Plesk Official Podcast

Working with Self-Hosting Email

Episode Summary

This week we're talking about shared and self-hosted email with Christian Mollekopf. Christian provides really good insight into hosting your email and how to make sure your email is configured correctly - in particular how to establish trust in your domain.

Episode Notes

1. What should someone consider when choosing an email hosting provider?

2. What are the benefits of self-hosting over using a service like Gmail?

3. As a hosting provider, what are some of the pitfalls of hosting email?

4. Are there any common ways email hosting is misconfigured?

Episode Transcription

Joe: (0:02) Hello and welcome to Next Level Ops, a podcast that explores tools, tips and techniques for hosting and managing websites presented by Plesk. I am your host Joe Casabona and this week we are talking about shared and self-hosted email with Christian Mollekopf. I was really excited to get into this conversation because I recently had some troubles with my own shared/self-hosted email. A lot of that comes out in this episode. Christian provides some really good insight into hosting your email and how to make sure your email is configured correctly. So, let's get into that episode. But, before we do, I want to remind you to subscribe to this podcast to get the latest episodes as they come out. If you are enjoying this podcast, please leave a rating and review in Apple Podcasts. It really helps people discover the show. All right. Now let's get into it.

 

Joe: (1:03) Hello and welcome to Next Level Ops, a podcast that explores tools, tips and techniques for hosting and managing websites presented by Plesk. I am your host Joe Casabona. I am here with Christian Mollekopf. He is the Senior Software Engineer at Apheleia IT. Christian? How are you today?

Christian: (1:24) I am very well. Thanks Joe. How are you?

 

Joe: (1:27) I am great. Thanks so much for joining us. We are going to talk about something that I recently had a lot of trouble with. So, I am excited to learn a lot and that is shared or self-hosted email. Essentially, there are services out there like G Suite or Outlook that will do the hosting for you but a lot of hosting providers, web hosting providers will also provide the service of email. So, we’re going to talk a little bit about that. But first, Christian, why don’t you tell us a little bit about who you are and what you do?

 

Christian: (2:00) So, I am a Senior Software Engineer for Apheleia IT. We develop a groupware product called Kolab. One of my responsibilities is the integration of that into Plesk. It is a core responsibility of me. 

 

Joe: (2:19) Gotcha. You said Kolab? What is it that you do?

Christian: (2:24) Kolab is a communication and collaboration suite. At its core is certainly email and calendaring. But then there is also task management and there is file sharing, etc. So, you have basically a collaboration suite where you can work together with other people within a company for instance, or within a school.

 

Joe: (2:47) Awesome! Awesome! So it kind of sounds like a self-hosted version almost of Google apps. Is that accurate (or like Zoho) is that an accurate analogy?

 

Christian: (2:57) Yeah. Definitely. Definitely. We have a special focus also on security and that you maintain control over your own data. So, it’s exactly for that use case, where you can self-host it and be in control of the whole solution.

 

Joe: (3:14) That’s great. It sounds really interesting and it’s integrated into Plesk too. So, for those listening out there who want to check it out, you can definitely do that. So, let’s jump right into it then. I will set the stage with a personal story. I was paying for two different G Suite accounts. It was just me, so it wasn’t like a lot of money per year, but I figured why have an extra expense when I could self-host email on my hosting provider, which is (I won’t name names). So, I decided to do that. Then a couple of weeks later, I realized that all the email going to that address was being flagged as spam in Gmail and other hosting providers. So, I didn’t do a lot of research. I just set it up because it seemed easy enough. I probably missed a bunch of steps. So, the first question I want to ask you Christian is what should someone consider when choosing an email hosting provider? Is it good enough to say oh my webhost offers it so I should do that? Or I should do G Suite? Or I should look at Kolab? What are some of the things that they should think about?

 

Christian: (4:27) So, I think usually it’s something that you are going to use for quite a long time. It’s like a very central part of your infrastructure typically. So, I think it’s definitely worth considering a couple of options. There is of course, a lot of different things to consider. First, certainly like the features that you need. Usually, it’s not just email. It’s also other features that you need to go with it. For instance, maybe you need a calendar. Maybe you need to be able to share your calendar with other people. Then there is certainly the interoperability with different clients. You may use your mobile client. You may have a preference for a specific desktop client, so you need to make sure that it works with that. Another very important topic in my opinion is vendor lock-in. So, should you ever be unhappy with the solution that you chose, you want to make sure that you can move on because you are going to have a lot of valuable data in that system. So, you want to be able to pull that data out and migrate to another service.

 

Joe: (5:41) Yeah. I think that’s a really great point, right? Most email service providers, strictly email will provide something like IMAP, where you’re essentially pulling things from the server. But if you’ve been with a provider for 5 years even, and then you want to move, that’s probably a lot of email and a lot of other information, like calendar information that you are trying to get out. Some vendors do not make it easy.

 

Christian: (6:11) Yeah. Sometimes it’s really just like you get a very specific limit, a subset, or they provide extra functionality on proprietary features. That data; you are just not going to get out. If you’re just heavily relying on that, then it is going to be very difficult for you to migrate away. So, I think that is something that you should consider from the start.

 

Joe: (6:36) Yeah. Absolutely. Especially for a personal email address I am sure like Gmail or whatever is fine, but if this is something your business depends on and if you’re working with something like a lot of personally identifiable information, right? If you’re doing work in a law firm or at least I am more familiar with United States laws, but there’s HIPAA, so if you’re doing work with patient data there’s probably some considerations that you should make there for keeping your data “in the cloud” or whatever.

 

Christian: (7:13) Definitely. There’s also, depending on what you are doing, there’s regulations that you have to be compliant with. You might be a reporter or someone that needs special protection, so you may want to take this into account. For that also things come into play like the jurisdiction where the service runs. Whether they have sufficient protection for your use case. Whether they have transparent terms and conditions, so you understand what your rights are and what is going to happen to your data as well. Certainly, for data usage, a very simple guideline, for instance is whether you are paying for the product. Because if you’re not, it’s very likely that somebody is going to make money based on your data.


Joe: (8:01) Yeah. Absolutely, right? It’s not an old adage, it’s a new adage but if you’re not paying for the product then you are the product, right?

 

Christian: (8:11) Yes. Exactly.

 

Joe: (8:13) Fantastic. Well, I think that’s really good. I think that’s set the stage for the next question here which is what are the benefits of self-hosting over using a service like Gmail or G Suite, if you are looking at the business option, right? People will probably look at that ease of use as easy as setting up email can be and say oh well. I’ll just pay Google however much a month and they can think about it for me. What are some of the benefits of not paying Google?

 

Christian: (8:42) So, I think if we just boil it down to one word, it is basically control. You maintain control over your solution. That’s in many separate ways. So, for one thing if you self-host you have more control over the product itself or the option value that it provides. Usually products that you run have a different integration option with other products, so you can mix and match different solutions to really suit your needs. If you just use a service like Google, then it’s just going to be what it is.  Also, if it changes, it’s just going to change. You really can’t do anything about it.

 

Joe: (9:32) Yeah. I think that’s a great point. I mean we have been seeing it a lot lately where platforms, not necessarily email, I am not as well versed in email platforms changing like this, but you know we’ve seen in recent years Medium say well, we are going to paywall certain content so that we can make money. If you relied on that as your main blog, then all of a sudden people can’t just read the stuff that you want to put out there for free. Slight oversimplification, but I think I hit the basics there. I think you are absolutely right. Control is super important, especially because of what you said before. There could be regulations or compliance. You are going to be using something for your email for a long time. Email is still the most common. I haven’t done the research on this, but I am pretty sure email is still the most common way that people communicate and especially reach out to new contacts, right?


Christian: (10:42) Definitely. Everybody had an email address. That’s the one common denominator across the globe, I think.


Joe: (10:44) Yeah. Absolutely. Again, here in the United States, it’s like currency. When you go and pay for something, they ask you, they don’t even, when you go to stores here in the United States, they just ask you what your email address is. As if it’s a normal part of the transaction. What’s your email address? I am like, I don’t have one. I say I don’t have one. They are like you don’t have an email address? I am like, not one I give out. So, you are absolutely right. Everybody does have an email address. So, you mentioned having a bit more control over the product and certain features, integrations. If we boil that down a little bit, let’s talk about maybe what to look out for. I think I am skipping a little ahead here, but I’m most interested in, I think everybody has their own favorite email client, right? Some people will use the web interface, but for self-hosted email the web interfaces I’ve used are like SquirrelMail and Horde and they are dated, to say the least.

 

Christian: (11:51) Sorry to hear that.

Joe: (11:55) That should have been like the first red flag when I signed up for my hosting company’s email. Do you want to use SquirrelMail or Horde? I am like what? For those of you who do not know, those are insanely old email clients, like web-based email clients. So, all of that long ramble is to say if you are using a self-hosted solution what are the options for email clients? Obviously, you can use something like Spark or Apple Mail or Android’s equivalent of that, which I don’t know if it’s just the Gmail app. You know, as far as like web-based clients for self-hosting, what’s really out there? I know I didn’t prep you for this, but I am very curious.

 

Christian: (12:42) So, the Webmail client that we develop is Roundcube mail which is widely used. It provides a very desktop-like experience to the tune where even I that normally despise webapps. I am really a fan of the desktop experience. But Roundcube really gives you all those very desktop-like features. Like you have a right click menu, you have desktop notifications for new email, you can drag and drop stuff.

 

Joe: (13:20) Awesome!

 

Christian: (13:21) It even works on mobile devices with the new responsive skin so you can use it everywhere for sure.

 

Joe: (13:31) That sounds great! I think there is a little bit of confusion, or there was for me when I first started. I could just switch any of the webmail email clients, but it was unclear what was kind of going on under the hood and what I had to control with my hosting provider versus what I can control in the webmail client. So, my next question or my next couple of questions are around that. First of all, as a hosting provider, what are some of the pitfalls of hosting email, right? You mentioned that your product Kolab is integrated into Plesk. What are some of the things that you have to think about being an email hosting provider?

 

Christian: (14:18) So I think one of the pitfalls that you hit as you mentioned earlier is called reputation management. That is other services that receive email, they have to fight a lot of spam and one means to do that is that you track the reputation of primarily domains and IP addresses where the email is coming from. So, if your domain or IP has a bad reputation then it is just going to be recognized as spam immediately and you’re not going to get any email delivered. So that’s certainly one of the biggest pitfalls out there. There’s a bunch of others like you need to properly configure your domains to make sure your MX records are there, some reputation related records are there. You need to make sure that if a customer comes in that domain actually belongs to that customer, so it doesn’t just register somebody else’s domain. You have to do capacity planning, etc. etc. There’s a whole laundry list of pitfalls.

 

Joe: (15:34) Yeah. Yeah. So that’s really interesting, right? Reputation management is a…does age of the service come into play here? If I want to set up an email hosting provider tomorrow will it take some time for my reputation to be good, or do I get the benefit of the doubt first? Am I on thin ice? What exactly does that, maybe not what exactly, but what does that look like from a provider standpoint?

 

Christian: (16:07) If you are using a new domain that will definitely initially negatively impact your reputation because you can imagine a spammer just will buy a whole bunch of cheap domains and use those for sending out spam. So, if those had a great reputation initially that really wouldn’t work well. So yes. There is going to be some build up to it. It is perfectly feasible. It’s not like you have to wait for years or so. It’s perhaps a couple of weeks or so.

 

Joe: (16:42) Right. Right. Right. And conversely, with the domain that I have been talking about with my personal story, I have owned that domain since 2004. That was still getting flagged as spam because the MX records, the domain of my provider, there was something amiss there. It’s interesting because it wasn’t blacklisted. But there were some other pieces I was missing. So, can you check the reputation of your email hosting provider or MX record providers, if I am using the right terms?

 

Christian: (17:22) You can certainly check. There’s a whole bunch of protection mechanisms that are based on your domain which allow the recipient of an email be verified with that email first. It comes from your domain and then it also hasn’t been tampered with. Then you can check a couple of policies to decide whether this is genuine content or not. This is in place to make sure that a spammer can’t just claim that this email comes from your domain and just basically abuse your reputation. Now if you don’t have those protection mechanisms in place, then someone else can just destroy your good reputation of your domain.

 

Joe: (18:23) Gotcha. So, we talk a lot about WordPress on this podcast. I think that is something a lot of WordPressers specifically run into is maybe they have WordPress sending out email via a contact form or something like that and they’ll run into this issue. It sounds like it’s probably because of these certain policies, right? You maybe haven’t gone through the steps to verify that WordPress is actually sending out email as who it’s claiming to be, right? As you. Maybe your domain is registered somewhere, and your website is hosted somewhere else and the IP addresses don’t match and you haven’t verified that this is actually a legit email transaction.

 

Christian: (19:12) Yes. That could very well be. It could also be that you’re perhaps on a shared hosting environment where you share your IP address with other people that care less or are even actual spammers. Therefore, the reputation of that IP could be burned already.

 

Joe: (19:37) It’s almost like if you live in an apartment complex with a neighbor that has crazy parties, loud every night then your whole apartment building gets blamed for it. So, there is a lot around reputation management and making sure that you know, rightfully email clients are making sure that their users aren’t getting spammed. But what are some common ways that email hosting can be misconfigured? What should I have done when I set up my self-hosted email or my email hosted with my website provider?

Christian: (20:19) So the first step is certainly to make sure that email is delivered and your domain is protected from spammers is to set up SPF, DKIM and DMARC. These are three different but related mechanisms. SPF is to make sure that an email is coming from an authorized IP address that allows the recipient to detect if someone else, from say a different part of the world is suddenly starting to send or deliver email on your behalf. Then the second part is DKIM. That’s the DomainKeys Identified Mail. This is basically a signature for the email, which allows the recipient to verify that the email has not been tampered with. So, it’s a hash over the email that allows the recipient to make sure that it hasn’t been modified. Then DMARC ties those two mechanisms together by publishing a policy and establishing a reporting protocol so you can also learn if something went amiss. So, these three mechanisms protect your domain essentially and other services that of course check this like everybody that takes email seriously does this. So those services will then give you a great reputation to your domain than if you don’t have any of these checks in place.

 

Joe: (22:12) Gotcha. So, you’re essentially providing credentials for your email. With SPF, this one I am maybe the most familiar with after recent weeks, but this is a text record that goes in your DNS, right?

Christian: (22:28) Yes. Exactly. That allows the recipient to sort of out of band via your domain that you claim that you sent this from allows you to check the DNS record, whether the IP where it actually came from matches that record.

 

Joe: (22:49) Gotcha. Gotcha. So, someone sends an email on behalf of my domain or I send an email from my domain. The recipient can say Hey! This is saying it’s coming from Casabona.org. It then checks the Casabona.org DNS to make sure I’ve said that wherever sent that email can actually send it as Casabona.org.

 

Christian: (23:14) Exactly.

 

Joe: (22:16) Got it. Then DKIM, right? DomainKeys Identified Mail. Is that something that also belongs in the DNS? Is that something that you set up on the server side? What’s just like a high-level overview of what steps you would need to take to make sure you have that?

Christian: (23:34) So, that’s also something that you configure on your mail server that is sending the mail and it’s basically signing your email and then adding a header to the mail that is then coupled with again, a DNS record that allows…so that’s then just then a public key. A public key mechanism which allows the recipients to verify that the email is still in the same form as you sent it. Otherwise, somebody could intercept the email or check a different message that has been tampered with.

 

Joe: (24:21) Gotcha. Gotcha. So, it’s very similar to like SSL in that sense, kind of, right? It’s making sure that this website that has been sent to my browser was sent from where I think it was from.


Christian: (24:35) Yeah. It’s similar to the certificate infrastructure that we have, like the certificate check that you get when you visit a website, which also checks that this is indeed the website that you intended to visit. 

 

Joe: (24:52) Gotcha. Gotcha. Finally, DMARC. This is the one I am least familiar with. In my travels, at least, I did not see an obvious way for me to do that. There were step by step instructions for SPF. With DKIM, there was like a check box that I just essentially said yeah, use this. What would I have to do to enable DMARC? Is that something that my provider needs to do? Again, a high-level overview here.

 

Christian: (25:21) So, DMARC ties together DKIM and SPF by publishing another record with a policy that tells the recipient of the email that you have DKIM record, that you have SPF checks enabled and what should happen if any of those checks fail. Then also it establishes the means to report back if something failed. Otherwise, you have the problem, right? That your email doesn’t arrive, and you don’t know why. It just you never hear back. DMARC also provides reporting back if there is a problem that you learn about it so you can fix it.

 

Joe: (26:08) Gotcha. So, if you have SPF and DKIM is DMARC then assumed or is there like another thing that you need to enable to get DMARC?

Christian: (26:20) DMARC needs to be published separately. That’s also in the DNS record if you are using Plesk, you essentially just set the check box to also enable DMARC.

 

Joe: (26:33) Gotcha. Gotcha. Well, thank you. That was a great overview and you mentioned Plesk. So, we can go right into the last question here. What features in Plesk help with email hosting?

 

Christian: (26:47) Yeah. So, the first thing that we just talked about SPF, DKIM and DMARC is built in. That’s a bunch of check boxes that you have to set to enable it. So that makes it very easy to just check those off the list. There’s also other UIs for import measures. So, you can, for instance do rate limit. You can do message size limits which is also important for interoperability with other email services. Because if you for instance send around 200 MB emails, you are just going to get rejected. You want to catch that early and also make sure that you are a good citizen within the email community. So, because that will also protect your reputation as well, right?

 

Joe: (27:49) Yeah. Yeah.


Christian: (27:52) Otherwise, there’s the Plesk email security extension of course with enhanced anti-spam and anti-virus capabilities. Again, also very important. On one hand you want to protect yourself from spam and viruses of course and your users. On the other hand, you also want to do that outbound to make sure if should a spammer gain access to your system, that you can only do a limited amount of damage. Because, again, your reputation is at stake here.

 

Joe: (28:28) Yeah. Absolutely. That’s another thing to think about, right? If you accidentally open some spam thing, right and it starts emailing all your entire address book that’s going to hurt your reputation, right? Now your email address has become a spam email address.

 

Christian: (28:45) Yes. If you host an email service, you also need to make sure that…you’ve got the responsibility for that system, so you need to make sure that it is not abused. Plesk definitely offers features there. As I said for instance, the rate limit also severely limits the amount of damage anybody can do. If you are just going to be able to send two messages a minute, then that’s a lot less worse than if you get multiples per second.

 

Joe: (29:20) Well Christian. This has been very educational for me and I know it has been for the listeners too. If people want to learn more about kind of what you’re doing, where can they find you?

Christian: (29:31) If you’re looking for Plesk Premium email which is the name of Kolab integrated into Plesk, it gives you a whole slew of features and exactly for those use cases so you get better protection for instance against cross-site request forgery and we have a troubleshooter integrated that highlights various problems. We have, as I talked earlier, the responsive skin full mobile device connectivity, so you’re free to use whatever devices you like. And it provides much more than email. We have various integrations with Seafile for file sharing for Mattermost integration which gives you a very Plesk-like experience but host it yourself where you are in full control. We have collaborative editing through Collabora. So, that gives you a full collaboration suite where you are in full control where you can decide where it’s hosted and where you can be sure that the email also arrives.

 

Joe: (30:36) Awesome! That sounds great. Plesk Premium email. That sounds fantastic. It integrates kind of all the features that you mentioned that Plesk can help with email hosting and a bunch of stuff that we talked about in this episode of Next Level Ops. So, Christian. Thanks again so much for joining us. We really appreciate it.

 

Christian: (30:55) Thank you very much for having me.

 

Joe: (30:58) Thanks so much to Christian for joining us this week. I certainly learned a lot and I think that there was some really good insight here. I think probably the biggest takeaway and the one that kind of rang most true for me was to make sure you have SPF, DKIM and DMARC set up to make sure that your email is getting where it needs to go. So, for all the show notes you can head over to Plesk.com/podcasts. If you like this episode, please consider subscribing and giving us a rating and review on Apple Podcasts. It will really help people discover the show. Thanks so much for listening to Next Level Ops. Until next time, remember to take it to the next level.