published correctly, that the reverse DNS (PTR) record of your IP address resolves to your mail host name, and that your IP is not on any blocklists.
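The open-relay check described above, as an added example that is not part of the Shroud.email project: a minimal SMTP probe in shell. It assumes nc (netcat) is installed and reachable from a host outside your server; the host name and the relaytest.invalid addresses are placeholders, and the transcripts used to illustrate the verdict are constructed, not captured from Haraka.

```shell
#!/bin/sh
# Added example, not part of the Shroud.email repo: a minimal open-relay
# probe for the SMTP listener on port 25. It runs one session that asks the
# server to accept mail from an outside sender to an outside recipient; a
# correctly configured relay must reject the RCPT TO with a 5xx reply.
# MAILHOST and the relaytest.invalid addresses are placeholders.

MAILHOST="${MAILHOST:-app.example.com}"

# The probe session. Sender and recipient are both foreign domains, so the
# only reason the server could accept RCPT TO is that it relays for anyone.
# $1 is a delay (seconds) between commands so a live server sees them one
# at a time; the default 0 is used when only the text is needed.
relay_probe_commands() {
  d=${1:-0}
  sleep "$d"; printf 'EHLO relaytest.invalid\r\n'
  sleep "$d"; printf 'MAIL FROM:<probe@relaytest.invalid>\r\n'
  sleep "$d"; printf 'RCPT TO:<victim@relaytest.invalid>\r\n'
  sleep "$d"; printf 'QUIT\r\n'
}

# Extract the reply code to RCPT TO from a session transcript. Only "final"
# reply lines (three digits followed by a space) are counted, so the
# multi-line EHLO response ("250-...") does not shift the position:
#   1: 220 banner   2: EHLO   3: MAIL FROM   4: RCPT TO   5: QUIT
rcpt_reply_code() {
  printf '%s\n' "$1" | tr -d '\r' | grep -E '^[0-9]{3} ' | sed -n '4p' | cut -c1-3
}

# Verdict: 0 = relay refused (good), 1 = open relay, 2 = unexpected/no reply.
relay_verdict() {
  code=$(rcpt_reply_code "$1")
  case "$code" in
    5??) echo "ok: RCPT TO rejected ($code), not an open relay"; return 0 ;;
    2??) echo "DANGER: RCPT TO accepted ($code), the server is an open relay"; return 1 ;;
    *)   echo "unexpected or missing reply to RCPT TO: '$code'"; return 2 ;;
  esac
}

# Live run (needs network): feed the session to nc, one command per second,
# and judge the transcript. nc -w 5 gives up after 5 idle seconds.
run_relay_probe() {
  transcript=$( { sleep 2; relay_probe_commands 1; } | nc -w 5 "$MAILHOST" 25 )
  relay_verdict "$transcript"
}
```

Run `run_relay_probe` from a machine that is not your server; from the server itself, or from any address you have whitelisted for relaying, an accepted RCPT TO is expected and proves nothing. A 4xx reply (temporary rejection) ends up in the "unexpected" branch on purpose: greylisting or rate limiting does not show whether relaying is allowed, so repeat the probe later rather than treating it as a pass.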

Here’s a non-exhaustive list of useful websites that can help check your configuration: