A multi domain email server runs SMTP and IMAP for multiple domains on shared infrastructure. The question isn't whether one server can host many domains — Postfix and Dovecot have done that for decades — it's which architecture pattern survives the first deliverability incident. The wrong pattern at 20 domains becomes operationally unsustainable by 100.
This guide walks through three architecture patterns for a multi domain email server, where each one breaks, and the buy-vs-build math that decides whether you should run one yourself or use a hosted multi-tenant provider. For the broader pillar context see multi domain mail server.
What a Multi Domain Email Server Actually Is
A multi domain email server is one Postfix/Dovecot stack that accepts and sends mail for multiple distinct domains — the same SMTP transport, the same IMAP storage, the same admin pane, serving client1.com, client2.com, and client3.com simultaneously with full isolation. One server, many tenants.
This is operationally different from "one server, one domain" simplicity and from "many servers, many domains" overhead. The multi-tenant pattern saves infrastructure cost at the price of more careful configuration. Tenant isolation must be correct — Dovecot's auth backend, Postfix's virtual_mailbox_domains, per-domain DKIM keys, per-customer reputation — or one bad tenant takes down deliverability for all of them. Most small-to-medium agencies choose a hosted provider instead of self-hosting precisely because getting this configuration right is the hard part, not the Postfix transport itself.
Three Architecture Patterns and Where Each Breaks
Three patterns dominate multi domain email server deployments in 2026. Each has a sweet spot and a breaking point. Knowing where each pattern breaks decides whether you're picking the right architecture for your current scale or buying yourself a painful re-architecture in two years.
| Pattern | Sweet spot | Breaking point | Operational cost |
|---|---|---|---|
| One server per domain | 1-5 high-value domains | 20+ domains (per-server overhead scales linearly) | High per domain |
| Single multi-tenant multi domain email server | 10-200 domains | 500+ (storage and IP-reputation isolation gets hard) | Low marginal per domain, high baseline |
| Hosted multi-tenant (TrekMail, Migadu) | Any scale, no engineering time | Very specific compliance edge cases | Plan price only, zero engineering |
Most agencies converge on hosted multi-tenant once they realize the engineering cost of running their own multi domain email server exceeds the plan price. TrekMail Agency at $29/month flat handles up to 1,000 domains × 1,000 mailboxes per domain — replacing roughly 1-2 FTE of mail-engineer work with a monthly invoice. The math almost always favours hosted below 500 active domains.
Postfix Multi Domain Email Server Configuration Basics
For operators who do run their own multi domain email server, Postfix supports multi-tenancy via the virtual_mailbox_domains directive. Instead of hardcoding domains into main.cf, you store the list in a hash map, SQL backend, or LDAP query depending on scale.
```
# /etc/postfix/main.cf
virtual_mailbox_domains = hash:/etc/postfix/vhosts
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_alias_maps = hash:/etc/postfix/valias
virtual_transport = lmtp:unix:private/dovecot-lmtp
```
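The vhosts file lists every domain. The vmailbox file maps addresses to delivery paths; with the LMTP transport shown here, Postfix uses it only to decide which recipients exist, and Dovecot decides where the mail is stored. The valias file handles aliases. LMTP hands off cleanly to Dovecot for storage and per-recipient quota enforcement. For per-domain DKIM signing, OpenDKIM with per-domain key tables lets each domain sign with its own key and rotate it independently.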
Dovecot's directory layout for a multi domain email server is conventionally /var/vmail/<domain>/<user>/. The %d and %n expansions in mail_location = maildir:/var/vmail/%d/%n handle the routing. Per-domain backups and per-tenant operations stay clean — you can rsync a single tenant out without touching the others. The full Postfix walkthrough is in the multi domain mail server pillar.
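A tenant-isolation lint over the three lookup tables above, as an added example (not part of the original guide or of Postfix). The table contents are constructed, the `<domain>/<user>/` right-hand side follows the directory layout described here, and treating an alias that forwards into another hosted domain as a finding is an assumed policy.

```python
# Constructed sample contents of vhosts, vmailbox and valias (inlined to run offline).
VHOSTS = """\
client1.com   OK
client2.com   OK
"""
VMAILBOX = """\
alice@client1.com   client1.com/alice/
bob@client2.com     client2.com/bob/
carol@client3.com   client3.com/carol/
dave@client2.com    client1.com/dave/
"""
VALIAS = """\
info@client1.com    alice@client1.com
sales@client2.com   alice@client1.com
ops@client2.com     bob@client2.com, oncall@example.net
"""

def parse_map(text):
    """Parse 'key  value' lines of a Postfix map source file into a dict."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts and not parts[0].startswith("#"):
            table[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return table

def lint(vhosts, vmailbox, valias):
    """Return findings where a table entry crosses a tenant boundary."""
    hosted, findings = set(parse_map(vhosts)), []
    for addr, path in parse_map(vmailbox).items():
        user, _, domain = addr.rpartition("@")
        if domain not in hosted:
            findings.append(f"{addr}: domain not in vhosts")
        elif path != f"{domain}/{user}/":
            findings.append(f"{addr}: path {path} outside own tenant dir")
    for alias, targets in parse_map(valias).items():
        src = alias.rpartition("@")[2]
        for target in (t.strip().lower() for t in targets.split(",")):
            dst = target.rpartition("@")[2]
            # Forwarding to an external domain is allowed; another tenant is not.
            if dst in hosted and dst != src:
                findings.append(f"{alias}: forwards to other tenant {target}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(VHOSTS, VMAILBOX, VALIAS)))
```

Running it before `postmap` catches cross-tenant entries while they are still a text diff rather than live routing.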
Reputation Isolation Across Tenants
The hardest part of running a multi domain email server isn't transport configuration — it's per-tenant reputation isolation. When one tenant runs a bad outbound campaign, the shared outbound IP gets blacklisted. Every other tenant's mail starts failing at Gmail. The damage radius is your entire customer base, not just the tenant who misbehaved.
Three mitigation patterns help. Per-domain DKIM rotation limits compromise blast radius — when one key gets leaked, only that domain's signing needs replacing. Outbound rate limiting per tenant prevents a single compromised mailbox from blasting 100K spam through the shared pool in 20 minutes. Multiple outbound IPs with tenant-IP affinity (heavy senders routed via dedicated IPs) prevents one bad tenant from tanking shared reputation. See multi-domain email hosting risks for the failure inventory.
TrekMail's hosted multi-tenant approach handles all three patterns automatically — per-customer DKIM rotation, per-mailbox and per-account rate caps, IP pool monitoring and reputation-tier routing. Self-hosted operators have to build and maintain this stack themselves. That's a non-trivial engineering project: OpenDKIM with per-domain key tables, a custom rotation cron, a rate-limiting layer in Postfix, and a DMARC report parser are each their own weekend of work.
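The per-tenant rate cap described above, sketched as detection over Postfix queue-manager log lines; this is an added example, not TrekMail's or Postfix's own mechanism. The log lines are constructed, the cap, window and year are assumed values, and attributing by envelope sender domain assumes senders are already restricted to their own tenant's addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed postfix/qmgr log lines (not taken from a real server).
LOG = """\
Jan 12 03:14:01 mx1 postfix/qmgr[911]: 4F2A81C0A1: from=<news@client1.com>, size=2100, nrcpt=40 (queue active)
Jan 12 03:14:20 mx1 postfix/qmgr[911]: 4F2A81C0A2: from=<bob@client2.com>, size=900, nrcpt=1 (queue active)
Jan 12 03:14:30 mx1 postfix/qmgr[911]: 4F2A81C0A3: from=<news@client1.com>, size=2100, nrcpt=45 (queue active)
Jan 12 03:15:10 mx1 postfix/qmgr[911]: 4F2A81C0A4: from=<news@client1.com>, size=2100, nrcpt=30 (queue active)
Jan 12 03:16:02 mx1 postfix/qmgr[911]: 4F2A81C0A5: from=<bob@client2.com>, size=950, nrcpt=2 (queue active)
Jan 12 03:25:00 mx1 postfix/qmgr[911]: 4F2A81C0A6: from=<news@client1.com>, size=2100, nrcpt=5 (queue active)
"""
QMGR = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ postfix/qmgr\[\d+\]: \w+: "
                  r"from=<[^>@]*@([^>]+)>, size=\d+, nrcpt=(\d+)")
YEAR = 2026  # assumption: classic syslog timestamps carry no year

def over_cap(log, cap, window_s):
    """Return {sender_domain: peak recipients per window} for domains above cap."""
    recent = defaultdict(deque)   # domain -> (timestamp, nrcpt) still inside the window
    peaks = {}
    for line in log.splitlines():
        m = QMGR.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        domain, nrcpt = m.group(2).lower(), int(m.group(3))
        q = recent[domain]
        q.append((ts, nrcpt))
        # Drop entries older than the sliding window before summing.
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        total = sum(n for _, n in q)
        if total > cap:
            peaks[domain] = max(peaks.get(domain, 0), total)
    return peaks

if __name__ == "__main__":
    print(over_cap(LOG, cap=100, window_s=300))
```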
Self-Hosted vs Hosted Multi Domain Email Server
The buy-vs-build math for a multi domain email server comes down to engineering capacity. Self-hosting looks cheap on infrastructure (a $50/month VPS handles 50 domains' worth of mail volume); it looks expensive when you count the 10-40 hours per month of engineering work for DKIM rotation, DMARC parsing, blacklist appeals, and inevitable 3 a.m. incident response.
At small scale (1-5 domains), self-hosting is fine if you already have a mail engineer. At medium scale (5-50 domains), the engineering hours alone exceed any hosted plan price. At larger scale (50-5,000 domains), hosted multi-tenant beats self-hosted by an order of magnitude on TCO unless you specifically need control no provider gives. The 5,000+ scale needs custom commercial terms regardless of vendor model.
TrekMail Agency at $29/month flat ($23.25 yearly) replaces roughly 1-2 FTE of mail-engineering work with a plan price. For agencies running 50-1,000 client domains, that's the cheapest serious option. Self-hosted only makes sense at this scale if compliance or in-house capacity forces it. The math almost never favours self-hosting unless you already pay an engineer to be available for mail incidents at 3 a.m. For the deeper analysis see the multi-domain mail server pillar.
Onboarding Playbook for a New Multi Domain Email Server Deployment
Spinning up a multi domain email server — hosted or self-hosted — follows the same six-step onboarding playbook. Each step has a checkpoint that confirms the previous step worked before moving on. Skip the checkpoints and you'll be debugging weeks later, unsure which step introduced the issue.
Step one: bulk-import client domains via CSV. TrekMail's bulk-domain import handles 50 domains in one transaction with TXT verification queued automatically. For self-hosted Postfix, the equivalent is writing the vhosts file and running postmap. Checkpoint: every domain's verification TXT record is published and the host shows it green.
Step two: provision per-domain DKIM keys. Hosted multi-tenant providers do this automatically; self-hosted setups need OpenDKIM with per-domain key tables. Checkpoint: every domain has a DKIM selector visible in DNS and signing config in Postfix points at the right key.
Step three: bulk-create mailboxes via CSV or API. Send invite emails so each user sets their own password and 2FA. Checkpoint: every mailbox shows "active" status and at least one user has completed the invite flow successfully.
Step four: publish MX, SPF, DMARC records at each tenant's DNS provider. The MX points at the multi domain email server's hostname; SPF includes the server's sending IPs; DMARC starts at p=none for the audit window. Checkpoint: external mail received at one mailbox per domain.
Step five: run the round-trip authentication test for at least one mailbox per domain. SPF=PASS, DKIM=PASS, DMARC=PASS across Gmail, Outlook, and Yahoo receivers. Checkpoint: zero failures across the test matrix.
Step six: enable DMARC report ingestion. Hosted providers do this automatically; self-hosted setups need a DMARC report parser pointed at the rua address you published. Checkpoint: DMARC aggregate reports are arriving daily from receivers and being attributed to the right tenant. After two weeks of clean reports, tighten policy to p=quarantine.
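The step-six checkpoint as an added example (not a hosted provider's parser): it attributes DMARC aggregate report records to tenants and reports whether a tenant's data is clean enough to move off p=none. The reports are constructed in the RFC 7489 element layout, the helper and tenant names are hypothetical, and choosing which two weeks of reports to pass in is left to the caller.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Helpers that build constructed aggregate reports (RFC 7489 element names).
def _record(ip, count, dkim, spf, header_from):
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row>"
            f"<identifiers><header_from>{header_from}</header_from></identifiers></record>")

def _report(domain, *records):
    return (f"<feedback><policy_published><domain>{domain}</domain><p>none</p>"
            f"</policy_published>{''.join(records)}</feedback>")

REPORTS = [
    _report("client1.com", _record("192.0.2.10", 120, "pass", "pass", "client1.com"),
                           _record("198.51.100.5", 3, "pass", "fail", "client1.com")),
    _report("client2.com", _record("192.0.2.10", 80, "pass", "pass", "client2.com"),
                           _record("203.0.113.77", 15, "fail", "fail", "client2.com")),
]

def summarize(reports, tenants):
    """Return {tenant: {"pass": n, "fail": n, "fail_ips": set}} from report XML."""
    stats = defaultdict(lambda: {"pass": 0, "fail": 0, "fail_ips": set()})
    for xml_text in reports:
        if "<!DOCTYPE" in xml_text:   # reports are untrusted input: refuse DTDs
            continue
        for rec in ET.fromstring(xml_text).iter("record"):
            sender = rec.findtext("identifiers/header_from", "").lower()
            tenant = next((t for t in tenants
                           if sender == t or sender.endswith("." + t)), "unattributed")
            count = int(rec.findtext("row/count", "0"))
            ev = rec.find("row/policy_evaluated")
            # DMARC passes when either evaluated mechanism (DKIM or SPF) passes.
            ok = ev is not None and "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
            stats[tenant]["pass" if ok else "fail"] += count
            if not ok:
                stats[tenant]["fail_ips"].add(rec.findtext("row/source_ip"))
    return dict(stats)

def ready_for_quarantine(stats, tenant):
    """True only if the tenant has report data and none of it failed DMARC."""
    s = stats.get(tenant)
    return bool(s) and s["pass"] > 0 and s["fail"] == 0
```

A tenant with no reports at all is reported as not ready, so a broken rua address cannot pass the checkpoint by silence.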
Next Steps
A multi domain email server is the right architecture pattern for agencies and operators with many client domains. Whether you run it yourself or use a hosted provider depends on your engineering capacity and your operational discipline. Self-hosting works at small scale or where in-house engineering is already paid for; hosted multi-tenant wins at most realistic scales.
For hosted multi-tenant operations, TrekMail Agency at $29/month flat ($23.25 on annual billing) is the cheapest realistic answer for running 50 to 1,000 client domain operations without dedicating engineering headcount to mail infrastructure. The flat-rate model means your costs don't scale linearly with domain count — adding the 100th client domain costs the same as adding the 10th.
The 14-day trial requires a credit card; the free Nano tier covers 10 domains × 10 mailboxes for testing the dashboard without committing to a paid tier. Sign up at trekmail.net/pricing. For the broader operator playbook covering tenant isolation, bulk provisioning workflows, and incident response patterns, see multi-domain email hosting.