Prepare A KumoMTA Host
Use a dedicated host or VM for KumoMTA when you expect production outbound volume.
Host checklist
- Static public IP.
- Correct hostname, such as mta.yourdomain.com.
- Outbound SMTP allowed by the provider.
- Enough disk for spool and logs.
- Time sync enabled.
- Firewall configured.
- TLS certificate available for HTTPS injection.
- Monitoring for CPU, memory, disk, queue age, and service health.
Use a dedicated host or VM class that can absorb queue spikes. Mail queues are disk-backed operational state; do not run production volume on a host without enough disk space, monitoring, and backup/restore expectations.
DNS checklist
Create:
A mta 203.0.113.20
PTR 203.0.113.20 -> mta.yourdomain.com
If KumoMTA signs mail for yourdomain.com, also confirm SPF and DKIM authorize the actual outbound IP or proxy path.
Service checklist
Your KumoMTA setup should provide:
- An HTTPS injection endpoint.
- A metrics endpoint restricted to trusted clients.
- DKIM signing for sender domains.
- Queue logging.
- Webhook publishing to PING8.
- A default pool/source configuration.
Security checklist
- Put the injection endpoint behind HTTPS.
- Require authentication for injection.
- Restrict metrics to trusted networks or credentials.
- Store DKIM private keys with strict file permissions.
- Keep webhook signing secrets separate from injection secrets.
- Rotate secrets using a planned change window.
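One way to check the "strict file permissions" item above, as an added example that is not from the KumoMTA or PING8 documentation: it walks a key directory and reports keys accessible to group or other, keys owned by an unexpected uid, and directories writable by group or other. The directory path, the `.key`/`.pem` suffixes, and treating owner-only access as "strict" are assumptions.

```python
import os
import stat
import sys


def audit_key_tree(root, suffixes=(".key", ".pem"), expected_uid=None):
    """Return (path, problem) pairs for DKIM keys or directories that are too open.

    root, suffixes and expected_uid are assumptions: pass the directory your
    KumoMTA policy reads keys from and the uid of the service account.
    """
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        # A group/world-writable directory lets another user replace a key.
        if os.stat(dirpath).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((dirpath, "directory writable by group/other"))
        for name in sorted(filenames):
            if not name.endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                findings.append((path, "symlink; audit the target instead"))
                continue
            mode = stat.S_IMODE(st.st_mode)
            # Strict here means owner-only: any group/other bit is a finding.
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((path, "mode %04o grants group/other access" % mode))
            if expected_uid is not None and st.st_uid != expected_uid:
                findings.append((path, "owned by uid %d" % st.st_uid))
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit_dkim_keys.py <key-directory>")
    problems = audit_key_tree(sys.argv[1])
    for path, problem in problems:
        print("%s: %s" % (path, problem))
    sys.exit(1 if problems else 0)
```

Run it with the key directory as its only argument; a non-zero exit status means at least one finding.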
Test before connecting PING8
Before enabling PING8 traffic:
- Confirm KumoMTA service starts cleanly.
- Confirm metrics are reachable from the PING8 host.
- Confirm injection is authenticated.
- Confirm DKIM signing works.
- Confirm logs show test attempts.
PING8 readiness checks
Do not connect production traffic until:
- The sender domain verifies in PING8.
- The KumoMTA base URL and metrics URL are reachable from the PING8 host.
- The default pool name in PING8 exists in the KumoMTA policy.
- A webhook event can reach the PING8 event endpoint.