How to Open Port 25 on a VPS: Complete Postfix SMTP Setup Guide
A step-by-step walkthrough of setting up Postfix with SPF, DKIM, and DMARC on a VPS with Port 25 open — so your mail actually reaches the inbox.
Running your own SMTP server is still the cheapest way to send high-volume transactional and marketing email — if your VPS has Port 25 open outbound. Most mainstream cloud providers (AWS, Google Cloud, DigitalOcean, Azure) block it by default because of spam abuse history, so step one is picking a VPS that allows it.
This guide walks through a full production-grade Postfix setup on a fresh Ubuntu 22.04 VPS with Port 25 open. By the end you'll be able to send mail from you@yourdomain.com that lands in Gmail's inbox — not the spam folder.
What you need before you start
- A VPS with outbound Port 25 open (VolkNode VPS plans ship with Port 25 unblocked by default).
- A domain you control with DNS access (Cloudflare, Route 53, Namecheap — anything).
- A clean IP. Check it at mxtoolbox.com/blacklists before you start.
- rDNS / PTR record pointing back to your hostname. Most VPS control panels expose a field for this; set it to something like mail.yourdomain.com.
Step 1 — Hostname and rDNS
Gmail, Microsoft, and Yahoo all reject mail from servers whose PTR doesn't resolve forward-and-back consistently. Set it up first:
sudo hostnamectl set-hostname mail.yourdomain.com
echo "127.0.1.1 mail.yourdomain.com mail" | sudo tee -a /etc/hosts
Then, in your VPS provider's control panel, set the PTR/reverse DNS for your IPv4 to mail.yourdomain.com. Verify with:
dig -x YOUR_IP +short
Step 2 — Install Postfix
sudo apt update
sudo apt install -y postfix mailutils opendkim opendkim-tools
When the installer asks, pick "Internet Site" and enter yourdomain.com as the mail name.
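Open /etc/postfix/main.cf and make sure these are set. The two smtpd_tls_*_file paths assume a Let's Encrypt certificate for mail.yourdomain.com already exists at those locations; issuing it is not covered in this guide.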
myhostname = mail.yourdomain.com
mydomain = yourdomain.com
myorigin = $mydomain
inet_interfaces = all
inet_protocols = ipv4
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.yourdomain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.yourdomain.com/privkey.pem
smtpd_use_tls = yes
smtp_tls_security_level = may
smtpd_tls_security_level = may
Restart Postfix: sudo systemctl restart postfix.
Step 3 — SPF
Publish a TXT record on yourdomain.com:
v=spf1 mx a ip4:YOUR_IP -all
The -all means "reject anything else". If you also send through Mailgun, Stripe, or Google Workspace, include them: v=spf1 include:_spf.google.com ip4:YOUR_IP -all.
Step 4 — DKIM with OpenDKIM
DKIM signs every outgoing message so receivers can verify it wasn't tampered with. Generate a key:
sudo mkdir -p /etc/opendkim/keys/yourdomain.com
cd /etc/opendkim/keys/yourdomain.com
sudo opendkim-genkey -s default -d yourdomain.com
sudo chown opendkim:opendkim default.private
Copy the contents of default.txt into a TXT record named default._domainkey.yourdomain.com.
Configure /etc/opendkim.conf:
Domain yourdomain.com
KeyFile /etc/opendkim/keys/yourdomain.com/default.private
Selector default
Socket inet:8891@localhost
And point Postfix at it in /etc/postfix/main.cf:
milter_protocol = 6
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
Restart both services: sudo systemctl restart opendkim postfix
Step 5 — DMARC
DMARC tells receivers what to do with mail that fails authentication, meaning neither SPF nor DKIM passes for the domain in the From header. Start gentle so you don't nuke legitimate mail:
_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
After two weeks of clean reports, tighten to p=quarantine and eventually p=reject.
Step 6 — Test
Send yourself mail:
echo "Test body" | mail -s "Test subject" you@gmail.com
Then check mail-tester.com — aim for 9/10 or higher. Anything less usually means a missing SPF, DKIM, or PTR record.
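The lint below is an added example, not part of the original guide: it checks the text that dig +short TXT returns for the records from Steps 3 to 5 and reports common publishing mistakes. The function names (txt_join, tag, spf_status, dkim_status, dmarc_policy) and all sample records are constructed for illustration.

```sh
#!/bin/sh
# Added example: offline lint for the TXT records published in Steps 3-5.
# Function names and all sample records are constructed for illustration.

# `dig +short TXT` prints a record as quoted chunks ("..." "..."); DKIM keys
# longer than 255 characters are split this way. Join the chunks per line.
txt_join() { sed -e 's/" *"//g' -e 's/^"//' -e 's/"$//'; }

# Print the value of one "name=value" tag from a ';'-separated record on stdin.
tag() { tr ';' '\n' | sed -n "s/^ *$1 *= *//p" | head -n 1; }

# stdin: every TXT record of the domain, one per line (already joined).
# Prints: ok | missing | multiple | not-hardfail
spf_status() (
  recs=$(grep -Ei '^v=spf1( |$)' || true)
  [ -n "$recs" ] || { echo missing; exit 0; }
  n=$(printf '%s\n' "$recs" | wc -l | tr -d ' ')
  # More than one v=spf1 record is a permanent error (RFC 7208, section 4.5).
  [ "$n" -eq 1 ] || { echo multiple; exit 0; }
  case "$recs" in
    *" -all") echo ok ;;
    *) echo not-hardfail ;;   # ~all, ?all, +all or no "all" mechanism
  esac
)

# stdin: the joined TXT record at default._domainkey.yourdomain.com.
# Expects the v=DKIM1 tag; an empty p= tag means the key has been revoked.
# Prints: ok | missing | revoked
dkim_status() (
  rec=$(cat)
  case "$rec" in *v=DKIM1*) ;; *) echo missing; exit 0 ;; esac
  key=$(printf '%s\n' "$rec" | tag p | tr -d ' ')
  if [ -n "$key" ]; then echo ok; else echo revoked; fi
)

# stdin: the joined TXT record at _dmarc.yourdomain.com.
# Prints the policy (none | quarantine | reject) or "invalid".
dmarc_policy() (
  rec=$(cat)
  case "$rec" in v=DMARC1*) ;; *) echo invalid; exit 0 ;; esac
  p=$(printf '%s\n' "$rec" | tag p | tr -d ' ')
  case "$p" in none|quarantine|reject) echo "$p" ;; *) echo invalid ;; esac
)

# Constructed sample: a second SPF record was added for Google Workspace
# instead of merging it into the first, so receivers see a permerror.
printf '%s\n' '"v=spf1 mx a ip4:203.0.113.10 -all"' \
  '"v=spf1 include:_spf.google.com -all"' | txt_join | spf_status  # multiple
# Live use (needs DNS):
#   dig +short TXT _dmarc.yourdomain.com | txt_join | dmarc_policy
```

The checks only read the published text; they do not resolve the mx and a mechanisms or verify that the DKIM key matches default.private.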
Common gotchas
- Port 25 blocked upstream. If telnet smtp.gmail.com 25 hangs, your provider is blocking outbound 25. Move to a host that doesn't — like VolkNode's VPS plans.
- Missing rDNS. Gmail rejects with "does not meet IPv6 sending guidelines" even on IPv4 if PTR is wrong.
- Fresh IP reputation. Brand-new IPs need to be warmed up — start with 50 emails/day and double every 2-3 days over 2 weeks.
Wrap-up
Port 25, Postfix, SPF, DKIM, DMARC, rDNS, TLS. That's the full stack. If any one of those six is misconfigured you'll end up in spam. Nail all of them and a $6/mo VPS will out-deliver most managed SaaS at 1/100th the price.