Self‑Hosted Email Migration Playbook: Leave Gmail Without Losing Deliverability
Practical playbook to move off Gmail: set up Postfix/Dovecot, publish SPF/DKIM/DMARC, and maintain deliverability after Google's 2025 changes.
Hook: Leave Gmail — keep inboxes working and reputations intact
If you are an admin planning to move users off Gmail after Google's late‑2025 policy changes, your top concern shouldn't be user resistance — it's deliverability. Nothing kills adoption faster than lost email, blacklists, or months of repair work. This playbook gives a practical, step‑by‑step migration path: set up Postfix and Dovecot, lock down DNS and TLS, create robust SPF/DKIM/DMARC, and run the warm‑up and monitoring processes that protect your sending reputation in 2026.
What changed in 2025–2026 and why it matters
Late 2025 and early 2026 brought two trends that directly affect self‑hosted email:
- Google tightened authentication and anti‑abuse heuristics and expanded automated interventions for unauthenticated or low‑reputation senders. Many organizations found previously reliable Gmail delivery degraded.
- Receivers increasingly rely on telemetry and reporting (Gmail Postmaster, MTA‑STS, TLS‑RPT, DMARC aggregate/forensic data) — so you must publish and consume reports to detect problems early.
Put simply: technical correctness plus operational telemetry equals deliverability. This playbook focuses on both.
Quick migration checklist (start here)
- Choose infrastructure: VPS with static IPv4, correct rDNS, and non‑shared IPs for mail sending.
- Provision TLS certificates (Let's Encrypt / acme.sh) and ensure automation.
- Install Postfix (MTA) and Dovecot (IMAP/LMTP) and secure submission ports.
- Generate DKIM keys and publish SPF, DKIM, DMARC DNS records.
- Sync mailboxes with imapsync; keep Gmail accounts intact until cutover.
- Warm up IP and domain; monitor Postmaster Tools, SNDS, and logs.
- Enable MTA‑STS and TLS‑RPT, and subscribe to feedback loops where available.
Step 1 — Choose the right host and IP strategy
Deliverability often starts before your MTA accepts the first message. Use a trustworthy VPS provider with:
- Static IPv4 (and IPv6 if supported).
- Control over reverse DNS (PTR) so you can set rDNS to your mail hostname.
- Clean IP history — avoid previously blacklisted ranges.
- Ability to request dedicated IPs for high‑volume sending.
Residential or consumer connections will be blocked on port 25 and are poor choices. Configure your provider rDNS to match your SMTP HELO/EHLO banner exactly — e.g. mail.example.com.
Why PTR and HELO must match
Many major receivers compare the sending IP's PTR with the EHLO/HELO name and the certificate CN/SAN. A mismatch raises spam flags. Set them consistently:
PTR: 203.0.113.45 -> mail.example.com
EHLO/HELO: mail.example.com
TLS cert CN/SAN: mail.example.com
Step 2 — Install and secure Postfix + Dovecot
This section assumes Debian/Ubuntu; adapt package commands for RHEL/CentOS or Alpine.
Postfix essentials
Install and basic config:
apt update && apt install postfix postfix-pcre opendkim opendkim-tools postfix-policyd-spf-python -y
Minimal main.cf additions (key items):
# main.cf excerpts
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_recipient_domain, reject_non_fqdn_recipient
# DKIM milter
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
Open submission port and enforce auth:
# master.cf snippet
submission inet n - y - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
Dovecot essentials
Install and configure for SASL and IMAP/LMTP delivery:
apt install dovecot-imapd dovecot-pop3d dovecot-lmtpd -y
Important dovecot.conf fragments:
# auth
auth_mechanisms = plain login
!include auth-system.conf.ext
# listen on localhost and 127.0.0.1 and external interface
listen = *
# SSL
ssl = required
ssl_cert = Step 3 — DKIM: sign outbound mail
Use OpenDKIM. Generate a selector-key and publish the public DKIM TXT record. Example:
mkdir -p /etc/opendkim/keys/example.com
cd /etc/opendkim/keys/example.com
opendkim-genkey -s default -d example.com
chown opendkim:opendkim default.private
# default.txt contains the DNS entry
DNS record (example truncated for readability):
default._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkq..."
OpenDKIM config snippets to wire into Postfix:
/etc/opendkim.conf
Domain example.com
KeyFile /etc/opendkim/keys/example.com/default.private
Selector default
Socket inet:8891@localhost
Canonicalization relaxed/simple
Mode sv
PidFile /var/run/opendkim/opendkim.pid
UserID opendkim
Step 4 — SPF and DMARC: DNS policies
SPF is a first line of defense. Keep it tight and include sending services. Example SPF record for a single MTA:
example.com. IN TXT "v=spf1 ip4:203.0.113.45 -all"
If you still send via Google Workspace, marketing platforms, or other SaaS, include their mechanisms instead of listing raw IPs. Use ~all (soft fail) during testing, then switch to -all after validation.
DMARC
Start with monitor mode and collect reports:
_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-agg@example.com; ruf=mailto:dmarc-forensic@example.com; pct=100; fo=1"
After successful warm‑up and stable auth signals, escalate policy to quarantine or reject.
Step 5 — MTA‑STS and TLS‑RPT (2026 expectation)
Receivers and senders now expect active TLS policies. Publish an MTA‑STS and TLS‑RPT policy and TLS‑RPT endpoint to surface TLS configuration issues.
# MTA-STS policy (hosted at https://mta-sts.example.com/.well-known/mta-sts.txt)
v=STSv1
mode: enforce
max_age: 604800
mx: mail.example.com
DNS for MTA‑STS policy discovery:
_mta-sts.example.com. IN TXT "v=STSv1; id=20260118"
_tlsrpt.example.com. IN TXT "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"
Step 6 — Mailbox migration strategy
Keep Gmail accounts active until the new service has demonstrated reliable inbox delivery. Use imapsync to mirror mailboxes. Example imapsync command:
imapsync --host1 imap.gmail.com --user1 user@gmail.com --password1 'app_password' \
--host2 mail.example.com --user2 user@example.com --password2 'newpass' \
--ssl1 --ssl2 --allowsizemismatch --syncinternaldates
Tips:
- Create a parallel address alias or forwarder during a staged migration.
- Keep Gmail forwarders active for 30–90 days to catch misconfigured senders.
- Inform users about SMTP credentials and update client settings (IMAP/SMTP, ports 993/587, TLS required).
Step 7 — Warm up sending reputation
Cold IPs and domains require gradual increase. A simple plan:
- Days 1–7: Send low volume (10–50 emails/day) to engaged users only.
- Days 8–30: Gradually increase by 10–20% daily while monitoring bounces and spam reports.
- After 30 days: Reach intended volume if complaint rates <0.1% and bounce rates low.
Keep sending from consistent envelopes and From addresses. Avoid changing DKIM selectors, HELO, or rDNS during warm‑up.
Step 8 — Monitoring, telemetry and feedback loops
Set up these services immediately:
- Gmail Postmaster Tools — verifies domain and shows spam rates, IP reputation, and authentication results.
- Microsoft SNDS and Smart Network Data — for Outlook/Hotmail performance metrics.
- DMARC aggregate reports (RUA) — parse with tools like opendmarc or commercial parsers.
- Monitor logs and bounce patterns with a central log aggregator (Elastic, Grafana Loki) and alert on spikes.
Subscribe to abuse feedback loops where possible and create automated suppression lists for addresses that complain or bounce repeatedly.
Advanced hardening and policies
- Enforce submission auth: block port 25 for unauthenticated submission; use 587/465 with TLS and SASL.
- Rate limiting and greylisting: protect against abuse but be careful — greylisting can delay mail and upset users. Consider per‑tenant rate limits.
- Anti‑malware/antispam: implement SpamAssassin/Rspamd + ClamAV or commercial AV and tune whitelist/blacklist rules.
- Backups: daily mailbox backups, export policies, and automated restore tests.
Testing deliverability (practical commands and tools)
Before cutover, run these checks:
- SPF record check: dig TXT example.com and verify v=spf1 entry.
- DKIM test: send to a mail‑tester address or check headers from external mailboxes.
- DMARC reporting: validate _dmarc TXT with online validators or local tools.
- SMTP TLS test: use openssl s_client -starttls smtp -crlf -connect mail.example.com:587 to verify certificate chain and SNI.
- Mail server outreach: mail‑tester.com, MXToolbox, and checktls.com for in‑depth analysis.
Common pitfalls and how to avoid them
- Publishing DKIM with wrong prefixes or quoting errors — use the TXT output file from keygen directly.
- Setting SPF to include too many mechanisms or using +all — tighten scope and prefer ip4/ip6 listings or explicit includes.
- Not monitoring DMARC RUA — you will miss early failures from bulk forwarders or misconfigured services.
- Using recycled/shared IPs that have poor histories — reputation rebuild takes months.
- Mismatched TLS certificate names, PTR, and EHLO — make them identical to avoid receiver heuristics lowering your score.
Deliverability is not a one‑time task. It’s continuous operations: configuration, monitoring, and gradual adjustment based on receiver feedback.
Case study: 200 users migrated in 60 days (summary)
From a recent migration performed in late 2025, we moved 200 users from Gmail to a self‑hosted Postfix/Dovecot cluster on two VPS nodes with a failover MX. Key takeaways from that run:
- Starting in monitor mode for DMARC caught a misconfigured third‑party newsletter provider that was sending unauthenticated mail.
- Careful DNS record rollout and a 6‑week warm‑up period avoided inbox placement issues with Gmail and Outlook.
- Postmaster Tools diagnostics were critical — they diagnosed a high rate of authentication failures due to an expired DKIM selector during a key rotation.
Actionable takeaways (do these next)
- Immediately: verify rDNS and TLS cert CN match your mail hostname.
- Within 24 hours: publish SPF (soft mode) and a monitoring DMARC (p=none) to start receiving reports.
- Within 72 hours: generate DKIM keys, publish the public key, and enable OpenDKIM signing on Postfix.
- Before cutover: run imapsync dry runs and validate mailbox integrity with user sampling.
- Post‑cutover week 1: watch Gmail Postmaster and SNDS hourly; apply suppression and adjust warm‑up rates as required.
Future predictions (2026+): what to expect
In 2026, expect receivers to raise the bar further: stronger emphasis on telemetry consumption (TLS‑RPT, DMARC aggregated telemetry), more automated quarantines for unauthenticated senders, and increased importance of long‑term sending history. Investing in observability, automated rotating DKIM keys, and dedicated reputation IPs will become standard practice.
Final checklist before flip
- rDNS, EHLO, cert CN match
- SPF, DKIM (signed), DMARC (monitoring)
- MTA‑STS and TLS‑RPT configured
- Imapsync completed and verified for a subset of users
- Warm‑up plan in place with suppression lists and feedback loop consumers
- Monitoring dashboards and alerts for bounces, reject rates and auth failures
Call to action
If you’re preparing a migration, start with the checklist above and test one domain and a small set of users first. Need a review of your Postfix/Dovecot configuration, DKIM key setup, or warm‑up plan? Contact our engineers for a practical, hands‑on audit tailored to your environment — protect your domain reputation before you switch mail flows.
Related Reading
- Cloud Native Observability: Architectures for Hybrid Cloud and Edge in 2026
- Beyond Restore: Building Trustworthy Cloud Recovery UX for End Users in 2026
- Security Deep Dive: Zero Trust, Homomorphic Encryption, and Access Governance for Cloud Storage (2026 Toolkit)
- Outage-Ready: A Small Business Playbook for Cloud and Social Platform Failures
- A Practical Guide to Evaluating Creative Roadmaps: Lessons from the New Filoni‑Era Star Wars Slate
- Packing Tech for Long Trips: Essentials for Remote Workers and Commuters
- Designing Micro-Gyms for Urban Buildings: A 2026 Playbook for Landlords and Operators
- Road Trip Comfort Kit: Hot‑Water Bottles, Rechargeable Warmers and In‑Car Cozy Hacks
- Enterprise AI Readiness Checklist for Trading Firms: Lessons from Salesforce Research
Related Topics
selfhosting
Contributor
Senior editor and content strategist. Writing about technology, design, and the future of digital media. Follow along for deep dives into the industry's moving parts.
Up Next
More stories handpicked for you
Combating AI-Powered Disinformation: Tools for Self-Hosted Solutions
News: Self-Hosters Embrace Compute-Adjacent Caching — Migration Playbooks Go Mainstream
