Self-hosted email infrastructure for the Zenpower ecosystem. Postfix MTA with full authentication chain: DKIM signatures, SPF authorization, and DMARC policy enforcement. No third-party email provider. No data leaves Austrian jurisdiction.
mail.zenpower.at / Postfix MTA / DKIM + SPF + DMARC / TLS enforced / Austrian sovereignty
Authentication Chain
Four layers of email authentication ensure deliverability and prevent spoofing. Each layer is independently verifiable by any receiving mail server.
Sender Policy Framework
DNS TXT record declares which IP addresses are authorized to send mail for zenpower.at. Receiving servers reject or flag messages from unauthorized senders.
DomainKeys Identified Mail
Every outbound message is cryptographically signed with a domain key. The public key is published in DNS. Receiving servers verify the signature to confirm message integrity and origin.
Domain-based Message Authentication
DMARC policy tells receiving servers what to do when SPF or DKIM fail: reject, quarantine, or report. Aggregate reports provide visibility into spoofing attempts and deliverability.
Transport Layer Security
STARTTLS on port 587 for submission, mandatory TLS for server-to-server relay. Certificates managed by Traefik with automatic Let's Encrypt renewal.
Architecture
Postfix MTA
Battle-tested mail transfer agent. Handles SMTP relay, queue management, and delivery. Configured with strict relay controls — only authenticated users and internal services can send.
Milter Filtering
Mail content filtering via milter protocol. Spam scoring, virus scanning, and policy enforcement happen before messages hit the queue. Rejected mail never touches storage.
DNS Records
MX, SPF, DKIM, and DMARC records managed through Cloudflare DNS. Reverse DNS (PTR) configured on the server IP for deliverability. All records are publicly auditable.
Monitoring
Mail queue depth, delivery latency, bounce rates, and DMARC aggregate reports tracked through the platform monitoring stack. Alerts on delivery failures.
DNS Records
Public DNS configuration for zenpower.at mail delivery. All records are verifiable with dig or any DNS lookup tool.
| Type | Host | Purpose |
|---|---|---|
| MX | zenpower.at | Routes inbound mail to mail.zenpower.at |
| A | mail.zenpower.at | Mail server IP address |
| TXT | zenpower.at | SPF record — authorized sender IP list |
| TXT | default._domainkey | DKIM public key for signature verification |
| TXT | _dmarc.zenpower.at | DMARC policy and aggregate report destination |
| PTR | server IP | Reverse DNS — resolves back to mail.zenpower.at |
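The TXT records in this table can be checked for weak settings once fetched. The following is an added example, not Zenpower's own tooling: it audits SPF, DKIM and DMARC strings in the form `dig +short TXT` prints them. The `example.org` hosts mirror the table's layout, the record values are constructed, and the function names are this example's own.

```python
import re

def join_txt(dig_line):
    """Join the quoted chunks of one `dig +short TXT` line (long DKIM keys are split)."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', dig_line)) or dig_line.strip()

def parse_tags(txt):
    """Split DKIM/DMARC 'tag=value; ...' syntax into a dict keyed by lowercase tag."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_spf(txt):
    terms = txt.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record"]
    alls = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not alls and not any(t.startswith("redirect=") for t in terms):
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    if alls and alls[0] in ("all", "+all"):
        return ["'+all' authorizes every sender"]
    if alls and alls[0] in ("~all", "?all"):
        return [f"'{alls[0]}' does not hard-fail unlisted senders"]
    return []

def audit_dkim(txt):  # an empty p= tag means the key has been revoked
    return [] if parse_tags(txt).get("p") else ["empty or missing p=: key revoked or absent"]

def audit_dmarc(txt):
    tags, out = parse_tags(txt), []
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        out.append("missing or invalid p= policy")
    elif policy == "none":
        out.append("p=none: monitoring only, failures not enforced")
    if "rua" not in tags:
        out.append("no rua=: aggregate reports not requested")
    return out

# Constructed sample lines (assumptions): hosts and values are placeholders, not real records.
SAMPLES = {
    "example.org": (audit_spf, '"v=spf1 mx ip4:192.0.2.10 ~all"'),
    "default._domainkey.example.org": (audit_dkim, '"v=DKIM1; k=rsa; " "p=MIIBIjANBgkqhkiG9w0B"'),
    "_dmarc.example.org": (audit_dmarc, '"v=DMARC1; p=none"'),
}

def audit_all(samples=SAMPLES):
    return {host: check(join_txt(line)) for host, (check, line) in samples.items()}
```

Calling `audit_all()` returns a dict of findings per host; an empty list means none of these checks fired for that record.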
Why Self-Hosted
Data Sovereignty
Email content never passes through third-party servers. No Google. No Microsoft. No SendGrid. Messages are stored on infrastructure controlled by Zenpower under Austrian and EU jurisdiction.
No Vendor Lock-in
Standard SMTP/IMAP protocols. Any mail client works. Migration is trivial because there is nothing proprietary to escape from.
Full Audit Trail
Every message, every relay decision, every authentication check is logged. Complete visibility into mail flow. No black box between send and delivery.
Cost Efficiency
No per-seat licensing. No volume pricing tiers. The marginal cost of one more mailbox is zero. Infrastructure is already running.