Short notes on things I just figured out.
Can't self-host inbound mail at home on Bell. Use a VPS as a relay or AWS SES inbound. Lightsail allows port 25 out of the box.
Private key signs the email, public key lives in DNS. Receivers verify the signature — can't be spoofed without the private key.
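A simplified model of the sign-and-verify flow in the last note (the mechanism DKIM uses), added here as an example and not part of the original notes. The demo key built from two Mersenne primes, the `example.com` domain, the `s1` selector, the dict standing in for DNS, and the plain RSA-over-SHA-256 signing (no PKCS#1 padding, no DKIM canonicalization) are all assumptions chosen so it runs on the standard library alone.

```python
import hashlib

# Constructed demo key (assumption): two known Mersenne primes. Trivially
# factorable, used only so the example runs offline without extra packages.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, never leaves the sender

# Hypothetical zone data: selector "s1" under example.com publishes (n, e).
DNS_TXT = {"s1._domainkey.example.com": {"n": N, "e": E}}

SIGNED_HEADERS = ("from", "to", "subject")


def digest(headers, body):
    """Hash the signed headers together with a hash of the body."""
    body_hash = hashlib.sha256(body.encode()).hexdigest()
    lines = [f"{h}:{headers[h].strip()}" for h in SIGNED_HEADERS]
    data = "\r\n".join(lines + [f"bh:{body_hash}"]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(headers, body, d=D, n=N):
    """Sender side: requires the private exponent d."""
    return pow(digest(headers, body), d, n)


def verify(headers, body, signature, domain, selector):
    """Receiver side: uses only the public key looked up in DNS."""
    key = DNS_TXT.get(f"{selector}._domainkey.{domain}")
    if key is None:
        return False  # no published key, nothing to verify against
    return pow(signature, key["e"], key["n"]) == digest(headers, body)


# Constructed sample message.
HEADERS = {"from": "alice@example.com", "to": "bob@example.net",
           "subject": "Invoice 42"}
BODY = "Please pay by Friday.\r\n"
SIG = sign(HEADERS, BODY)

if __name__ == "__main__":
    print(verify(HEADERS, BODY, SIG, "example.com", "s1"))  # genuine message
    altered = dict(HEADERS, subject="Invoice 42 - new bank details")
    print(verify(altered, BODY, SIG, "example.com", "s1"))  # changed in transit
```

The signature covers the listed headers and the body hash, so changing either after signing, or signing with a key other than the one published in DNS, makes verification fail.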