1. What Is Stalwart?
Stalwart Mail Server (developed by Stalwart Labs) is a modern, open-source mail server written entirely in Rust. Unlike traditional setups that chain together Postfix, Dovecot, Rspamd and a constellation of other daemons, Stalwart ships as a single binary that handles every mail protocol and function you need:
- SMTP — sending and relaying email (with full RFC 5321 compliance)
- IMAP4rev2 — mail retrieval for clients (RFC 9051)
- POP3 — legacy mail download protocol
- JMAP — JSON Meta Application Protocol (RFC 8620 / 8621), the modern alternative to IMAP
- ManageSieve — remote management of Sieve filter scripts
- Built-in spam & phishing filter — no external Rspamd or SpamAssassin needed
- WebAdmin UI — browser-based administration panel
- REST API — full programmatic control
The project is licensed under the AGPL-3.0 (open-source) with an optional commercial enterprise licence that removes the copyleft requirement and adds priority support. It is actively maintained on GitHub with regular releases.
2. Why Choose Stalwart?
Running your own email server has historically been one of the most complex and fragile self-hosting projects. Stalwart is designed to change that calculus.
2.1 Single-binary simplicity
Traditional self-hosted email stacks require at minimum Postfix (SMTP), Dovecot (IMAP), and a spam filter like Rspamd — each with its own configuration syntax, log format, and failure modes. Stalwart collapses all of this into one process, one config file, and one place to look when something goes wrong.
2.2 Written in Rust
Rust's memory-safety guarantees eliminate entire classes of vulnerabilities — buffer overflows, use-after-free bugs, and data races — that have historically plagued C-based mail servers. Beyond security, Rust's performance characteristics give Stalwart exceptional throughput with low memory overhead: a fresh installation with no messages consumes under 50 MB of RAM.
2.3 First-class JMAP support
IMAP was designed in 1986 and extended repeatedly. JMAP (JSON Meta Application Protocol) is its modern replacement: stateless, JSON-based, push-friendly and suitable for mobile clients on unreliable connections. Stalwart is among the most mature JMAP implementations available and supports JMAP for Mail (RFC 8621) fully.
2.4 Modern email authentication built in
SPF verification, DKIM signing and verification, DMARC enforcement, ARC (Authenticated Received Chain) sealing, and BIMI (Brand Indicators for Message Identification) are all built into the core — not bolted on via milters or external scripts.
2.5 When Stalwart might NOT be the right choice
- You need a full groupware suite (calendar, contacts, tasks) — consider Mailcow or Mailu which bundle Roundcube or SOGo.
- You want a point-and-click GUI that abstracts all configuration — Stalwart's WebAdmin is powerful but not beginner-proof.
- Your compliance requirements demand a commercially certified solution with formal SLAs.
3. Architecture Overview
    Internet
        │
        ▼ port 25 (SMTP ingress)
┌───────────────────────────────────────┐
│            Stalwart Binary            │
│                                       │
│  ┌──────────┐  ┌──────────────────┐   │
│  │   SMTP   │  │ Spam / DNSBL /   │   │
│  │  engine  │→ │ Auth filter      │   │
│  └──────────┘  └──────────────────┘   │
│                        │              │
│  ┌─────────────────────▼──────────┐   │
│  │         Message Store          │   │
│  │  (RocksDB / SQLite / PgSQL…)   │   │
│  └─────────────────────┬──────────┘   │
│                        │              │
│  ┌─────────┐  ┌────────┴───────┐      │
│  │  IMAP4  │  │  JMAP / HTTP   │      │
│  │  POP3   │  │  WebAdmin API  │      │
│  └─────────┘  └────────────────┘      │
└───────────────────────────────────────┘
        │           │             │
    port 993    port 443      port 8080
    (IMAPS)   (JMAP/HTTPS)     (Admin)
All components share the same in-process message store and configuration object, which means there is no IPC overhead between a "receiving" daemon and a "serving" daemon — a design that significantly simplifies consistency and reduces latency on large mailboxes.
4. System Requirements
| Component | Minimum | Recommended |
|---|---|---|
| OS | Any Linux (kernel ≥ 4.x) | Ubuntu 22.04 LTS / Debian 12 |
| CPU | 1 vCPU | 2+ vCPUs |
| RAM | 512 MB | 2 GB+ (4 GB for active domains) |
| Disk | 10 GB | 50 GB+ SSD (scales with mailbox size) |
| Network | Static IPv4 with port 25 open | Static IPv4 + IPv6, rDNS set |
| Domain | A domain you control DNS for | Dedicated domain, separate from web |
Important: Most residential ISPs and many cloud providers (AWS EC2, Google Cloud) block outbound port 25 by default. You will need a VPS or dedicated server where port 25 is explicitly available — Hetzner, OVH, Contabo and DigitalOcean (with a ticket) are popular choices.
5. Installation
5.1 Install via the official install script
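The quickest path is the one-line installer, which downloads the appropriate binary for your architecture, creates a systemd service, and sets up the default directory structure under /opt/stalwart-mail. The script runs as root, so consider saving install.sh to a file and reading it before executing it, rather than piping it straight into sh: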
# Download and run the install script (as root)
curl --proto '=https' --tlsv1.2 -sSf \
https://get.stalw.art/install.sh | sh
The script will prompt you for:
- Your primary mail domain (e.g., example.com)
- Your hostname (e.g., mail.example.com)
- The storage backend to use (defaults to RocksDB for single-server setups)
5.2 Manual binary install
If you prefer to manage the process yourself, download the pre-built binary from the GitHub Releases page:
# Example for Linux x86_64 — check releases page for latest version
wget https://github.com/stalwartlabs/mail-server/releases/latest/download/stalwart-mail-x86_64-unknown-linux-gnu.tar.gz
tar -xzf stalwart-mail-x86_64-unknown-linux-gnu.tar.gz
sudo mv stalwart-mail /usr/local/bin/
sudo chmod +x /usr/local/bin/stalwart-mail
# Create required directories and a dedicated user
sudo useradd -r -s /sbin/nologin stalwart
sudo mkdir -p /opt/stalwart-mail/{data,logs,queue,config}
sudo chown -R stalwart:stalwart /opt/stalwart-mail
5.3 Running as a systemd service
Create /etc/systemd/system/stalwart-mail.service:
[Unit]
Description=Stalwart Mail Server
After=network.target
[Service]
Type=simple
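User=stalwart
# A non-root user cannot bind ports below 1024 (25, 443, 587, 993) without this capability
AmbientCapabilities=CAP_NET_BIND_SERVICE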
ExecStart=/usr/local/bin/stalwart-mail --config /opt/stalwart-mail/config/config.toml
Restart=on-failure
RestartSec=5
LimitNOFILE=65535
[Install]
WantedBy=multi-user.target
Reload systemd, then enable and start the service:
sudo systemctl daemon-reload
sudo systemctl enable --now stalwart-mail
sudo systemctl status stalwart-mail
6. Initial Configuration
Stalwart uses a TOML configuration file (by default at /opt/stalwart-mail/config/config.toml) and a key-value store for dynamic settings that can be changed at runtime via the WebAdmin or REST API.
6.1 Core config structure
The configuration is divided into logical sections. Below is an annotated skeleton covering the most important settings:
[server]
hostname = "mail.example.com"
# SMTP listener (port 25 — inbound from internet)
[[server.listener]]
id = "smtp"
bind = ["0.0.0.0:25"]
protocol = "smtp"
tls.implicit = false # STARTTLS, not implicit TLS
# SMTP submission (port 587 — outbound from clients)
[[server.listener]]
id = "submission"
bind = ["0.0.0.0:587"]
protocol = "smtp"
tls.implicit = false
# IMAPS (port 993)
[[server.listener]]
id = "imaps"
bind = ["0.0.0.0:993"]
protocol = "imap"
tls.implicit = true
# HTTPS — JMAP + WebAdmin (port 443)
[[server.listener]]
id = "https"
bind = ["0.0.0.0:443"]
protocol = "http"
tls.implicit = true
[storage]
data = "rocksdb" # primary message store
blob = "rocksdb" # attachment/message body store
lookup = "rocksdb" # rate limiting, anti-spam lookups
fts = "rocksdb" # full-text search index
[authentication.fallback-admin]
user = "admin"
secret = "CHANGE_ME" # hashed with argon2 in WebAdmin
6.2 Accessing the WebAdmin
After starting Stalwart, navigate to https://YOUR_IP/admin (or http://YOUR_IP:8080 if you haven't set up TLS yet). Log in with the admin credentials from your config. From here you can manage domains, accounts, DKIM keys, anti-spam rules, queues, and server settings — all without editing config files manually.
7. DNS Setup: MX, SPF, DKIM & DMARC
Correct DNS is the most important factor for email deliverability. A missing or incorrect record will cause your mail to be silently dropped or rejected by Gmail, Outlook, and other major providers.
7.1 MX Record
The MX record tells the internet where to deliver mail for your domain. Add this to your DNS zone:
; Zone: example.com
@ IN MX 10 mail.example.com.
mail IN A 203.0.113.1 ; your server's IP
mail IN AAAA 2001:db8::1 ; IPv6 (recommended)
7.2 Reverse DNS (rDNS / PTR)
Set a PTR record for your server IP that resolves back to your mail hostname. This is configured through your VPS provider's panel, not your domain registrar:
; PTR record (set in your VPS/hosting panel)
1.113.0.203.in-addr.arpa IN PTR mail.example.com.
Without a matching rDNS record, many receiving mail servers will reject or heavily penalise your messages.
7.3 SPF Record
Sender Policy Framework authorises which IP addresses are permitted to send mail for your domain:
; TXT record on example.com
@ IN TXT "v=spf1 mx ~all"
mx means "the IPs in this domain's MX records are authorised". ~all means "softfail everything else" (recommended over -all hard-fail until you're confident your setup is complete).
7.4 DKIM
DomainKeys Identified Mail signs outgoing messages with a private key. The recipient verifies the signature against a public key published in DNS. Generate a DKIM key pair in Stalwart's WebAdmin under Settings → Domains → Your Domain → DKIM. Stalwart will display the DNS TXT record you need to publish:
; TXT record — selector is usually "stalwart" or a date string
stalwart._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBg..."
7.5 DMARC
DMARC ties SPF and DKIM together and tells receiving servers what to do when a message fails both checks:
_dmarc.example.com IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"
- p=none — monitor only (start here)
- p=quarantine — move failures to spam
- p=reject — refuse failures outright (end goal)
- rua — address to receive aggregate reports (invaluable for diagnosing delivery problems)
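The SPF and DMARC values from sections 7.3 and 7.5 can be checked before they are published. The Python linter below is an added example, not part of Stalwart or of the original guide; its function names and severity labels are this example's own, and it inspects the TXT value only, without querying DNS.

```python
"""Offline lint for SPF and DMARC TXT values (added example, no DNS lookups)."""

# RFC 7208: these terms trigger DNS queries and are capped at 10 per check.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _spf_name(term):
    """Return a term's name without its qualifier or argument, lowercased."""
    name = term.lower().lstrip("+-~?")
    for sep in (":", "/", "="):
        name = name.split(sep, 1)[0]
    return name


def lint_spf(record):
    """Return (severity, message) findings for one SPF TXT value."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("high", "not an SPF record (must start with v=spf1)")]
    findings = []
    names = [_spf_name(t) for t in terms[1:]]
    if sum(n in SPF_LOOKUP_TERMS for n in names) > 10:
        findings.append(("high", "over 10 DNS-lookup terms: receivers return permerror"))
    if "all" not in names:
        if "redirect" not in names:
            findings.append(("medium", "no 'all' term: unlisted senders evaluate to neutral"))
        return findings
    pos = names.index("all")
    term = terms[pos + 1]
    qualifier = term[0] if term[0] in "+-~?" else "+"  # bare 'all' means '+all'
    if qualifier == "+":
        findings.append(("high", "+all authorises every host to send as this domain"))
    elif qualifier == "?":
        findings.append(("medium", "?all is neutral: receivers get no policy signal"))
    elif qualifier == "~":
        findings.append(("info", "~all softfails unlisted senders; move to -all once all sources are known"))
    if pos != len(names) - 1:
        findings.append(("medium", "terms after 'all' are never evaluated"))
    return findings


def parse_tags(record):
    """Split 'tag=value; tag=value' into an ordered dict of lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record):
    """Return (severity, message) findings for one DMARC TXT value."""
    tags = parse_tags(record)
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return [("high", "not a DMARC record (v=DMARC1 must be the first tag)")]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(("high", f"missing or invalid p= policy: {policy!r}"))
    elif policy == "none":
        findings.append(("info", "p=none only monitors; failing mail is still delivered"))
    if "rua" not in tags:
        findings.append(("medium", "no rua= address: no aggregate reports will arrive"))
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) > 100:
        findings.append(("high", f"invalid pct= value: {pct!r}"))
    elif int(pct) < 100 and policy != "none":
        findings.append(("medium", f"pct={pct}: policy covers only part of failing mail"))
    return findings


if __name__ == "__main__":
    # The two records shown in sections 7.3 and 7.5 of this guide.
    checks = (
        ("SPF", lint_spf("v=spf1 mx ~all")),
        ("DMARC", lint_dmarc("v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100")),
    )
    for label, result in checks:
        print(label, result or "no findings")
```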
7.6 MTA-STS and DANE
MTA-STS (RFC 8461) forces TLS for inbound connections to your server by publishing a policy file and DNS record. DANE (DNS-Based Authentication of Named Entities) pins your TLS certificate to a TLSA DNS record. Both are optional but strongly recommended for high-security deployments. Stalwart supports both as verification mechanisms on outbound connections.
8. TLS & Certificate Management
Stalwart can manage TLS certificates automatically via ACME (the protocol behind Let's Encrypt and ZeroSSL). Configure it in the WebAdmin under Settings → TLS or in TOML:
[certificate.default]
cert = "%{file:/opt/stalwart-mail/config/tls/cert.pem}%"
private-key = "%{file:/opt/stalwart-mail/config/tls/key.pem}%"
# Or use ACME auto-renewal:
[acme.letsencrypt]
directory = "https://acme-v02.api.letsencrypt.org/directory"
contact = ["mailto:admin@example.com"]
domains = ["mail.example.com"]
When ACME is configured, Stalwart handles certificate issuance and renewal entirely automatically — no cron jobs, no Certbot, no external tooling.
For the best security posture, also enable DANE/TLSA by publishing a TLSA record in DNS once your certificate is stable, and consider enabling SMTP REQUIRETLS (RFC 8689) for highly sensitive mail flows.
9. Managing Accounts & Domains
Stalwart supports four directory backends for account management, letting you integrate with your existing infrastructure:
| Backend | Best for | Notes |
|---|---|---|
| Internal (SQL) | Simple setups, few domains | Default. Managed entirely via WebAdmin or REST API. |
| LDAP | Corporate environments, Active Directory | Read-only or read-write integration. |
| PostgreSQL / MySQL | Custom applications, existing user DBs | SQL queries are fully customisable. |
| OIDC (OpenID Connect) | SSO, Keycloak, Authentik | Federated auth — users authenticate against your identity provider. |
9.1 Creating accounts via WebAdmin
- Navigate to Accounts → Add Account.
- Enter username, display name, password, and storage quota.
- Assign the account to a domain.
- Optionally add aliases (e.g., info@, support@).
9.2 Adding a new domain
- In WebAdmin, go to Settings → Domains → Add Domain.
- Enter the domain name and configure DKIM key generation.
- Publish the DNS records shown in the DKIM section.
- Verify DNS propagation with:
dig TXT stalwart._domainkey.yourdomain.com
10. Spam & Phishing Filtering
Stalwart ships with a built-in, composite spam and phishing filter that combines multiple detection techniques without requiring any external daemon:
- DNS Blocklists (DNSBLs): Checks sender IP and domain against lists like Spamhaus ZEN, SpamCop, and URIBL. Configurable list of blocklists and weights.
- Bayesian classifier: A trainable naive-Bayes statistical filter that learns from your flagged spam and ham (non-spam) messages over time.
- URL and phishing analysis: Parses message bodies for suspicious URLs, checks them against phishing feeds, and detects homoglyph attacks (visually similar characters used to spoof domain names).
- Header analysis: Validates DKIM signatures, SPF results, and DMARC alignment — and adds scores when they fail.
- Rate limiting: Throttles senders that exceed configurable message-per-hour or connection-per-minute thresholds.
- Reputation scoring: Builds a local reputation score for each sender based on historical behaviour.
10.1 Configuring spam thresholds
In the WebAdmin under Settings → Anti-Spam, you can tune:
- Spam threshold: Score at which mail is tagged as spam (default: 5.0). Mail above this score is moved to the Junk folder.
- Discard threshold: Score at which mail is silently discarded (default: 12.0). Use with caution.
- Reject threshold: Score at which mail is rejected at the SMTP level (default: 15.0).
10.2 Training the Bayesian filter
The Bayesian filter improves significantly with training. Users can train it by moving messages to/from the Junk IMAP folder — Stalwart watches these moves and updates the classifier automatically (compatible with IMAP client-side training used by Thunderbird and Apple Mail).
11. Sieve — Server-Side Email Filtering
Sieve (RFC 5228) is a scripting language for server-side mail filtering. With Stalwart, every account can have its own Sieve script that runs on message delivery — before the client ever sees the mail. Common uses include:
- Auto-sorting into folders (newsletters to a "Lists" folder, receipts to "Finance")
- Auto-replying when on holiday
- Forwarding specific mail to another address
- Rejecting messages from specific senders
Scripts are managed via ManageSieve (RFC 5804) — supported natively by Thunderbird (under "Message Filters → Manage Server-Side Filters") and by Roundcube, Rainloop and other webmailers. Example Sieve script:
require ["fileinto", "imap4flags"];
# Move newsletters to a dedicated folder
if header :contains "List-Unsubscribe" "" {
fileinto "Lists";
stop;
}
# Flag messages from the boss as important
if address :is "from" "boss@company.com" {
addflag "\\Flagged";
}
12. JMAP — The Modern Email Protocol
JMAP (JSON Meta Application Protocol) was standardised by the IETF as RFCs 8620 and 8621. It is designed to address the fundamental architectural weaknesses of IMAP:
| Feature | IMAP4 | JMAP |
|---|---|---|
| Transport | Custom TCP protocol | HTTPS / WebSockets |
| Data format | Custom text commands | JSON |
| Sync model | Stateful — reconnect required on change | Stateless — push-based state tokens |
| Batch operations | Serial only | Multiple methods in one HTTP request |
| Mobile-friendliness | Poor — polling required | Excellent — push events, resumable |
| Client library support | Mature (decades) | Growing fast (jmap-client-ts, cyrus-jmap, etc.) |
Stalwart fully implements JMAP for Mail (RFC 8621), JMAP for Quotas (RFC 9425), and JMAP for Blob Management (RFC 9404). Clients supporting JMAP today include Fastmail's principles (they co-authored the spec), Mimestream (macOS/iOS), and Ltt.rs (Android). Standard IMAP clients continue to work normally alongside JMAP on the same Stalwart instance.
13. Storage Backends
Stalwart abstracts its storage layer, allowing you to choose a backend appropriate to your scale and operational comfort:
| Backend | Best for | Characteristics |
|---|---|---|
| RocksDB | Single-server, up to a few hundred accounts | Embedded, zero-config, very fast on SSDs, no separate process |
| SQLite | Development / very small installs | Embedded, simple; not recommended for high concurrency |
| PostgreSQL | Large deployments, high availability | External service; enables replication, connection pooling |
| MySQL / MariaDB | Existing MySQL infrastructure | External service; same trade-offs as PostgreSQL |
| FoundationDB | Very large scale (>10k accounts) | External distributed KV store; horizontal scaling |
| S3 / MinIO | Blob (attachment) storage at scale | Offload large blobs to object storage; can be combined with any metadata backend |
For most self-hosted deployments with fewer than 500 accounts, RocksDB is the right choice: it requires no additional infrastructure and performs excellently. Switch to PostgreSQL when you need HA failover, replicas, or want to query the mail database directly.
14. Security Hardening
14.1 Network firewall
Expose only the ports you actually need. A typical production firewall using ufw:
ufw default deny incoming
ufw allow 22/tcp # SSH
ufw allow 25/tcp # SMTP (inbound from internet)
ufw allow 465/tcp # SMTPS (optional legacy)
ufw allow 587/tcp # Submission (STARTTLS)
ufw allow 993/tcp # IMAPS
ufw allow 443/tcp # HTTPS (JMAP, WebAdmin)
ufw enable
Block port 143 (plain IMAP) and port 110 (plain POP3) unless you have legacy clients that cannot use TLS. Never expose port 8080 (plain HTTP WebAdmin) to the internet after initial setup.
14.2 Disable open relay
An open relay accepts and forwards mail from any sender to any recipient — a quick path to being blacklisted. Stalwart is not an open relay by default, but verify your configuration: under Settings → SMTP → Relay, ensure that unauthenticated clients can only send mail to domains hosted on your server, not to arbitrary external addresses.
14.3 Fail2ban integration
Stalwart logs failed authentication attempts in a parseable format. A Fail2ban jail watching these logs will automatically block IPs after repeated failed logins — essential for protecting the submission port from credential-stuffing attacks.
14.4 Rate limiting
Configure rate limits under Settings → Rate Limiting to restrict how many messages a single authenticated user or IP address can send per hour. This contains the damage if an account is compromised and used to send spam.
14.5 Encryption at rest
For environments with strict data protection requirements, enable Stalwart's at-rest encryption feature, which encrypts message bodies in the store using per-message or per-account keys. This protects messages if the physical storage medium is compromised, though the keys must be accessible to the running server for normal operation.
15. Monitoring & Logs
Stalwart emits structured logs in JSON or human-readable format and exposes a Prometheus-compatible metrics endpoint at /metrics. Key metrics to monitor:
| Metric | What it tells you | Alert threshold |
|---|---|---|
| smtp_messages_received_total | Inbound message volume | Spike > 3× baseline may indicate someone is using you as a relay target |
| smtp_messages_rejected_total | Rejected inbound messages | Sustained high rejection = spam campaign aimed at you |
| queue_messages_total | Messages waiting to be delivered | >500 for >15 minutes may indicate delivery failures |
| imap_connections_active | Active IMAP sessions | Abnormal spike could indicate a credential breach |
| auth_failures_total | Authentication failures | Sustained rate >10/min per IP = brute-force in progress |
Integrate with Grafana + Prometheus for dashboards, or use the built-in WebAdmin's real-time queue and log viewer for quick debugging without additional infrastructure.
16. Backup & Restore
An email server backup strategy must cover three things: the message store, the configuration, and the DNS records (kept off-server).
16.1 Backing up the message store
For RocksDB: use Stalwart's built-in backup command, which creates a consistent snapshot without stopping the server:
# Create a backup to /var/backups/stalwart/
stalwart-mail --config /opt/stalwart-mail/config/config.toml \
--export /var/backups/stalwart/$(date +%Y%m%d)
# Or trigger via the REST API:
curl -X POST https://mail.example.com/api/store/backup \
-H "Authorization: Bearer YOUR_API_TOKEN"
16.2 Backing up configuration
# Just copy the config directory — it's all plain files
rsync -av /opt/stalwart-mail/config/ \
backup-server:/backups/stalwart/config/$(date +%Y%m%d)/
16.3 Restore procedure
Stop the service, replace the data directory with the backup, restore the config files, then restart. For large RocksDB stores, test the restore procedure in a staging environment before you need it in production — a backup you haven't tested isn't really a backup.
17. Improving Email Deliverability
Even with perfect DNS configuration, new mail servers face a "reputation warmup" period. Major receivers (Gmail, Outlook, Yahoo) apply stricter scrutiny to mail from IPs with no sending history.
17.1 IP warmup
Start by sending low volumes (50–100 messages/day), exclusively to addresses you know are active and engaged. Gradually increase volume over 4–6 weeks. Sudden high volumes from a fresh IP are a strong spam signal.
17.2 Tools to verify your setup
- MXToolbox SuperTool — check MX, SPF, DKIM, DMARC, blacklists in one place
- Mail-Tester — send a test message and get a 10-point deliverability score
- DKIM Validator — verify DKIM signature on individual messages
- dmarcian DMARC Inspector — parse and explain your DMARC record
- Google Postmaster Tools — if you send to Gmail users, enroll your domain to get deliverability feedback directly from Google
17.3 Monitor DMARC aggregate reports
The rua address in your DMARC record will start receiving XML reports from major receivers within 24–48 hours of your first sent messages. These reports reveal which sources are sending mail as your domain, whether SPF and DKIM are passing, and where forgery attempts are coming from. Tools like dmarcian, Postmark's DMARC Digests, or the free tier of URIports parse these XML files into human-readable dashboards.
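One way to triage the aggregate reports described above, as an added Python example that is not part of Stalwart or of the original guide: it reads the RFC 7489 report XML and lists the source IPs whose mail failed DMARC. The sample report, its IP addresses and the size cap are constructed for illustration.

```python
"""Summarise a DMARC aggregate (rua) report per sending IP (added example)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Anyone can mail XML to the rua address, so treat reports as untrusted input:
# cap the size (assumed limit) and prefer defusedxml.ElementTree in production.
MAX_REPORT_SIZE = 5 * 1024 * 1024

# Constructed sample in the RFC 7489 aggregate-report layout (not real data).
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>203.0.113.1</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>7</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""


def summarise(xml_text):
    """Return {source_ip: {"pass": n, "fail": n}} of DMARC-evaluated message counts."""
    if len(xml_text) > MAX_REPORT_SIZE:
        raise ValueError("report too large")
    root = ET.fromstring(xml_text)
    for el in root.iter():  # some reporters add an XML namespace; drop it
        el.tag = el.tag.rsplit("}", 1)[-1]
    if root.tag != "feedback":
        raise ValueError("not a DMARC aggregate report")
    per_ip = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in root.iter("row"):
        ip = (row.findtext("source_ip") or "").strip()
        count = (row.findtext("count") or "").strip()
        if not ip or not count.isdigit():
            continue  # skip malformed rows rather than guess
        dkim = (row.findtext("policy_evaluated/dkim") or "").strip().lower()
        spf = (row.findtext("policy_evaluated/spf") or "").strip().lower()
        # DMARC passes when either aligned check passes (e.g. forwarded mail
        # that breaks SPF but keeps a valid DKIM signature).
        verdict = "pass" if "pass" in (dkim, spf) else "fail"
        per_ip[ip][verdict] += int(count)
    return dict(per_ip)


def failing_sources(summary):
    """IPs that sent mail as the domain and failed DMARC, busiest first."""
    bad = [(ip, counts["fail"]) for ip, counts in summary.items() if counts["fail"]]
    return sorted(bad, key=lambda item: -item[1])


if __name__ == "__main__":
    report = summarise(SAMPLE_REPORT)
    for ip, counts in report.items():
        print(f"{ip:15} pass={counts['pass']:<4} fail={counts['fail']}")
    print("investigate:", failing_sources(report))
```

A source that appears only in the failing list is either a legitimate sender you have not yet authorised in SPF/DKIM or someone forging your domain; the report alone does not distinguish the two.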
18. Stalwart vs. Alternatives
| Solution | Architecture | JMAP | Built-in spam filter | Ease of setup | Language |
|---|---|---|---|---|---|
| Stalwart | Single binary | ✅ Full RFC 8621 | ✅ Built-in composite | ⭐⭐⭐⭐ | Rust |
| Postfix + Dovecot | Two daemons + extras | ❌ (third-party) | ❌ (needs Rspamd/SA) | ⭐⭐ | C |
| Mailcow | Docker stack (~15 containers) | ❌ | ✅ Rspamd | ⭐⭐⭐ | PHP + C |
| Mailu | Docker stack (~8 containers) | ❌ | ✅ Rspamd | ⭐⭐⭐ | Python + C |
| Maddy | Single binary | ❌ | Limited | ⭐⭐⭐ | Go |
| iRedMail | Traditional stack installer | ❌ | ✅ SpamAssassin | ⭐⭐⭐ | Python + C |
Stalwart's main advantages are its unified architecture, Rust memory safety, and native JMAP. Its main disadvantage compared to Mailcow or iRedMail is the absence of a bundled webmail client — you'll need to run Roundcube or Snappymail separately, or point users to a desktop/mobile client.
19. Troubleshooting Common Issues
Mail not being delivered outbound
- Port 25 blocked: Run telnet smtp.gmail.com 25 from your server. If it hangs, your host blocks outbound port 25. Contact your provider or use port 587 to a smarthost relay (SendGrid, Mailgun, etc.).
- IP on a blacklist: Check at MXToolbox Blacklist Check. Request delisting from each list — Spamhaus and other reputable lists have straightforward delisting processes for clean IPs.
- Missing rDNS: Confirm with dig -x YOUR_IP. If no PTR record returns, contact your VPS provider to set one.
DKIM signature failing verification
- Verify the public key is published: dig TXT stalwart._domainkey.example.com
- Check for trailing newlines or whitespace in the DNS TXT record — some DNS panels add them silently.
- Confirm the selector in your Stalwart config matches the selector in the DNS record.
Users cannot connect via IMAP
- Confirm port 993 is listening: ss -tlnp | grep 993
- Verify TLS certificate is valid and matches the hostname clients are connecting to.
- Check the Stalwart logs for authentication errors: journalctl -u stalwart-mail -n 100
WebAdmin returns 502 or is unreachable
- Confirm Stalwart is running: systemctl status stalwart-mail
- If using a reverse proxy (nginx/Caddy) in front of Stalwart, check the proxy's error log.
- Verify firewall allows port 443 (or 8080 for HTTP): ufw status
20. Frequently Asked Questions
Is it safe to run my own email server?
It is safe if configured correctly. The risks come from misconfiguration (open relay, weak passwords, missing TLS) rather than from the software itself. Follow this guide fully, keep Stalwart updated, and monitor your logs — you'll be running a more secure setup than many commercial providers.
Will my email end up in Gmail's spam folder?
With correct SPF, DKIM, DMARC, and a clean IP with proper rDNS, Gmail acceptance rates for legitimate mail are high. The main risk for new servers is the absence of sending history — follow the warmup steps in §17 and your deliverability will improve steadily over the first 4–6 weeks.
Can Stalwart handle multiple domains?
Yes. You can host an unlimited number of domains on a single Stalwart instance. Each domain gets its own DKIM key, and accounts can be assigned to any domain. Virtual alias domains (where all mail for example.org is forwarded to accounts in example.com) are also supported.
Does Stalwart support catch-all addresses?
Yes. You can configure a catch-all recipient that receives mail sent to any address at your domain that doesn't match an existing account. This is useful for legacy addresses or during domain migrations.
What webmail client works with Stalwart?
Any webmail client supporting IMAP or JMAP works. Roundcube (IMAP, widely deployed), Snappymail (IMAP, lightweight), and any JMAP-native client work well. Roundcube can be deployed via Docker alongside Stalwart with minimal configuration.
Is Stalwart suitable for enterprise use?
Yes — Stalwart Labs offers an enterprise licence that removes the AGPL copyleft restriction and includes priority support. For compliance-sensitive environments, Stalwart's at-rest encryption and audit logging features are relevant, though you should assess your specific compliance requirements against the offering.
21. Glossary
| Term | Definition |
|---|---|
| SMTP | Simple Mail Transfer Protocol — the protocol used to send and relay email between servers (RFC 5321) |
| IMAP4 | Internet Message Access Protocol v4 — synchronises mail between server and client; messages stay on the server |
| JMAP | JSON Meta Application Protocol — modern, HTTP-based replacement for IMAP (RFC 8620 / 8621) |
| DKIM | DomainKeys Identified Mail — signs outgoing messages with a cryptographic key to prove they came from your domain |
| SPF | Sender Policy Framework — DNS record that lists which IP addresses are authorised to send mail for your domain |
| DMARC | Domain-based Message Authentication Reporting & Conformance — policy that tells receivers what to do when SPF/DKIM fail |
| rDNS / PTR | Reverse DNS — a DNS record mapping an IP address back to a hostname; required by most mail servers |
| MX record | Mail Exchanger DNS record — tells the internet which server handles email for your domain |
| DNSBL | DNS Blocklist — a database of known spam-sending IPs that mail servers query in real time |
| Sieve | Server-side email filtering language (RFC 5228) — runs rules on incoming mail before the client sees it |
| ARC | Authenticated Received Chain — preserves email authentication results across forwarding hops |
| DANE | DNS-Based Authentication of Named Entities — pins TLS certificates via TLSA DNS records |
| MTA-STS | Mail Transfer Agent Strict Transport Security — policy forcing TLS for inbound connections |
| Open relay | A mail server that accepts and forwards mail from any sender to any recipient — a critical misconfiguration |
| ManageSieve | Protocol (RFC 5804) for remotely uploading and managing Sieve filter scripts |