Ask HN: Is it possible to run your own mail server for personal use?

648 points by jdmoreira ↗ HN
Recently I decided that I wanted to run my own MTA. Downloaded qmail, applied a couple of patches and it was done. The problem is making sure my mail is not marked as spam by the major MTAs out there, gmail and hotmail both mark my mails as spam. So far I've:

- made sure I'm not running an open relay (obviously)

- made sure a reverse lookup to my IP matches my host

- made sure my IP wasn't already in any spam IP blacklist

- added SPF

- added DKIM

- run a lot of tests at glockapps.com

It's still not enough. I don't know what else to do, is it possible to run your own MTA, for personal use in 2016? Who, here, is doing it successfully?

313 comments

[ 4.3 ms ] story [ 276 ms ] thread
You didn't understand the question. I already have the mail server running. That's not the problem.
This is probably no help to you, but since you're doing this already, you may know. Is it feasible to self host your own email server but then use something like Mailgun for SMTP?
For what purpose?
I believe it allows you to send outgoing mail using Mailgun which is trusted (doesn't end up in recipient's spam folder) but receive incoming mail to your server.
Most if not all ISPs have MTAs for customer use. I don't know how Comcast would like me submitting from Postfix, but I don't have to worry about that and my personal ISP can handle being a next-hop MTA just fine if I need it.
Yes. I do this. It gets rid of the spam folder problem while allowing you to host the incoming email yourself.
I might go down this route. Great advice! What service do you use? Thanks
I'm with Sparkpost for my personal stuff, at work we use Mailgun.
It's been many years since I've run my own mail server, but especially if you are running your mail server on a public cloud, you should make sure you aren't on any blacklists like Spamhaus: https://www.spamhaus.org/lookup/

EDIT: Looks like this is one of the things https://glockapps.com/ checks.

I already did check my IP. It's not in any known list. But thanks :)
Also check the IPs of your neighbours (in the same subnet or network block). I suspect the big ISPs also look at this, and on Hetzner at least I've found many neighbours with somewhat spammy IPs.
In particular this comment:

https://news.ycombinator.com/item?id=12109727

about some hard-to-find tools that help with Microsoft mail (Live.com / outlook.com / hotmail.com etc). There may have been some similar strange link for Gmail - i only have access to my phone right now, so I can't check my notes.

I believe that was the thing I was missing from my setup (and it was frustrating to debug as mail simply disappeared).

Between a (for now) cacert-certificate (which I think is treated as "self-signed" for most purposes) and SPF - both Google and MS appear to accept my mail. I've turned off ipv6 - if you want it, it might take some extra work.

I'm planning to move to opensmtp "when I have time" and maybe dbmail for the store - now I'm on exim and dovecot.

I get little spam - I do have greylisting set up. What I get is generally to emails leaked in the linked-in and Adobe attacks. I should change those addresses, and reject/black hole the old ones. But for now it's manageable - and is filtered out in my "misc" folder by simple address-basrd filtering (exim .forward file)

(I generally give each site a different mail, se eg my hn profile).

Basically not, if you have other things you're trying to do with your life at the same time.

It's like trying to make a toaster from scratch, or growing your own wheat to make your own bread. It's possible, but it's also impractical and you'll end up with a worse result than you can get off the shelf.

I am running my own mailserver for several years now and it is quite possible. The problem is, that your IP is new to the other MTAs and you need a couple of months to build up the reputation. Services like the one from Microsoft have forms, where you can delist yourself from their blacklists. Even though you are not blacklisted, it helps for the reputation if you fill out the forms with the MTAs you have problems with. Nevertheless it is a constant work (not much..1 hour per week) to keep up the reputation. Just make sure you are not loosing the IP when it starts to work out ;)
Yes, I think this is a great part of the problem. My IP doesn't have any reputation. But how do I build one? I send a very small volume of emails, I'm just one person.
Send legitimate e-mails to people you know on those services. Ask them to mark those e-mails as trusted / not spam. Make sure they reply to at least a few.

I've been running my own e-mail server for years. I have DKIM, SPF, PTR, and everything else set up and my e-mail domains and IP addresses are many years old. Every so often, Gmail still decides to spam-bin me for a week or so.

It takes some time, but even with small amounts it will eventually work out. I started to send requests for whitelisting my ip to the technical support emails as well and some MTAs even have forms for that. Keep running it! The net was made for decentralised services. I think it will even be in 2020 worth it.
Same for me, I'm just one person. After a while you've mailed enough hotmail users that hotmail will accept it as non-spam. Google is trickier, they can get away with a lot more because (even when I explain why it happens) people assume I'm doing something wrong when it's google that configured their spamfilter.

Eventually though, gmail will typically accept email from home IP addresses. Google apps for business seems to be even trickier than that: they have an opt-in strict setting which blacklists (outright rejects) anything remotely suspicious. It'll tell you where you stand through delivery failures, but it also means you'll end up having to call whomever you're trying to reach.

If you go on the blacklist by default then it isn't really a "blacklist", is it? It's a whitelist, and you aren't on it.
Yes. I'm not on the blacklists but I'm also not on the whitelists. That's the problem. It's ridiculous!
Just ask Hillary
It's gonna be really hard. I work at a hosting company and our staff has to work constantly to make sure people's servers get taken off of spam blacklists, or IP blocks of ours need to get removed, etc. There's a lot of stuff to navigate out there, basically kludges that have been put in place because email is just such a terrible, insecure system.

I'm sure if you're willing to put in the effort you can do it. But from my point of view, I'd probably just get a managed VPS with a hosting company who will take care of all the headaches of dealing with spam filters for me. They can be had pretty cheaply and the money is well worth it if you get good support.

Are the IPs being added to blocklists without ever having sent spam?
The spam filtering companies do make mistakes sometimes. Sometimes someone is sending out legitimate mail but it's a new IP sending a bunch of mail and they err on the side of caution.

Or sometimes your IP will just get caught when a spam company decides to spam flag an entire block of IPs.

I think if OP keeps at it, they will find that it's not worth the hassle and for a very reasonable amount of money they could have just had a personal email server where someone else deals with the headaches.

Of course, again, I work for a hosting company so I may be biased here but I'd probably be saying the same thing even if I didn't.

To be fair, your viewpoint is very different from OP's. Where OP is trying to run a one-person mail server, you probably manage thousands of IP addresses and VPSes, which makes for a lot of abuse and effort on keeping reputation, and is an entirely different ballpark.

Therefore I'd advise OP to keep at it, not just switch to a hosting company. Also for the learning experience, though that is secondary.

I'm doing it, also using Qmail. I've felt the same pains as you (even started to suspect that providers might detect mail was being sent by Qmail and scoring that lower (perhaps (only) spammers are using Qmail today?), but more probably my network block (Hetzner.de) is the biggest reason for my difficulties).

Here's what I've done on top of your list:

- backscatter prevention (using my own https://github.com/pflanze/better-qmail-remote)

- do the Google domain verification dance (postmaster tools, configuring their entry in the DNS); still didn't prevent mails ending up in spam, but who knows whether it might still have helped.

- started running mailing lists on it anyway, in spite of me knowing that mails end up in people's spam folders, and simply tell all new subscribers that mails first end up in their spam folders and that once they mark them as non-spam the problem goes away. This seems to be working (people haven't complained), and will over time hopefully give my server the reputation I need.

(PS. I'm also still using DJBDNS, with a config generator written in Scheme, look out for tinydns-scm on my Github)

Why would other MTAs have a buff against Qmail?

I'm using maradns for DNS but I respect djb's software a lot. I'm using his publicfile as an httpd.

I have already added my domains in google's postmaster tools. So far it hasn't helped much

I think the parent's hypothesis was that MTAs would negatively weight any MTA that isn't the custom ones running on Gmail/Outlook/Yahoo servers.
Thanks. Well... that's just terrible.
One thing I learned from my spam filter's logs is that sending email in a slightly weird way is great way to marked as spam. I used to receive a few thousand emails a month that didn't have a Date header - all spam - which is strictly required by RFC2822 but sometimes allowed to be absent. amavis-new easily and correctly detected them.
Just to prevent misunderstandings, I don't think my Qmail setup does anything "weird" at all. Just that if you consciously want to score according to the MTA used, that you can. The only weird thing about a Qmail installation adapted to today (backscatter protection, DKIM, standard Qmail patches) is that not many people are using it.
It's not the MTAs that don't like Qmail, it would (my hypothesis) be the scoring systems run by the ISPs that would (hopefully automatically, i.e. based on statistics) give senders using some MTAs a lower score than others.

Small users generally don't use Qmail anymore, so if you're a small sender and use Qmail, then perhaps that's odd, and iff spammers (perhaps for Qmail's efficiency (1)) are using Qmail often, then...

(1) although you can attain higher efficiency with a custom MTA that's not safe, i.e. big spammers generally don't even retry for efficiency (that's why greylisting works).

A friend of mine runs several mail servers on OpenBSD, using OpenSMTPD, and says he's got almost zero problems and scratches his head on what I'm doing. So there's 3 hypothetical reasons for that for me:

- basically no spammers will be using OpenBSD (why should they?), - and hence also none be using OpenSMTPD, - and hence also none of them will be using a OpenBSD hoster (netblock!).

Relatively many spammers (perhaps not the biggest ones, but still spammy senders) will be using services like Hetzner, and will most likely be running Linux. Now if Gmail etc. do check the MTA you're running, and perhaps do OS fingerprinting, they'll "know" how to judge you.

Anyway, I don't have evidence that Qmail is a big reason, it seems likely the netblock is much more important (or at least that's what I'm inclined to think because the alternative would indeed be rather frustrating).

Been running it for over 15 years. No SPF. No dkim. Never had complaints, though threads like these have me worried.
You and me both. I think the risks are overplayed, but at the same time it's probably about time to join the future with SPF/DKIM/DMARC.
And IPv6 is that future. My resource is that when you start connecting on IPv6 many mail providers will consider SPF and proper reverse DNS mandatory.
For that, I've been looking into freeposte.io, so I can hop onto the container-train at the same time.
I think 15 years of "good behaviour" is exactly what they're missing. gmails 12 years old. If you've had a well-behaved service for as long as they've been keeping track, that probably weighs in your favour much better than anything else.

That said, SPF is worth looking into - but it's more a "good neighbour" thing. Rather than having any direct benefit for you, it helps other hosts spot mails that claim to be from you. "Be the change you want to see" type deal.

There is no excuse for not having SPF and DKIM signing set up in 2016/2017. Bet you don't do opportunist TLS 1.2 either?
You also need a DMARC record (https://dmarc.org) along with your DKIM and SPF records.

Be careful testing your configuration when sending emails to the large providers, you can inadvertently score negative marks against your own reputation, which is hard to recover from.

And setup reporting and forensic reporting. I have a domain that seems to be the default for a botnet, so my daily reports from GMail and Yahoo! always include at least a few IP addresses attempting to submit as admin@[domain].

The reporting sets my mind at ease that those big guys are blocking it and that the (low) legitimate volume of mail to those guys is reasonable.

It's also interesting to note that with DNSSEC, DKIM, SPF and DMARC, the pattern seems to be that some large Chinese mail providers drop DNS responses to try to overcome the "-all" token in the SPF record and "p=reject" token in DMARC. At least the reports show that the authentication (by SPF/DKIM) failed, so that makes me sleep a little better.

Par for the course, I guess. :P

*edit: grammar

No, not really. It's a constant battle to get delisted from spam blacklists and your site keeps popping back up. Even most companies don't bother with it anymore.
> Even most companies don't bother with it anymore.

This is a little bit like "correlation is not causation". Companies are moving a lot of stuff to the 'cloud', and email is just one of the services that goes with it. It's simply cost-saving to not have dedicated IT personnel. Even if hosting your own mail server is easy, you need someone who takes care of it every now and then (disk full, adding users, blacklist incident once a year, etc.).

Your company is amazingly lucky if it only gets a blacklist incident once a year, and if that incident is easily resolved.

The internet seems to have decided that if your mail doesn't come from one of the major commercial mail brokers, it's as good as spam. I ran several private mail servers for several years before giving up. I'm generally suspicious of moving to cloud/services, but outgoing email is the one thing that I can safely say 99% of companies would be better off moving to a service.

I've given up on it for transactional email for any of my small-time SaaS services. Coaxing gmail into accepting my emails was a constant fight. Just when I thought I was good, they'd start blocking me again for some new obscure reason.

I remember fondly the days you could send an email to postmaster@domain.com and get a response from a real human being and at least attempt to have a rational conversation to resolve your mail delivery issues. I've tried that with google, yahoo, et al. and have never received a response.

I just use mailgun/mandrill/etc. these days and forget about it. I also pay $10 a year to a provider for my personal email address.

I've been running my own mail server on AWS for about 3 years now. Postfix, Dovecot, and a Rails app I wrote for webmail. At first I had 0 deliverability but over time it's improved to near 100%. Just setting up SPF, DKIM, not being on a blacklist, and building up a reputation of good mail seems to have worked wonders. I've been wanting to move to DigitalOcean but I don't yet know if there will be a significant hit on my IP reputation.

Postfix occasionally drops a legitimate incoming email due to a misconfigured sender, usually from a domain that doesn't resolve to anything, but I just log those in case I miss something important.

If you change IP addresses when moving to DigitalOcean it will reset your reputation and deliverability. Speaking from recent experience.
Can confirm IP address change will reset 97% of reputation. Domain reputation is almost negligible and content is also much less important.
Are you running it out of your house (e.g. a residential ISP). If you are you'll probably never have much success, all the major email providers block residential IP addresses.
VPS provider. Respectable one.
(comment deleted)
> all the major email providers block residential IP addresses.

Not really. They'll suspect them, especially ones that newly start sending email, but only very rarely block them.

I run my own mailserver and have done since ~2012. I don't have DKIM or DMARC set up but I am using postfix and not qmail. I'm sorry I can't help you with your delivery problem - except that to say that if you didn't have eg rDNS set up to begin with gmail might have a negative cache of it. I haven't had problems with delivery of outgoing mail except to a couple of poorly administered exchange hosts run by recruitment agencies - which complain about my mail but confusingly do still deliver it.

Two real problems I have faced...I once (embarrassingly) created a unix user with test/test credentials for messing about and forgot that my postfix setup at the time reused unix credentials (ssh was locked down to only allow specific user to log in). I sent a few million spams a hour for a couple of weeks, getting my host into all the DNS blocklists. This took some time to fix (you have to apply to have your host removed from the blacklist). While I'm sure sending all that spam was annoying to many other people it didn't actually affect delivery for my mail...so it seems other administrators aren't using DNS blocklists?

Second, after a while I started to get a lot of spam. Maybe 10 per day. I tried various things to handle this, including setting up a proper bayesian spam filter (amavis-new) and using DNS blocklists myself. None of this worked for me. Greylisting however worked great.

So my suggestions to you: use defence in depth for mail as well as ssh. That means, fail2ban, different creds for both, unusual ports, user whitelists, high patchlevels (auto-patch and restart is great for a personal mail server) maybe client side TLS certs...etc. If you're relying on a single layer of defence eventually you'll make a mistake with it and then you're in trouble. I guess that really applies to anything you're trying to secure.

One idea I just had: inspect the headers of your emails as they are received in a gmail account. These will often contain diagnostic information that will help you debug any problems (with SPF/DKIM/etc)
That's a very good suggestion. I pretty much do that every time I make setup changes.
Receiving email is easy. Sending it is much harder.

One of the things that is the most frustrating is that if you end up on a blacklist, or a large provider decides independently not to trust you, it's often completely silent when it blackholes all your outbound emails to that service.

I've just moved over to a hybrid of hosting my own MX servers for incoming email, and forwarding all my outgoing emails to an email-as-a-service provider for outgoing messages. Their trusted IPs usually help delivery, and they're actively paid by their users to have employees making sure that their IP ranges are whitelisted.

I might go down that route. What service are you using? Thanks
Personally, I use MailGun. They have a generous free tier (10,000 messages a month) that I've never exceeded for my personal use.
I've been running my own MTA for about 15 years now, so it's definitely possible without spending the majority of one's waking hours to do so.

Even when I switched mail server IPs twice over the last few years I didn't run into the issues you ran into. A large part of it depends on where you run it - if you, say, run it on your home Internet connection that's usually an immediate strike against you because of the insane number of spammers using backdoor'd PCs to do exactly that.

The only time I ran an MTA out of my home was when I was on a commercial ISP with a fixed IP address, that seemed to be good enough for most services including gmail and hotmail.

These days I run my MTA on a VPS with a reputable hosting provider and don't seem to have that many issues with outgoing mails marked as spam.

SPF and DKIM are pretty much a must these days, so that's a good starting point, as are the rest of the precautions you already too. I assume you're using your own domain, how "old" is that domain? That might also have an impact giving how many phishers and spammers register odd domains and use them for a short amount of time. I've used the same domain since about 1999 so that could make a difference.

I use postfix instead of qmail, but I've used qmail in the past. Both work well and are easier to configure than sendmail or exim IMHO. On top of that I do run amavisd/spamassassin/clamav for the incoming emails as well.

One more thing I've got set up that I didn't see in your list is that I've got TLS set up with a non-self signed certificate for both incoming and outgoing email. I suspect that this also makes a difference even if the other email server won't request a client certificate (most, if not all, won't). Certainly shows up when I send an email over to gmail.

My biggest issues these days are more with incoming email:

- You'll never get to the level of spam filtering that, say, gmail offers. To me, that's OK

- I use greylisting to weed out a lot of the spam that would normally make it through spamassassin, but unfortunately that's when you find out how many people have misconfigured servers that bounce emails when they encounter temporary failures

> if you, say, run it on your home Internet connection that's usually an immediate strike against you

While true, some IP addresses were not previously used, either by home connections or by anyone, so you may be in luck there. There seems to be a correlation with my latest IP switch (three years ago or so) and less mail server trouble.

Most services are also smart enough to learn to trust IP addresses after a little while. Even when SPF and DKIM is ignored, this usually solves it in a few emails.

Being able to use a previously unused IP address is usually a good thing, pity that there are so few of those left.

ISPs definitely seem to have an impact as well, but some spamfilters at least used to automatically assign a negative score to anything originating from an IP block used by an ISP for domestic Internet connections.

Well, there's plenty of IPv6 around. My ISP gives out /48 blocks to all customers together with a single, static v4 address. The difference in number of public addresses is incredible.
Good point, although that's a different rant after I found out that my ISP has an IPV6 enabled backbone but won't allegedly roll out IPV6 to their clients until late this year.
Some ISP turn over their Residential IP Blocks to Blacklist providers to add automatically to the blacklists.

ISP state in their TOS you are not to run "servers" from your home connection, as such they simply blacklist all Residential IP;s from the start, because if you are running a email server on a Residential Connection it is either a Botnet, or you are violating the TOS of your plan.

> ISP state in their TOS you are not to run "servers" from your home connection

I don't know what evil ISP that is but running your own server is 1) encouraged by my ISP since forever (XS4ALL, the Netherlands) and 2) these days it's illegal to tell people not to run servers because of net neutrality laws.

Comcast, ATT, you name it. Any of the Big US ISP's

Current Comcast AUP (http://www.xfinity.com/corporate/Customers/Policies/HighSpee...)

>>use or run dedicated, stand-alone equipment or servers from the Premises that provide network content or any other services to anyone outside of your Premises local area network (“Premises LAN”), also commonly referred to as public services or servers. Examples of prohibited equipment and servers include, but are not limited to, email, web hosting, file sharing, and proxy services and servers;

I've been running my own mail server off of a residential connection since 1998, so... 18 years. I do pay for a static IP, and I switched ISPs away from Comcast (who had inherited me as a customer) when they abruptly started to filter inbound port 25 and claimed I had a malware infestation.

For years it was qmail, but when I wanted to use SMTP/SSL as much as possible, switching to Postfix was easier than maintaining all the qmail patches.

I switched over to Let's Encrypt certs several months ago, and those have been working out quite well for me.

> when they abruptly started to filter inbound port 25

Didn't you mean "outbound"?

No, I didn't.
I don't understand. Many providers block the outbound 25 port because of their distrust of the infected computers of their end losers. What could possibly be their rationale for blocking the inbound 25 port?
A lot of ISPs say you are not allowed to run 'servers' on your home internet, and hence block inbound low ports like SMTP, IMAP, http. It's just extortion.
Incompetence. At least that was the reason why my ISP at the time blocked both outbound and inbound port 25. It took a couple of weeks to convince them that they where wrong and open for inbound again.
FYI they don't filter inbound OR outbound port 25 if you're a Comcast Business customer; in fact I think the only ports they filter for business customers are a couple of ports only used for remote attacks on MS Windows boxes.
You know how Comcast gets the Worst Company in America award every year or two? I really don't feel any desire to go back to them.

As far as I can tell Comcast employs a number of very competent network engineers and an astounding number of horrendous customer service and executive managers.

You are me, almost. I run a small amount of mail out of an OVH box with few issues; before that I hosted from my house on a static IP address.

I don't actually greylist any more, though -- I've found that postfix's protocol violation detection (postscreen[0]) is just as good, if not better, and I like my mail to come through immediately :).

Amavis is set up to do pre-queue filtering, which means that mail is either rejected or delivered (possibly to the spam folder), my server shouldn't be generating its own bounces or dropping messages on the floor.

[0]: http://www.postfix.org/POSTSCREEN_README.html

OVH boxes aren't blacklisted everywhere?
I'm running small scale mail servers. It's not nearly as difficult as the common folklore makes you believe.

Make sure you don't send spam and your server is properly configured. If you are sending mails to people that don't want it then it is spam. "They silently agreed to get our newsletter because it was listed in our ToS on page 357" is not acceptable. No other excuse for sending spam is acceptable. Whenever you send any automated mail there must be an easy way to unsubscribe.

A few more tips:

* Check your mail server on http://multirbl.valli.org/ - if it's in any blacklist try to find out why (there are a few rogue blacklists, ignore them).

* Hotmail allows you to receive a report for every mail that a hotmail user thinks is spam. Use that. Act on it.

* Check your logs for messages that indicate that others think you're spamming.

* E-Mail forwarding is a tricky business these days. Avoid it.

I occasionally get dubious spam rejections, but they don't come from the large hosts. They usually come from some small ISP using a proprietary antispam solution that gives you no insight what's going on.

My suspicion would be that qmail is your problem. There are a great many details that a mail software has to get right, qmail often doesn't do what the email ecosystem expects.

Yes - I just started doing it again. I'm glad I did. I just made sure that I could send/receive mail without issue from the large email systems.
I have been running an Exim4 email server servising several domains for many years, mostly without issue. I do have SPF configured and it is running on a commercial VPS server.

For spam defence I use grey-listing based on DNSBL lookups, some standards-enforcement ACLs and then SpamAssasin via MailScanner on the messages that get through.

Linode + Postfix successfully for years.

Reverse DNS very important and the SPF

Linode have excellent setup documentation ( https://www.linode.com/docs/email/postfix/email-with-postfix... )

I have been running this setup for a few years now and it's great. I used to have a problem with GMail rejecting a lot of forwarded emails as spam but I set up graylisting (http://postgrey.schweikert.ch/) and since then I haven't had a single email rejected. It probably also matters how long you've been running your server so I would expect (assuming you're not actually sending or forwarding spam) to see the number of rejected emails decrease over time.
I ran a setup like this for several years but rejected/spam foldered emails were always a pain, plus a well-appointed mail host uses a fair bit of memory. I use Google mail now. It's not very expensive, and instant unconditional delivery to other Google mail users is a pretty nice perk. The nicest thing is not having the worry in the back of your head that just maybe something has gone awry with your setup and you are losing mail right now.
I did almost exactly what you describe and it works flawlessly, but I only send a small volume of mail (my own). Digital ocean droplet $10 a month, but it would run on a $5 one if you don't also have caldav/sftp/kerberos/vpn/etc there like me.

Fun Fact: Microsoft Exchange has no native support for DKIM and tons of business run that in house, often on 'business class' connections without correct reverse IP records.

> Digital ocean droplet $10 a month

I don't know whether OP uses a home connection, but that makes a big difference. It has some pros and cons:

A VPS (with its dedicated IP address):

- Usually has a good reputation, though you might have bad luck. Switch early on when you notice this. Doing it later just nullifies any trouble you had building its reputation.

- Is hosted somewhere in the cloud. (I used to hate the term "the cloud" but it's actually pretty apt and funny if you start seeing it as "they have no idea where their shit is and who has access to it, both physically and network traffic".)

Hosting at home:

- Might be trouble with your ISP if you don't live in a country with net neutrality and port 25 is closed.

- Gets you a lower reputation score by default, so it takes slightly longer to build.

- Gives you full access control over your email.

There is also a third option, set up a OpenVPN server and connect the home hosted SMTP server to the internet though it, gives you the best of both worlds I figure.
That might actually be a good idea! I wonder whether a hosting provider or ISP is more reliable in not snooping SMTP traffic, but assuming that is equal, it sounds like the best of both worlds indeed.
> is it possible to run your own MTA, for personal use in 2016? Who, here, is doing it successfully?

Hello, I run my own mail server, though admittedly with an attitude of "your spam filter thinks I'm spam? That filter is broken; have fun reading your spambox."

Company email addresses are actually never any trouble anyway, only personal ones (the free ones like yahoo, gmail and hotmail) are the ones where people have trouble with broken filters, so I don't think I'm missing out on anything. And even those filters usually learn (after a few emails to different accounts on the service) that my IP address is not to fear.

I add SPF records but don't sign with DKIM (too much trouble; I set this up years ago when I didn't have much experience yet).

The last time I had trouble sending email was with (of course) google apps. Some company, whose product we were required to use by school, had no privacy policy so I wanted to ask after it. Sending them an email, google's mail server outright refused my IP address to deliver a message (this is extremely rare, usually it goes into a spambox). Google is the only one that can get away with this, given the near monopoly, without people thinking it's an issue on google's side. In the end I just didn't send them an email. Also quite ironic that google, of all companies, is the one standing in the way of my email trying to ask after a company's privacy policy.

This was half a year ago. Before that I can't remember having issues with anyone or anything for another year or so. Given how much I use email and how little spam I receive (catch-all with a blacklist), owning a mail server is totally worth it. Also because I don't have to accept anyone else's privacy policy or consider how many people have access to my inbox (I host at home, not colocated nor VPS).

Regarding spam filtering, you actually can get as good if not better than Google's. I use bogofilter, the main issue though is that when you first start using it will be quite bad at filtering, you will have to continue to train it.

I actually use sendmail with bogofilter-milter.pl script (there is also bogom program with does similar thing) as opposed to usual way of running it with procmail, it essentially does the filtering at the moment it is being sent to you and rejects spam right on the spot. The advantage of it is that sender will get notification that spam was not delivered, also many spammers might drop you from their lists when they can't deliver spam.

Using another method (catch-all with a blacklist) I also get better filtering than gmail can offer. Much less sophisticated and a little more trouble, but much more effective.
> I don't know what else to do

These days you also have to get a bunch of different VPSs and test sending e-mails from their IPs and choose the ones working. That's what e-mail marketing companies do. Because a lot of IPs and subnetworks out there have poor reputation or even completely blacklisted and that reputation is not generally recoverable.

That's what e-mail marketing companies do.

... and that, in turn, is why so many IPs have poor reputations.