Stalwart, a free and open-source self-hosted mail and collaboration server written in Rust, which supports JMAP, IMAP4, POP3, SMTP, spam and security controls, DKIM, DMARC, SPF, and more, has released version 0.16.
The WebUI has been completely rebuilt and now supports authentication via external OIDC providers, including Keycloak, Authentik, Authelia, Zitadel, and other standards-compliant platforms.
Another major change is the removal of the REST management API. Configuration and management now use JMAP objects through the existing /jmap endpoint for email, calendars, contacts, and files.
The release also introduces stalwart-cli, which uses the same JMAP management API as the WebUI. It enables server administration, application of declarative configuration plans, and reconciliation of live server state with the desired setup.
Regarding DNS automation, while previous versions only managed TXT records for ACME DNS-01 validation, Stalwart 0.16 now supports management of MX, TXT, CNAME, SRV, CAA, and TLSA records. This includes SPF, DKIM, DMARC, autoconfig, autodiscover, certificate authorization, and DANE TLSA records. Supported DNS providers include Route53, Google Cloud DNS, Bunny, Porkbun, DNSimple, Spaceship, and RFC 2136 dynamic updates signed with SIG(0) for self-hosted authoritative DNS.
Moreover, Stalwart 0.16 adds automated DKIM key rotation. The server can generate DKIM keys, rotate them on a schedule, and publish matching DNS records through the new DNS management layer. DKIM keys are now stored in the database with other configuration data, eliminating the need for manual coordination in clustered deployments.
For end users, the release introduces masked emails, which are disposable per-service addresses that forward to a user’s main inbox. These addresses can be disabled individually if compromised or if they receive unwanted mail. This feature is available in the Enterprise edition.
Security enhancements include password-strength checks with zxcvbn, password-expiration and rotation policies, and the ability to restrict user accounts to specific IP ranges. App passwords and API keys can now be scoped to specific permissions, labeled, assigned expiration dates, and limited by IP address.
Additional updates include support for the Automatic Configuration of Email, Calendar, and Contact Server Settings draft, MS Autodiscover V2, domain aliases, alias descriptions, disabled aliases, Sieve script deactivation, automatic node ID generation, unified cluster management, and a new outbound MTA role for dedicated queue nodes.
Plus, the ACME layer now supports the DNS-PERSIST-01 challenge, on-demand certificate renewal, and a certificate detail view.
For more details, see the announcement.
Finally, due to the management-layer redesign and removal of legacy features, Stalwart 0.16 is not just a routine maintenance update. In light of this, devs warn of multiple breaking changes and strongly recommend reviewing the upgrade documentation before updating production deployments.
