Using Posteo with a Custom Domain

Recently I have been taking back control over my data. One of the biggest jumps I made was to ditch Gmail in favor of a privacy-oriented email provider, Posteo. Of all the email providers suggested by PrivacyTools.io, I chose Posteo because of their commitment to sustainability, transparency, and self-sufficiency. They support full encryption of all user data, and yet do so in a way that supports the standard IMAP, CalDAV, and CardDAV protocols for easy syncing (specifically I use DAVdroid to sync to my phone). Their documentation is extensive, they’re reasonably priced (one euro a month), and their migration services are sublime. To put the cherry on the cake, they are recommended by the Free Software Foundation for being fully compatible with LibreJS.

However, Posteo explicitly does not support one key feature which I require: hosting a custom domain. Posteo has a good reason for not supporting custom domains: doing so would require them to store the assignment of the domain as unencrypted user information, which violates their privacy promises. I’ve previously written on how I (stupidly, in hindsight) used MailGun to forward ‘[email protected]’ to my Gmail, and likewise send through a legitimate SMTP server. This placed all my incoming and outgoing email on too many servers! That said, there is a simpler solution to forwarding my email. My domain registrar, Gandi, supports easy forwarding to my (private) Posteo email, so I can continue to use my public fronting domain. This is important because (a) this public email is on all my commits and (b) I don’t want to go handing out my Posteo address to everyone; changing emails is difficult!

Posteo also supports “sender aliases” to properly send as ‘[email protected]’, but when sending from a different domain like this, you have to set the SPF record for your domain correctly (or risk being classified as spam). This is straightforward: just add v=spf1 include:posteo.de ~all as a TXT record for the @ host. See Posteo’s postmaster site for more details.
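As an added example (not part of the original post, and not Posteo’s or Gandi’s code), here is a small Python linter that parses an SPF TXT record offline and checks it for this sender-alias setup; the include target posteo.de comes from the post, while the function names and the sample records are my own.

```python
# Added example (not from the post, Posteo or Gandi): lint an SPF TXT record
# for the sender-alias setup above. It parses the record text only and does
# no DNS lookups, so it runs offline on a record you paste in.

# Mechanism names from RFC 7208; "include" and "all" are the two used here.
MECHANISMS = {"all", "include", "a", "mx", "ip4", "ip6", "exists", "ptr"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record: str) -> list:
    """Return the record's terms as (result, mechanism, value) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        if "=" in term:          # modifier such as redirect= or exp=; not checked here
            continue
        qualifier = "+"          # an unqualified mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.split("/")[0].lower()   # strip a /prefix-length on a or mx
        if name not in MECHANISMS:
            raise ValueError(f"unknown SPF term: {term}")
        parsed.append((QUALIFIERS[qualifier], name, value))
    return parsed


def check_alias_spf(record: str, provider: str = "posteo.de") -> list:
    """List problems in an SPF record for a domain whose mail is actually sent
    through *provider* (the Posteo sender-alias setup). Empty list means OK."""
    problems = []
    mechs = parse_spf(record)
    if ("pass", "include", provider) not in mechs:
        problems.append(f"missing include:{provider}; alias mail will fail SPF")
    alls = [(i, res) for i, (res, name, _) in enumerate(mechs) if name == "all"]
    if not alls:
        problems.append("no 'all' term; unlisted senders get a neutral result")
    else:
        i, res = alls[0]
        if res == "pass":
            problems.append("'+all' lets anyone send as your domain; use ~all or -all")
        if i != len(mechs) - 1:
            problems.append("terms after 'all' are never evaluated")
    return problems


if __name__ == "__main__":
    print(check_alias_spf("v=spf1 include:posteo.de ~all") or "OK")
```

Paste in the TXT record you published (for example from the output of dig TXT yourdomain) to confirm it carries the Posteo include and ends with a soft-fail or fail policy.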

Having set up incoming and outgoing email, I thought I was done, but alas, spam is the bane of the internet. While Posteo has great spam filtering, their philosophy of rejecting spam email instead of putting it in a junk folder means they can’t filter forwarded email: technically Gandi has already accepted it, so it can’t be rejected by Posteo. This left me with a lot of spam from my fronting domain! (It’s on all my commits, and has been pwned in practically every data breach.) The last piece of the puzzle I needed was some MX servers that would perform the spam filtering and forward legitimate emails to Gandi (to then be forwarded to my private Posteo address).

Update - This post previously espoused MX Guarddog, but their service was ineffective for me, and I have switched to Mailroute.

After dealing with spam for weeks, I finally found the solution with MX Guarddog. They do not host email themselves; all legitimate email is forwarded on directly to the upstream SMTP server. That torrent of spam, however, is quarantined from my inbox. The filtering system is configurable, and quarantined email can be reviewed for false positives. Furthermore, they accept spam reports at [email protected], and believe me, when I do get spam, I report it! After putting these services together, I finally have a reasonably private, secure email system, without the spam.

Update: I started seeing “Delivery Failures” being reported by MX Guarddog. Posteo was saying that it rejected email as spam! My first question was, “are they actually spam filtering forwarded email?” This confused me quite a bit, as the failure info did not say which message was rejected. However, when looking at the options for the quarantine report, I noticed this option:

Stealth mode - reports contain no spam summary, only a simple link to view your report online. Use this format if your hosting company often classifies your quarantine report as spam.

I finally realized what was going on! I correlated the dates, and sure enough, I was missing quarantine reports on the same dates as the reported delivery failures. Fortunately, this was easy enough to fix by adding the email address MX Guarddog uses to send me reports to Posteo’s spam filter whitelist. Problem solved.