You look spammy if you don't have SPF or DKIM, and hopefully both. [...]
I don't want to worry about spam, SPF, DNS or the lot. That is what the ISP is there for. Most of them actually do a pretty good job for very little money in my experience. If not, you can always switch to another ISP.
Regarding geofencing, look back at my post. [...]
Geofencing is way too complicated. You would need a real e-mail consultant for that. 8-)
It is far easier to install OpenVPN, in order to avoid exposing anything else internal on the Internet. Then it is like the user is inside the LAN. There is nothing else to adjust in the mail server or anywhere else.
The reason I run my own email server is I got hacked when using a hosting service. [...]
I can understand that you got hacked. A nasty experience. But, if you think about it, your ISP got hacked, not you. If you open ports, your server may get hacked. And then the hacker is inside your network.
Hack attacks like yours is probably the reason why the European Union is forcing nowadays a kind of two-factor authentication for banks, PayPal etc.
The hacker did not change the e-mail password so that you do not realise immediately that you got hacked, and maybe immediately cancel your credit cards etc.
There is no way most part-time admins like me can provide better security than an ISP. Even paying for a more professional service is probably not worth it. It's an economic weighing exercise: how many get hacked, and what protection costs. I would start by securing PayPal etc. better, by using two-factor authentication like SMS or a separate mobile App to approve payments.
One thing you will learn about email servers is there are many programs to chain together. [...]
That is why I wanted the ISP to take over spam and virus detection. Most do a reasonable job, better than I could ever do anyway.
Best regards, rdiez