Email provider migration playbook: moving between ESPs or mailbox platforms while preserving authentication and reputation

Moving email from one provider to another is rarely just an account migration. The visible mailbox may stay the same, but the mail path, signing system, bounce domain, sending IPs, feedback loops, tracking links, and reputation history often change underneath it.

That is why teams get surprised by cutovers that look technically complete but suddenly produce dmarc=fail, Gmail throttling, Microsoft junk-folder placement, or complaint spikes. SPF authenticates the SMTP path. DKIM authenticates the signer. DMARC only passes when the visible From: domain aligns with one of those passing identifiers. Reputation is separate again: mailbox providers also care whether the new platform behaves like a trustworthy sender.

The standards and provider guidance are consistent on this point. SPF authorizes the MAIL FROM or HELO path in RFC 7208. DKIM verifies the signing domain and published selector keys in RFC 6376. DMARC compares the visible From: domain to the authenticated identifiers in RFC 7489. Google's current Email sender guidelines also still require authenticated mail, valid forward and reverse DNS, TLS, and DMARC alignment for bulk sending.

The short version

If the migration team only needs the safe order first, use this sequence:

1. inventory every sending domain, bounce domain, DKIM selector, IP, and traffic type on the old platform
2. make the new provider send test mail with aligned DKIM before moving production traffic
3. add the new platform to SPF before the cutover, while keeping the old one authorized during overlap
4. keep the visible From: identity stable unless there is a strong reason to change it
5. move the least risky traffic slice first, not the full program
6. preserve unsubscribe, feedback-loop, tracking, and complaint-handling controls before the ramp
7. warm volume gradually if the migration also changes IPs, pools, or mailbox-provider trust signals
8. remove the old provider from SPF and retire old selectors only after the old path is truly idle

The key idea is overlap. The safest provider migration is not a hard switch. It is a staged period where both the old and new paths can still authenticate legitimate mail.

What actually changes during an ESP or mailbox-platform migration

Provider migrations come in a few different shapes, but the underlying risks are similar:

• moving from one ESP to another for marketing mail
• moving transactional mail to a new API provider
• moving user mailboxes between suites such as Google Workspace and Microsoft 365
• moving from a self-hosted relay to a cloud mail platform
• splitting mail streams that previously shared one platform

What changes may include:

• the SMTP egress IPs
• the SPF include or direct ip4 / ip6 authorizations
• the bounce or return-path domain
• the DKIM selector and key-hosting model
• the d= signing domain used by the provider
• TLS behavior and EHLO identity
• click-tracking or open-tracking domains
• complaint and unsubscribe plumbing
• suppression lists, recipient engagement history, and domain or IP reputation context

Treating this as just a mailbox or vendor migration is how authentication and deliverability regressions slip through.

Why these moves break SPF, DKIM, and DMARC

SPF fails when the SMTP path changes

SPF validates the domain used in the SMTP MAIL FROM identity, not the visible From: header. If the new platform sends from new IPs or uses a different bounce domain, the receiver evaluates that new path.

That means a migration can fail even when the end user still sees the same sender address. If the new platform was not added to SPF in advance, or if the provider uses a different bounce domain than expected, receivers can return spf=fail or produce a non-aligned SPF pass that is useless for DMARC.

If the distinction between visible sender and envelope sender needs a refresher, Return-Path vs From: practical implications is the right background reading.

DKIM fails when the signer changes

DKIM is usually what lets a provider migration survive path changes, but only if the new provider signs correctly from the first real test message.

Common migration failures are:

• the new platform is not signing at all
• it signs with the provider's domain instead of an aligned customer domain
• the selector exists in the vendor UI but its DNS record is not live yet
• the wrong selector is active after a staged rollout
• message modification after signing breaks verification for some templates

RFC 6376 is explicit that selectors exist so domains can run multiple keys concurrently during transition periods. That is exactly the pattern you want during a provider migration.

DMARC fails when alignment disappears

DMARC does not pass because both SPF and DKIM merely exist. It passes only when the visible From: domain aligns with a passing SPF domain or a passing DKIM d= domain.

Typical migration outcome when the design was too loose:

• SPF passes for a provider-owned bounce domain that is not aligned
• DKIM passes for the provider's domain, not yours
• DMARC fails for the domain the recipient actually sees in From:

That is why the safest migrations keep the visible author domain stable while making the new platform authenticate that same identity correctly.

Reputation risks that are separate from authentication

Passing SPF, DKIM, and DMARC is necessary, but it is not the whole migration.

Google's sender guidance also emphasizes spam rate, PTR consistency, TLS, gradual volume increases, and one-click unsubscribe for qualifying mail streams. A provider migration can keep authentication perfect and still lose inbox placement if the new path introduces:

• cold or different sending IPs
• a different shared pool with weaker reputation
• sudden volume spikes
• complaint handling gaps
• changed content wrapping, tracking, or unsubscribe behavior
• poor recipient targeting because engagement or suppression state did not move cleanly

That is why deliverability should be treated as an identity problem and a reputation problem at the same time.

Pre-migration inventory

Before changing DNS or sending production mail from the new platform, document what the current platform is doing in the real world.

Collect at least:

• each visible From: domain by mail stream
• each envelope sender or bounce domain
• each active DKIM signer d= and selector s=
• each public sending IP for IPv4 and IPv6
• the PTR hostname and forward-confirmation record for each sending IP
• whether click tracking, open tracking, or footer injection happens before or after signing
• whether unsubscribe headers and one-click unsubscribe are present where required
• whether feedback loops, complaint mailboxes, and suppression lists are platform-owned
• whether mailbox providers currently see separate traffic for transactional and marketing streams

If the sending estate is unclear, Building a sender inventory with DMARC reports is often the fastest way to identify who is still using the domain.

The migration plan that fails least often

1. Freeze identity changes that are not required

Do not change all of these at once unless there is no alternative:

• From: domains
• bounce domains
• DKIM selectors
• IP pools
• template structure
• tracking domains
• unsubscribe handling

The cleanest provider migration changes the platform first and keeps as much sender identity as possible stable.

2. Publish SPF for the new provider before traffic moves

During the overlap, the old and new providers usually both need to be authorized.

Example transition pattern:

v=spf1 include:_spf.old-esp.example.net include:_spf.new-esp.example.net -all

The exact syntax varies, but the operational point is fixed: the receiver has to be able to authenticate either legitimate path during the transition window.

RFC 7208 also warns that when SPF records change, the old policy should remain valid long enough for legitimate in-flight mail to be checked against the policy that existed when it was sent. So do not remove the old provider the moment the first new-platform test succeeds.

3. Publish DKIM for the new signer in advance

If the new provider hosts DKIM through CNAME delegation, publish and verify those records before any production ramp. If it expects TXT-based keys, publish those first and validate lookups from outside the provider dashboard.

Safer patterns are:

• use a new selector for the new platform
• keep the aligned signing domain the same if architecture allows it
• leave the old selector published through the full overlap window

Less safe patterns are:

• reusing an existing selector with a new key
• changing selector, signing domain, and message processing at the same time
• assuming provider UI status means public DNS is correct everywhere

For the selector side specifically, DKIM selectors and key rotation playbook covers the transition rules in more detail.

4. Confirm the new platform can pass DMARC by design

For each mail stream, answer these questions directly:

1. if SPF passes on the new path, which domain will pass?
2. does that domain align with the visible From: domain under the current aspf mode?
3. if DKIM passes on the new path, what d= domain will verify?
4. does that domain align with the visible From: domain under the current adkim mode?

Do not accept "the vendor supports SPF and DKIM" as proof that DMARC will pass. Alignment is the real test.

5. Preserve network identity on the new path

Google's guidance still expects valid forward and reverse DNS for sending domains or IPs. Before ramping traffic on any new IPs, verify:

• the public IP has a PTR record
• the PTR hostname resolves back to the same IP
• the new platform presents a sane EHLO or HELO identity
• outbound SMTP uses TLS as expected

If the provider migration also changes egress IPs, Gmail PTR / reverse DNS failures is the exact failure mode to keep in mind.

6. Move platform-specific controls before volume

This is where migrations often look done on paper but fail in production.

Before large-scale send, verify the new provider has:

• the correct suppression list state
• complaint and bounce handling wired correctly
• one-click unsubscribe headers for subscribed or marketing traffic where required
• the right tracking domains or branded links if those affect reputation or user trust
• any provider-specific feedback identifiers needed for complaint correlation
• seed-list, monitoring, and alerting coverage on the new path

Losing these controls does not always create immediate hard bounces. It often creates a slow reputation drop a few days later.

How to cut over without losing reputation

Start with the best recipients, not the full list

If the move changes IPs, pools, or mailbox-provider trust history, ramp to the most engaged segment first. Google's own guidance recommends increasing sending volume slowly and monitoring spam rate, delivery, and reputation signals as you go.

Good first traffic for the new provider is usually:

• low-volume transactional mail with strong user expectation
• internal or controlled recipient seed traffic
• highly engaged recent subscribers
• one stream whose headers and templates are easy to inspect closely

Bad first traffic is usually:

• old marketing lists
• mixed transactional and promotional content
• burst campaigns that jump straight to peak volume
• every stream at once

Keep the old platform alive during overlap

The overlap window is not waste. It is risk control.

Keep the old provider available while you watch:

• SMTP deferrals and rejects
• Authentication-Results on received test mail
• complaint rate and unsubscribe behavior
• DMARC aggregate reports
• Gmail Postmaster Tools signals if available
• Microsoft deliverability or reputation signals if available

If the new path degrades, the overlap gives you somewhere safe to reduce traffic without turning the project into a full outage.

Separate warm-up from authentication validation

These are related, but they are not the same task.

You can have:

• perfect SPF, DKIM, and DMARC with poor inbox placement because the new IP or pool is cold
• good sender reputation with broken DMARC because the new signer is misaligned

Track both dimensions explicitly. DMARC and sender domain warm-up and Shared IP vs dedicated IP for authenticated senders are the two supporting topics most relevant here.

Test messages you should inspect before each ramp step

For every representative template, confirm the receiving side shows the results you expected.

Example of a healthy result:

Authentication-Results: mx.example.net;
  spf=pass smtp.mailfrom=bounces.example.com;
  dkim=pass header.d=example.com header.s=esp202606;
  dmarc=pass header.from=example.com

Red flags include:

• spf=pass for a provider-owned domain that does not align
• dkim=pass for the wrong d= domain
• dkim=fail only on templates with tracking or footer injection
• dmarc=pass on one mailbox provider but not another because different identifiers are being relied on
• unsubscribe headers missing on the new path

If mailbox-provider results differ, Why DMARC passes at one provider and fails at another is the right troubleshooting model.

Failure patterns that show up after migration day

SPF passes but DMARC fails

The new provider is authorized, but the SPF-authenticated domain is not aligned with the visible From: domain.

DKIM verifies but DMARC fails

The new provider signs mail, but the d= domain is not the one DMARC needs for alignment.

DKIM fails only for some campaigns or templates

The new platform is modifying the message after signing, or the new tracking and footer behavior differs from the old path.

Inbox placement drops even though authentication passes

The new provider changed reputation inputs such as IP history, complaint handling, engagement quality, or send cadence.

Complaint handling breaks quietly

The migration missed provider-specific feedback loop, suppression, or unsubscribe plumbing. This often shows up as a reputation problem, not as an SMTP error.

The old provider is removed too early

Delayed queues, low-frequency automations, or forgotten integrations keep emitting mail from the old path after SPF and DKIM cleanup. The result is intermittent failure that looks random until inventory catches up.

A practical migration checklist

Use this as the go-live checklist.

1. inventory every active sender for the domain
2. document visible From:, bounce domain, DKIM d=, selector, and sending IPs for each stream
3. publish SPF authorization for the new provider before cutover
4. publish and verify DKIM records for the new provider before cutover
5. confirm the new provider can produce aligned DMARC passes on test mail
6. verify PTR, forward DNS, EHLO, and TLS on any new sending IPs
7. migrate unsubscribe, complaint, bounce, and suppression handling before scale
8. seed-test all representative templates and inspect Authentication-Results
9. start with a low-risk, engaged traffic slice
10. ramp gradually while watching spam, deferrals, and DMARC reports
11. keep the old provider authorized during the overlap window
12. remove old SPF includes only after no legitimate mail still uses the old path
13. retire old selectors only after old signed mail is no longer likely to be in transit

Bottom line

The safe way to move between ESPs or mailbox platforms is not to think of the project as a vendor swap. It is an identity-and-reputation migration where two sending paths need to coexist long enough for receivers to authenticate either one and for the new one to earn trust.

If the new provider is already authorized in SPF, already signing with an aligned DKIM domain, already preserving the visible sender identity, and already ramping volume in a controlled way before the old provider is removed, the migration is mostly an operational rollout. If those pieces are left for after cutover, the migration becomes a deliverability incident with a procurement backstory.