Self-Hosting Business Email with Cloudron: Complete Guide

Why Self-Host Your Business Email?

There's a deeply ingrained assumption in the business world that self-hosting email is either reckless or reserved for spammers. We've been conditioned to accept $8 to $20 per user per month as the cost of doing business, handing our data over to algorithms that turn around and market it right back to us. But that narrative doesn't hold up under scrutiny.

Dave has been self-hosting his business email for over two years now, and he's rolled it out for multiple clients with great results. That's not to say the journey has been perfectly smooth — there are real obstacles around IP reputation and deliverability that you need to know about. But the cost savings and data ownership make it worth exploring, especially if you're running a small to mid-sized operation where those per-user fees add up fast.

Tools and Software You'll Need

The self-hosted email stack has a few moving parts, but Cloudron ties them all together into a manageable package. Here's what's under the hood:

First, you need a server. Hetzner is the recommended choice here because they're relatively lenient about Port 25 access, which is required for sending email. You will need to have your Hetzner account active and paid for a couple of months before they'll open that port — it's their way of preventing spammers from signing up and blasting out junk mail.

Cloudron itself is the server management platform that handles the heavy lifting. It's not open source, but the free plan covers everything you need for email hosting. Under the hood, it runs Dovecot as the IMAP server (responsible for pulling emails into your inbox across any mail client) and Haraka as the SMTP server (handling outbound email). You don't need to configure either of these manually — Cloudron's web interface handles it all.

You'll also need DNS management. Cloudflare is the recommended option because it integrates directly with Cloudron via API, and the free tier is more than sufficient. The idea is to buy your domain from a registrar like Porkbun, then point the nameservers to Cloudflare for DNS management. This separation gives you flexibility and access to Cloudflare's caching for any web applications you might also run on the server.

Setting Up Your Hetzner Server

Spinning up a server on Hetzner is straightforward, but there are a few decisions worth getting right from the start. Cloudron requires a minimum of 2 GB of RAM and 20 GB of storage, so even Hetzner's cheapest plans will work. However, if you plan to run other applications on the same server — your website, other self-hosted tools — it's worth going with a dedicated CPU plan.

The sweet spot is Hetzner's entry-level dedicated plan at around 13 euros per month, which gives you two vCPUs and 8 GB of RAM. That's a serious amount of headroom for email plus additional applications. You can always scale up later, so don't overthink this.

For the operating system, choose Ubuntu 24.04 (or whatever version Cloudron's installation page currently specifies). SSH keys are recommended if you're comfortable with them, but if not, Hetzner will email you the root password. Turn on backups — the 20% cost increase is worth the peace of mind of having server-level snapshots in addition to Cloudron's built-in backup system.

Installing Cloudron via Terminal

This is the only part of the process that involves the command line, and it takes about two minutes. Open your terminal (on macOS, hit Command+Space and type "terminal"), then SSH into your server using the command `ssh root@YOUR_IP_ADDRESS`. Accept the security prompt, paste in your root password (it won't show any characters as you type — that's normal), and you're in.

From there, head to cloudron.io/get.html, copy the three-line installation command, paste it into your terminal, and wait. When the installation completes, it'll prompt you to reboot the server. Say yes, then give it about 35-45 seconds to come back online. After that, you can access Cloudron's web interface by navigating to your server's IP address in a browser.

You'll see a browser warning about the connection not being private — this is expected and temporary. Click through the warning to reach the Cloudron setup screen. From this point forward, everything happens through the graphical interface. No more terminal required.

Initial Cloudron Configuration

The first thing Cloudron asks for is your domain name and DNS provider. If you're using Cloudflare, select it from the dropdown and choose "API Token" as the authentication method. You'll need to create a token in Cloudflare with two specific permissions: Zone > Zone > Read, and Zone > DNS > Edit. Restrict the token to only the specific domain you're setting up.

A common concern is giving Cloudron permission to edit your DNS records, especially if you're already hosting a website on that domain. The good news is that Cloudron will never overwrite existing DNS records without explicit warning. It only adds the records it needs. If you're still uncomfortable, you can choose manual DNS management instead, though the automated approach saves significant time and reduces the chance of misconfiguration.

Leave the Cloudflare proxying checkbox unchecked during setup. It's easier to enable caching selectively for applications that benefit from it rather than having to disable it for services like email that don't. Once your DNS token is connected, Cloudron will automatically create the necessary records and wait for propagation. After a brief wait, you'll be prompted to create your admin account — this username will be tied to your email addresses later on.

Connecting DNS with Cloudflare

With Cloudron installed and your admin account created, the DNS integration starts working immediately. Cloudron creates the initial DNS record so you can access the management interface at my.yourdomain.com — no manual Cloudflare configuration needed.

One of the most powerful aspects of this setup is multi-domain support. You're not limited to a single domain. Under the Domains section in Cloudron, you can add as many domains as your server can handle, each with independent DNS credentials and email configurations. This is particularly useful if you manage multiple businesses or client domains.

The Cloudflare free plan is perfectly adequate for this use case. You get DNS management, basic caching capabilities for web applications, and the API access that Cloudron needs to automatically manage records. There's no need to upgrade to a paid Cloudflare plan unless you have specific requirements around advanced firewall rules or performance optimization.

Enabling and Testing Email

Head to your user profile in Cloudron and navigate to the Email section. You'll see your connected domain with a red indicator — that's because incoming email isn't enabled yet. Click the pencil icon, then enable incoming email. Cloudron will automatically create all the necessary DNS records: DKIM, SPF, and DMARC for outbound authentication, plus the MX record for incoming mail.

Here's where it gets interesting. If you already have email through another provider (like Google Workspace), Cloudron won't overwrite your existing MX record. The outbound authentication records (DKIM, SPF, DMARC) are additive — think of it like being able to mail letters from multiple post offices. But incoming mail (the MX record) is like your home address: mail can only be delivered to one place. You'll need to manually remove the old MX record in Cloudflare before your new server will receive email.

You'll also need to set up reverse DNS (PTR records) on Hetzner for both IPv4 and IPv6. This is done in Hetzner's networking panel — edit the reverse DNS entries to point to your domain name. Cloudron will tell you exactly what values to enter. Once all records propagate (give it five minutes or so), you should see green checkmarks across the board.

Handling IP Blocks and Deliverability

This is the part that gives self-hosted email its bad reputation, and it's a legitimate challenge. When you get a new IP address from a hosting provider, there's a decent chance it's been used before — possibly by someone sending spam. That means your fresh server might already be on one or more block lists.

Cloudron makes this easy to diagnose. The email status page will flag any block list issues and link directly to the removal request forms. In this walkthrough, the IP was flagged by Barracuda. The fix is straightforward: fill out their removal form with a brief, professional message explaining that you've acquired a new IP for legitimate business email. Most block list providers process removal requests within 12 hours.

A practical tip: use an LLM to draft your removal request. Something like "Write a message to request removal from the Barracuda block list for a newly acquired IP address used for business email" will generate an appropriate, professional message. Just make sure to clean up any obvious AI artifacts before submitting.

Deliverability testing through mail-tester.com showed an 8.3 out of 10 initially (with points deducted only for the short test message and the single block list entry). A longer, more realistic test email scored 9.5 out of 10, with the remaining 0.5 points attributed solely to the pending block list removal. Once that clears, it's a perfect score.

Using Email Relays like Amazon SES

If dealing with IP reputation feels like too much overhead — or if you're running a very small operation where low email volume makes it hard to build sender reputation — there's a clean workaround: use an email relay for outbound messages while keeping incoming email fully self-hosted.

Cloudron makes this dead simple. Under the Outbound tab in email settings, switch from the built-in SMTP server to an external relay. Supported options include Amazon SES, Elastic Email, and Mailgun. Amazon SES is the standout choice at roughly 10 cents per 1,000 emails — practically free for business correspondence.

The setup is just copying your SMTP credentials from SES into Cloudron's relay configuration. Make sure you're using SMTP credentials (not API keys) since that's what Cloudron expects. This approach gives you the best of both worlds: complete control over your incoming email and data, with the deliverability guarantees of an established email infrastructure provider.

For very small companies sending only a handful of emails per week, the relay approach is strongly recommended. The time you'd spend monitoring deliverability and managing IP reputation simply isn't worth it when a relay costs fractions of a penny per message.

Creating Users, Groups, and Mailboxes

Cloudron's user model is simple but flexible. Every person who needs an email inbox must have a Cloudron user account. One user account can be tied to multiple email addresses across different domains. To create mailboxes, go to the Email section and add them under the Mailboxes tab — just specify the address (like dave@yourdomain.com) and assign it to a user.

For shared inboxes, Cloudron supports groups. Create a group (like "Support"), add team members to it, and then assign an email address (like support@yourdomain.com) to that group. Every member of the group can log in and access the shared mailbox using their own individual passwords. This is particularly useful for support queues, sales inboxes, or any scenario where multiple people need visibility into the same email stream.

User roles control what people can do within Cloudron itself. The basic "User" role is fine for most people. If you want someone to manage email settings without full admin access, there's an "Email Manager" role. The connection settings for any standard email client (Thunderbird, Apple Mail, Outlook) are available in Cloudron's documentation section — just plug in the server details and authenticate with the email address and Cloudron password.

Spam Filtering and Custom Rules

One of the common concerns about leaving a managed email provider is losing spam filtering. Google and Microsoft have invested heavily in spam detection, and moving to a self-hosted setup does mean you'll likely see more spam initially. But Cloudron has SpamAssassin built in, and it's surprisingly effective once configured.

The spam filtering settings are accessible from the email management interface. You can add custom SpamAssassin rules to target specific types of unwanted messages. If writing spam filter rules sounds intimidating, this is another great use case for an LLM — describe the spam you're receiving (or paste in examples) and ask it to generate SpamAssassin rules. Paste those rules into Cloudron, and the matching messages will be routed to spam instead of your inbox.

Existing spam that's already in your inbox won't be retroactively filtered, but all new incoming messages will be evaluated against your rules. Over the first week or two, you'll likely need to refine your rules as you see what gets through, but it stabilizes quickly.

Installing Roundcube Webmail

While you can access your self-hosted email from any standard mail client, having a webmail interface is convenient for checking email from any browser. Cloudron's app store includes three webmail options: Roundcube, SOGo, and Snappymail. Roundcube is the most established and gets the recommendation here.

Installation takes about 30 seconds through the Cloudron app store. Choose a subdomain (like mail.yourdomain.com), decide whether to make it available to all Cloudron users or restrict access, and hit install. Cloudron handles the DNS record, SSL certificate, and application deployment automatically.

When logging into Roundcube, use your full email address (not your Cloudron username) since a single Cloudron account might be associated with multiple email addresses. The password is your Cloudron account password. From there, you've got a fully functional webmail client for composing, reading, and organizing your email from any device with a browser.

Monitoring, Maintenance, and Final Tips

Self-hosted email isn't entirely set-and-forget — at least not in the first few weeks. Cloudron provides an event log under the email section where you can monitor bounced emails, delivery errors, denied messages, and spam-flagged content. Check this regularly during the initial setup period and then monthly going forward.

Keep an eye on block lists even after your initial removal requests go through. IP reputation can fluctuate, and a sending domain can end up flagged again if there's unusual activity. If you're using the built-in SMTP server (no relay), this monitoring is especially important for small-volume senders where even a single complaint can disproportionately affect your reputation.

The practical bottom line: if you're a solo operator or very small team sending fewer than a dozen emails per day, use an email relay like Amazon SES for outbound and self-host only the incoming side. The time savings on deliverability management far outweigh the negligible cost. For larger teams with consistent email volume, self-hosting both inbound and outbound becomes more viable because the volume itself helps build and maintain IP reputation.

Whichever approach you choose, the per-user cost drops from $8-20 per month to a flat server fee of around $13 per month — regardless of how many email addresses you create. That's the real value proposition of self-hosted email.

Watch the Full Video

Prefer watching to reading? Check out the full video on YouTube for a complete walkthrough with live demos and commentary.