Get Stalwart
SMTP server

A programmable, distributed MTA

Stalwart's MTA delivers your outbound mail and accepts the inbound traffic for it, with sender authentication, transport-layer security, a fault-tolerant queue and a programmable filter pipeline, all in the same product as the rest of the server. Run it next to the mail store on a small deployment, or pull it out into a dedicated outbound tier when the volume grows.

Get started
  • Programmable
  • Distributed
Stalwart delivery dashboard showing messages sent (DSNs, messages, reports) and delivery time over the last 24 hours
Sender and message authentication

Comprehensive sender and message authentication.

Sender authentication is what stops a stranger from emailing your customers as you, and what stops a forged message from your bank from reaching your inbox. Stalwart supports the latest standards in sender and message authentication, with both verification and reporting paths, and pairs them with the automated DKIM rotation on the mail server side so signing keys are generated, published and retired on schedule.

  • DMARC verification, alignment checking and reporting.
  • DKIM signing, verification and failure reporting.
  • SPF policy evaluation and failure reporting.
  • ARC verification on inbound mail.
  • Reverse-DNS validation.
  • Automatic ingestion of received DMARC, TLS-RPT and ARF reports.
Stalwart DMARC report detail with policy domain, alignment, disposition and per-source records
Transport security

Strong transport security between servers.

Stalwart protects mail in transit between servers with the current transport-security standards, so messages stay encrypted, authenticated end to end, and protected from silent downgrade. TLS reports flow in both directions; TLSA records stay in sync with the same automated DNS management that handles MX and DKIM, so DANE keeps validating after a certificate rollover without a second tool in the loop.

  • DANE (DNS-Based Authentication of Named Entities) for outbound TLS.
  • MTA-STS policy fetching and enforcement.
  • SMTP TLS Reporting delivery and ingestion.
  • Automatic TLSA refresh with ACME certificate rotation.
Stalwart delivery test trace showing MX, MTA-STS, TLS-RPT, TLSA, DANE, IP, TCP and STARTTLS stages with timings
Distributed virtual queues

Advanced queue management for efficient delivery.

Stalwart manages outbound delivery with a distributed, fault-tolerant queue, so high-volume mailers, transactional traffic and DMARC report streams do not interfere with each other and a node failure never strands its messages. Each virtual queue carries its own concurrency, retry policy and quota; routing rules can branch on listener, sender, recipient or any other message metadata.

  • Distributed, fault-tolerant queue store; no per-node local spool.
  • Unlimited virtual queues with per-queue concurrency.
  • Delayed delivery, priority delivery and per-queue quotas.
  • Dynamic routing rules and per-domain throttling.
  • Smart-host and relay routing for upstream submission.
Read the outbound queue docs
Stalwart outbound delivery detail showing the queue ID, attempts, MX lookup, MTA-STS check and per-stage timings for a single message
Filter pipeline

Programmable filtering, at every SMTP stage.

Inbound mail can be filtered at every SMTP stage so abusive traffic is rejected as early as possible and legitimate traffic only pays for the checks it actually needs. Sieve scripts cover server-side rules; milter and MTA Hooks plug into existing filtering infrastructure; the built-in spam filter is always available without an extra daemon to install.

  • Sieve scripting with every registered extension.
  • Milter for Rspamd, ClamAV, SpamAssassin or any sendmail-compatible filter.
  • MTA Hooks for HTTP + JSON filters.
  • Built-in spam and phishing filter; no external Rspamd required.
  • Inbound concurrency and rate limiting.
Read milterRead MTA Hooks
connect EHLO AUTH MAIL RCPT DATA built-in filter Sieve Milter MTA Hooks SMTP stages
Envelope and message rewriting

Enforce policy on every message that passes through.

Compliance disclaimers, address normalisation and attachment policy should be enforced by the server, not asked of every user. Stalwart can rewrite envelope addresses, add or remove headers, append disclaimers and strip attachments before queueing or delivery, with rules that branch on listener, sender, recipient or any other message metadata.

  • Sender, recipient and domain address rewriting.
  • Header add, modify and remove.
  • Body modification and attachment policy.
  • Programmable rules per listener, sender or recipient.
Read message rewriting
BEFORE From: [email protected] To: [email protected] Subject: Quarterly invoice Headers: (no disclaimer) 📎 invoice.exe application/x-msdownload · 1.2 MB filter AFTER From: [email protected] To: [email protected] Subject: Quarterly invoice Headers: + X-Disclaimer 📎 invoice.exe stripped (executable) Envelope rewriting
Web admin

Queue, reports and live tracing in a browser.

An SMTP operator should not need a terminal to do day-to-day work. The web admin covers queue management for messages and outbound DMARC and TLS reports, visualisation of received DMARC, TLS-RPT and ARF reports, log search and live tracing of an in-flight transaction.

  • Queue management for messages and outbound reports.
  • Received DMARC, TLS-RPT and ARF (failure) report visualisation.
  • Live tracing and message delivery history.
  • Log viewer with search and filtering.
Stalwart live tracing
High availability

Seamless failover with distributed queues.

With its distributed message-queue design, Stalwart's MTA is built for high availability. Unlike traditional MTAs that rely on local storage for queues, Stalwart shares the queue across the cluster, so any node can take over message delivery if another one fails and no message is stranded on a downed host. Adding outbound nodes increases delivery throughput without changing the rest of the topology.

  • Distributed, fault-tolerant SMTP queue.
  • Any node delivers any message; no per-node spool.
  • Node autodiscovery for streamlined network expansion.
  • Network partition-tolerant failure detection.
  • Dedicated outbound nodes for high-volume delivery tiers.
Stalwart cluster (any node serves any protocol) Clients JMAP IMAP SMTP Node 1 all protocols Node 2 all protocols Node N all protocols Coordination P2P Kafka Redis Storage Data store FoundationDB Blob store S3 / Azure Search store Elasticsearch In-memory store Redis / Valkey