23 years from Stockholm
Operator notes · From the Stockholm desk

SMTP relay migration planning for growing teams

A technical editorial guide for teams evaluating infrastructure, delivery trade-offs and the operational boundary around this category.

Migrating an SMTP relay rarely shows up on a roadmap by itself. It happens because the current provider's pricing is untenable, because the old relay is bottlenecking delivery, because compliance demands it, or because what was acceptable a year ago is no longer working as the business has grown. Under any of those pressures, the migration itself tends to get scoped on the back of an envelope and executed in a weekend — which is exactly how avoidable outages happen. This article is the playbook for treating relay migration as the production-critical change it actually is, written for teams that want their email to keep flowing through and past the move without anyone outside the ops channel noticing.

Key takeaways

  • A relay migration touches every application that sends email, every domain that authenticates through the relay, and every recipient whose reputation scoring depends on IP continuity. Scope accordingly.
  • TTL strategy is the single lever that controls how fast you can safely flip traffic between the old and new relay. Set it right forty-eight hours early; everything else is downstream of that.
  • Parallel operation — running old and new relays simultaneously — is the pattern that makes zero-downtime migrations real. One-big-switch migrations should be the exception, not the default.
  • Authentication parity is where migrations usually silently fail. If the new relay's SPF is wrong or DKIM is signing with an unpublished key, deliverability degrades invisibly for days before anyone notices.
  • Post-migration monitoring matters as much as the cutover itself. The two weeks after the flip are when reputation drift or broken integrations reveal themselves; the team that is still watching catches them; the team that moved on does not.

What a relay migration actually involves

On the surface, migrating an SMTP relay looks simple: update some credentials in your applications, change an MX or submission hostname, and you are done. In practice, the change affects three layers simultaneously, each with its own failure modes.

The first layer is configuration. Every application that submits mail to the old relay has to learn about the new one. For a small team this might mean updating a single environment variable; for a growing team it usually means tracking down eight or twelve applications that nobody owns anymore, some with credentials hard-coded into configuration files dating back three years.

The second layer is network identity. The new relay sends from different IPs, often from different network ranges, often with different PTR records and HELO hostnames. Inbox providers will see a fundamentally different sender when the mail starts flowing through the new path. Your SPF records, your DKIM keys, and your DMARC alignment all have to account for that shift before any mail moves.

The third layer is reputation. The old relay's IPs had a reputation history that took months to build. The new relay's IPs either inherit something from previous use or start from zero. Either way, the inbox providers you send to will treat the new path as an unknown entity for some period of time, and that treatment is where avoidable deliverability damage happens if the migration is done carelessly. The underlying mechanics of how inbox providers track and score senders are covered in sender reputation fundamentals.

The right reasons to migrate, and the wrong ones

Before committing to the operational cost of a migration, the team should be explicit about what is driving it. The right reasons produce better outcomes; the wrong ones produce migrations that fail to solve the underlying problem because the problem was not actually relay-related.

Reasons teams consider relay migration, and how to evaluate them
TriggerIs a migration the right fix?What to check first
Delivery has degraded noticeablySometimes — depends on the causeIs the problem the relay, or list quality, or content, or authentication? Usually list quality first.
The current relay provider raised pricesOften yes — cost is a legitimate driverTotal cost including operational overhead of switching; 12-month TCO comparison
The current relay is hitting throughput limitsYes — capacity is a hard constraintWhether current provider has a higher tier before committing to a full migration
The current relay lacks a capability (BIMI, per-ISP tuning, dedicated IPs)Yes, if the capability is actually neededWhether the capability is on the current provider's roadmap
Compliance or contractual requirements mandate a changeYes — no discretionDocument the requirement so scope stays clean
The engineering team is unhappy with the current vendor's APISometimes — but secondaryWhether the dissatisfaction comes from capability gap or from not reading the docs
A new vendor offered a great discountUsually not — this is the weakest reasonWhether the current provider's problems justify the risk of moving
The team feels the current relay is "too simple"Almost never — status-seeking migrations fail oftenWhether there is a concrete capability gap or just a preference for more complex tooling

The pattern that catches teams: they are unhappy with deliverability, they blame the relay, they migrate, and the deliverability problem follows them to the new provider because the actual cause was list hygiene or content-driven complaints. Migration fixes infrastructure problems; it does not fix program problems. Identifying which category the actual issue falls into is the first job, and it should happen before migration planning begins.

Taking inventory before anything moves

The single most overlooked step in a relay migration is the pre-migration inventory. Teams assume they know what sends through the current relay; teams are reliably wrong about this. The inventory discovers services nobody has touched in three years, hardcoded credentials in forgotten repositories, and integrations that were set up by people who have since left. Finding these during planning is cheap; finding them during cutover is expensive.

The inventory that actually catches things

  1. Query the current relay's logs for a full month. Extract unique authentication credentials, source IPs, sending domains, and sample From addresses. Every credential is a sender; every sender is a thing that needs to know about the new relay.
  2. Map each credential to an owning application or team. Some will be obvious. Some will require detective work. Any credential that cannot be traced to a known sender is either an abandoned service or a compromised credential — both need investigation, not migration.
  3. Catalog every sending domain and its current DNS records. SPF includes, DKIM selectors, DMARC policies, MX records for reply handling. Each is a thing that has to be checked and possibly updated as part of the migration.
  4. Measure current volumes per application. Peak daily, typical daily, burst patterns. This informs how you warm up the new relay's IPs and how much dual-running capacity you need.
  5. Document every authentication method in use. SMTP AUTH with username/password, IP-based allowlisting, mTLS, API keys for vendor-specific variants. Each method has to be supported by the new relay or explicitly migrated to a different method.
  6. Identify legacy and third-party senders that depend on the relay. Scanners, ERP systems, billing platforms, monitoring tools, vendor integrations. These are the ones that nobody wants to touch, and they are the ones most likely to break during cutover.
The credentials audit almost always surfaces surprises In every migration we have seen, the credential audit reveals at least one credential that nobody recognizes, at least one service sending unexpectedly high volumes, and at least one integration from a vendor relationship that ended six months ago. Deal with these findings before the migration starts; dragging them into the new relay is how problems get carried forward.

The five-phase plan that avoids surprises

A relay migration runs cleanly when it follows a predictable phase structure with explicit exit criteria at each phase. Phases that bleed into each other produce the kind of confusion where nobody is sure whether something has been done or not.

The five phases of a zero-downtime relay migration
PhaseDurationWhat happensExit criteria
1. Planning and inventory1-2 weeksFull inventory; test account on new relay; documented scopeAll senders catalogued; new relay test account verified; go/no-go signed off
2. New relay provisioning1-2 weeksIPs assigned, authentication keys generated, SPF includes identified, new DNS records pre-publishedNew DNS records live (but not yet active for mail); test sends from new relay verified
3. IP warmup (if dedicated)4-6 weeksGradually send real traffic through new relay, ramping by volume and recipient engagement — see designing an IP warmup scheduleNew IPs have established reputation; placement metrics match baseline
4. Parallel operation and cutover1-2 weeksOld and new relays both active; traffic progressively shifted; final MX cutover>95% of traffic on new relay with acceptable delivery metrics
5. Decommissioning and verification2-4 weeksOld relay capacity reduced; straggler traffic monitored; final sunset when cleanOld relay sees no traffic for 7+ days; confirmed archived; billing stopped

The total runway for a properly executed migration is thus eight to sixteen weeks. Teams that compress this to two weeks usually make it work, but they trade deliverability risk for calendar speed. Teams that try to do it in a weekend produce exactly the kind of migration that generates support tickets for months afterward.

Who owns each phase

Phase ownership matters because migrations touch multiple teams and the handoff points are where things slip. The operations team typically owns Phases 2, 4, and 5. Application teams own their own updates in Phase 4. Deliverability owns Phase 3 (and participates in Phase 4). Security should review Phases 1 and 2 for credential handling. Product and support should know Phase 4 is happening so they can connect dashboard dips to a known cause rather than investigating as an incident.

TTL strategy: the timing layer that controls everything

DNS caches everywhere between your authoritative servers and the recipients that deliver to your domains. The TTL value on each record determines how long those caches are valid, and consequently how long a DNS change takes to propagate globally. For a migration, TTL strategy is the lever that lets you move traffic quickly when everything goes right and recover quickly if something goes wrong.

A staged TTL reduction for MX and related records
TimingTTL to setWhy this step exists
7 days before cutover3600 seconds (1 hour)If your current TTL is 86400, drop to 3600 early enough that the old TTL fully expires globally
48 hours before cutover300 seconds (5 minutes)Minimum practical TTL for cutover day; wait one full hour after this to ensure propagation
Cutover day300 secondsChanges to MX records now propagate in ~5 minutes worldwide
72 hours post-cutover3600 secondsReturn to production TTL; reduces DNS lookup overhead and improves cache effectiveness
Week 2 post-cutover86400 seconds (24 hours)Back to long-horizon TTL once everything is stable

The common mistake: lowering TTL on cutover day itself. Resolvers that had already cached the old TTL value will respect that TTL before they even learn about the new lower value. A TTL change ten minutes before a DNS cutover gives you none of the control you thought you had. The change has to be in place for at least the old TTL duration before you get fast propagation on subsequent changes.

dig verification# Before lowering TTL — verify current value
dig +noall +answer MX example.com
# example.com. 3600 IN MX 10 relay-old.example.com.

# After lowering TTL to 300 — confirm authoritative returns 300
dig +noall +answer @ns1.yourdns.com MX example.com
# example.com. 300 IN MX 10 relay-old.example.com.

# Check multiple resolvers to confirm propagation
for ns in 8.8.8.8 1.1.1.1 9.9.9.9 208.67.222.222; do
  echo "=== $ns ==="
  dig +noall +answer @$ns MX example.com
done
Negative caching matters too If you have an NXDOMAIN result cached anywhere (from an accidentally-deleted record, say), the negative result persists per RFC 2308 for the SOA minimum TTL. This is the value in the SOA record, and it usually defaults to something like 3600 or higher. If you are migrating, consider lowering the SOA negative-caching TTL early too; otherwise, temporary gaps in your zone during cutover can cache globally for an hour or more.

Running old and new in parallel

The cleanest relay migrations run both the old and new relays simultaneously during the cutover window. This eliminates the big-bang failure mode where everything flips at once and nobody knows which piece broke. Parallel operation lets you move traffic progressively and observe each step.

Three patterns for parallel operation

How to route traffic during the parallel phase
PatternHow it worksWhen it fits
Credential-based splitSome applications use new relay credentials; others still use oldWhen different applications can be migrated on different schedules
Percentage split via DNSMX records point to both relays with different preferences; weighted rollout via toolsWhen you want a gradual percentage shift with ability to adjust
Workload-based splitTransactional goes through new relay first; marketing stays on old; reversed laterWhen workloads have different risk profiles for a migration-related disruption

The credential-based split is usually the easiest to reason about and the safest to roll back. Each application's cutover is a single deployment of new SMTP credentials; if something goes wrong with a specific application, you revert that one application without affecting others. This is the pattern that almost always works for relay migrations of any complexity.

The progressive migration sequence

  1. Week 1: lowest-stakes internal senders. Cron jobs, internal reports, monitoring alerts. If anything breaks, you have time to fix without customer impact.
  2. Week 2: high-volume but forgiving workloads. Marketing sends go through the new relay. Volume builds new relay reputation; failures are recoverable.
  3. Week 3: transactional mail. Password resets, receipts, notifications. Moved after the new relay has proven itself on lower-stakes traffic.
  4. Week 4: legacy and third-party integrations. ERP, billing systems, scanners. These are the hardest to move and benefit most from a thoroughly validated new relay by this point.

Authentication parity: SPF, DKIM, DMARC on the new relay

Authentication is where migrations silently fail. The mail keeps flowing, the logs show 250-OK on outbound, and deliverability slowly degrades because SPF doesn't include the new relay's IPs, or DKIM is signing with a selector that isn't published, or DMARC alignment is breaking in a way the team doesn't notice until someone reports that Gmail is sending everything to spam.

The parity checklist for every sending domain

DNS parity per sending domain# --- Before migration: current SPF (old relay only) ---
example.com.  IN  TXT  "v=spf1 include:spf.oldrelay.com ~all"

# --- During parallel phase: SPF authorizes BOTH relays ---
example.com.  IN  TXT  "v=spf1 include:spf.oldrelay.com include:spf.newrelay.com ~all"

# --- Post-migration: SPF authorizes NEW relay only ---
example.com.  IN  TXT  "v=spf1 include:spf.newrelay.com ~all"

# --- DKIM: new selector published BEFORE new relay starts signing ---
ahk2022._domainkey.example.com.  IN  CNAME  ahk2022.dkim.newrelay.com.

# --- DMARC: tighten only AFTER parity is verified ---
_dmarc.example.com.  IN  TXT  "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
# Observation mode during migration
# Tighten to p=quarantine only after 14+ days of clean aggregate reports

The four authentication questions to answer for every domain

Does the new SPF include cover the new relay?
Not just the relay's public IPs but its provider's SPF include mechanism. Most major relays publish an SPF include that updates automatically when their infrastructure changes — use that, not hardcoded IPs.
Is the new DKIM selector published and signing correctly?
Publish the selector record in DNS before the new relay starts signing. Verify with a test send that the DKIM signature validates; a signed-but-unpublished message fails verification and hurts deliverability.
Does the DMARC alignment still work?
DMARC requires SPF or DKIM alignment between the From domain and the authenticated domain. A new relay sending as noreply@example.com still needs its SPF pass or DKIM signature to be on the example.com domain, not the relay's domain.
Have you left DMARC at p=none during the transition?
DMARC enforcement policy should be at p=none during migration. Aggregate reports during the parallel phase show whether alignment is working; only tighten to p=quarantine after multiple clean reporting days.

The operational cost of getting authentication parity wrong is significant: degraded inbox placement that takes weeks to recover, spam folder placement for some recipients, DMARC failures showing up in aggregate reports that should have been clean. The cost of getting it right is a couple of hours per domain of careful DNS editing and a verification pass with a test send. The tradeoff is strictly in favor of taking the time. For the deeper treatment of how to keep authentication coordinated across multiple domains — which is exactly what a migration across an organization's sending surface requires — see authentication alignment and policy review for multi-domain senders.

Cutover day: the choreography

Even with weeks of careful preparation, cutover day has its own rhythm. A run-book that handles the sequence and the verification steps is the difference between a smooth flip and a scramble. Below is the choreography that works.

  1. T minus 2 hours: team assembly. Ops team, deliverability, at least one representative from each application team with a stake. On a call or in a chat room that stays open for the full window.
  2. T minus 1 hour: final verification. New relay is receiving test sends successfully. Authentication is green on the new relay per all test domains. Current traffic through the old relay is nominal.
  3. T minus 30 minutes: traffic freeze on non-critical senders. Pause scheduled campaigns, batch jobs, anything that can be delayed briefly. This reduces the cutover blast radius.
  4. T=0: primary DNS change. Update MX and relay-pointing records to new relay. With 300-second TTL, global propagation takes 5-15 minutes.
  5. T+5 min: verification wave. Test sends from multiple external senders to domains you control. Confirm mail routes through new relay. Check authentication headers.
  6. T+15 min: application cutover. Applications that hold credentials for the old relay switch to new relay credentials. Staged deploys by application team.
  7. T+30 min: resume scheduled traffic. Campaigns, batch jobs, monitoring alerts resume their normal schedule through the new relay.
  8. T+1 hour: first health check. Delivery rate, bounce rate, deferral rate, authentication pass rate, old relay traffic volume. Any of these off-baseline triggers investigation.
  9. T+4 hours: secondary health check. Same metrics; also check Google Postmaster Tools and Microsoft SNDS for early signals.
  10. T+24 hours: first real assessment. The daily-cadence metrics have had time to move. If everything is green, the cutover is considered successful and the team can stand down from active monitoring.

Verification that goes beyond "seems fine"

The single most common post-migration claim is "it seems to be working." The single most common follow-up three weeks later is "actually there was a problem we didn't notice." Thorough verification closes this gap by checking each layer explicitly rather than relying on the absence of complaints.

Verification matrix — what to check after cutover
LayerCheckHow
SubmissionApplications can authenticate against new relayTest send from each application; verify 250 responses in application logs
TransportNew relay is actually delivering, not just acceptingSend to seed list; verify delivery on the recipient side
DNS propagationMX records point to new relay everywheredig against 4-6 geographically distributed resolvers
SPF alignmentSPF passes for mail from new relayInspect received message headers: Authentication-Results: spf=pass
DKIM signingDKIM signature validates with published selectorInspect message headers: dkim=pass for each signing domain
DMARC alignmentDMARC passes for each sending domaindmarc=pass in headers; first aggregate report after cutover confirms
TLSTLS negotiated on outbound connectionsCheck received headers; confirm no downgrade to unencrypted — see TLS for SMTP
Reply routingReplies still reach the right inboxesSend a reply from external test; verify it arrives where it should
ReputationNew relay IPs haven't started poorly at providersGPT and SNDS dashboards; blocklist checks against Spamhaus family
Application behaviorApplications don't have latent assumptions about relay behaviorError log review; watch for timeouts, connection refused, TLS errors

Rollback: planning for the worst responsibly

Every good migration plan includes a rollback plan, and every good team hopes never to use it. The rollback is the safety net that makes risk-taking during the migration acceptable. Having it documented and rehearsed before the cutover — not improvised during an incident — is what separates teams that recover quickly from teams that extend an outage through uncertainty.

The three rollback tiers

  1. Partial rollback: revert a single application. If a specific application is failing after cutover, revert only that application's credentials to the old relay. The rest of the migration continues. Fast and low-impact; this is the right response to ~70% of post-migration issues.
  2. DNS-level rollback: revert MX records. If the broader cutover is producing unacceptable delivery problems, revert MX records to the old relay. With 300-second TTL in place, this propagates in minutes. Requires the old relay to still be operational, which is why Phase 5 decommissioning is the last phase.
  3. Full rollback: all traffic back on old relay. Both DNS and application credentials revert. The migration is paused. Root cause investigation happens while service is stable on the old path; a second cutover attempt is scheduled after findings are addressed.
The mistake that makes rollback impossible Decommissioning the old relay too quickly eliminates the rollback option. The cheapest insurance in a migration is keeping the old relay alive for at least two weeks after cutover. If everything goes well, the cost is two weeks of extra subscription; if something goes wrong, you avoid a multi-hour rebuild of infrastructure you just dismantled. Keep the old relay alive until you are confident the new one is stable under real load.

Post-migration: the two weeks that matter

The cutover is not the end of the migration. The two weeks after are when latent issues surface: reputation drift from the new IPs not quite matching the old ones, integrations that were broken for days before anyone noticed, DMARC aggregate reports showing unexpected sources, deliverability dips at specific providers that didn't show up immediately. The team that stays engaged during this period catches these things; the team that moves on to the next project discovers them later when the cost is higher.

The daily check for the first ten days

Post-cutover reputation curve — what a healthy migration looks like Post-cutover reputation signals — a healthy migration has boring data Green = baseline; yellow = investigate; red = escalate. Two weeks of daily checks. D1 D3 D5 D7 D9 D11 D14 Delivery rate Spam rate Bounce rate Domain reputation Cutover
A healthy migration produces a mostly-flat chart: delivery and spam rate hold steady, bounce rate normalizes within a day or two, and reputation builds quietly over the first week. A spike in any line is the signal to investigate.

If any of these metrics deviate from baseline by more than a small amount, the team investigates before the trend consolidates. A one-day spike in spam rate might be noise; three days of elevated spam rate is a reputation event in progress. The daily cadence catches the difference; the weekly-only cadence does not.

What to decommission, and when

Week 1 post-cutover: nothing. Keep the old relay fully operational; it is your rollback option.

Week 2 post-cutover: if all metrics are stable, stop sending test traffic to the old relay but keep the subscription active. Verify the old relay has seen no production mail for seven consecutive days.

Week 3 post-cutover: contact the old relay vendor and schedule the account closure. Most vendors have a notice period; align the closure date with your current billing cycle.

Week 4 post-cutover: old relay account closed. Archive any accounting logs you need to retain. Remove the old relay's SPF include from all your domains. Update documentation to remove references to the old relay. Final state verified; migration officially complete.

Frequently asked questions

How long should the whole migration take?

Eight to sixteen weeks is the realistic range for a mid-sized deployment. Compressed schedules (four to six weeks) are possible if the team is experienced and the current relay is a pure pain point. Under four weeks is not responsible for production workloads.

Do we need to warm up the new relay's IPs if the current relay also used shared IPs?

If the new relay uses shared IPs with an established reputation, you skip most of the IP warmup. If the new relay assigns you dedicated IPs, you need the full four-to-eight week warmup for those IPs regardless of what the old relay was using.

Should we change our sending domain during the migration?

No. Change one variable at a time. If the migration goes wrong, you want the ability to diagnose whether the issue is with the new relay or with your domain reputation, and changing both at once makes that diagnosis impossible.

What if an application's owner is unavailable during the migration window?

Don't migrate that application. Wait for the owner. A forced migration of an ownerless application is how previously-working integrations break, and the breakage is invisible until someone notices missing mail weeks later.

How do we handle an application that's on a vendor's managed platform and can't be migrated to our new relay?

Two options: either accept that the application will continue using the vendor's email service (and document that fact so it doesn't create confusion during future audits), or negotiate with the vendor to add support for custom SMTP credentials. Most major vendors support this; smaller vendors sometimes do not.

Should we migrate during a freeze period (end of year, major release, etc.)?

No. Change freeze periods exist for a reason. Schedule the migration for a period when the surrounding business environment is stable and the team has bandwidth to respond to issues.

What if we need to migrate urgently (security incident, vendor breach, etc.)?

Emergency migrations do happen. The compressed version of this process: skip the warmup phase (accept some deliverability risk), compress the parallel phase to 48 hours, use heavily shortened TTLs, and plan for a week of active firefighting post-cutover. The normal process is strictly better; the emergency version is what you do when the choice is between imperfect migration and ongoing risk exposure.

Closing perspective

A relay migration is change management more than it is engineering work. The technical steps — updating DNS, rotating credentials, verifying authentication — are individually straightforward. What makes migrations succeed or fail is whether the team treats them as production changes with the discipline that applies to other production changes: inventory, planning, staged rollout, active monitoring, rollback planning, post-mortem review. Teams that apply that discipline have uneventful migrations. Teams that don't have interesting ones, and interesting is the wrong adjective for anything that touches customer-facing email delivery.

The economic case for doing this carefully is worth restating. A weekend migration that goes wrong costs multiple weeks of engineering time to recover from, plus whatever deliverability damage accrues during the recovery window. A planned eight-to-sixteen week migration costs several engineer-weeks across its duration but produces a clean outcome with no lingering issues. The first path looks faster on paper; the second is almost always faster in total.

There is also an organizational angle. Migrations that go well build institutional confidence and documentation that pays off on future changes. Migrations that go poorly produce the opposite: team distrust of the infrastructure, reluctance to change anything else, and patterns of working-around-the-migration-scars that compound over time. The investment in doing the first migration well pays for itself across the next several.

For teams starting their first relay migration, the shortest honest advice is: start the inventory this week, whether or not you've decided to migrate. Knowing what sends through your current relay is useful regardless of whether you change providers. If the inventory reveals something surprising, you have time to address it. If it confirms everything is as expected, you have a clean starting point for the migration plan. The inventory is the one step that never gets wasted, and it is the one step that most teams skip.