If Gmail Policy Forces You to Move: A Tech Admin's Migration Checklist

If Gmail Policy Forces You to Move: A Tech Admin's Migration Checklist

Hook: If a change in Gmail policy—or the new AI/data-sharing defaults rolled out in late 2025—has put your organization on the clock to move email providers, you need a practical, verifiable migration playbook that protects users, preserves compliance, and avoids lost messages or broken integrations.

This checklist is built for tech leads and IT admins charged with orchestrating an urgent Gmail migration. It focuses on the highest-risk items: aliases, forwarding, SSO, large attachments, and maintaining immutable audit trails. Use it as an operational runbook and adapt the timeboxes to your org size and compliance requirements.

Why act now (2026 context)

Late 2025 and early 2026 saw major mailbox-provider changes: broader AI integrations into consumer and enterprise inboxes, new default data-access settings, and heightened regulatory scrutiny in the EU and the U.S. (Forbes and others covered Google’s January 2026 policy updates). For regulated environments (GDPR, HIPAA, financial services), these shifts increased risk and accelerated migrations to privacy- and compliance-first providers like those that publish explicit non-training commitments; see notes on privacy-first AI controls when evaluating vendors.

“You can now change your primary Gmail address” — a 2026 policy change that created urgency for many orgs to reassess residency, access, and export controls.

Executive checklist — what to deliver in the first 30 days

• Perform a discovery of user accounts, aliases, and delivery routes.
• Export data (mail, contacts, labels/labels metadata) and verify checksums.
• Choose a destination platform that supports compliance needs and resumable uploads — and read up on resilient backend patterns for presigned-URL and resumable flows when designing your file pipeline (edge backend patterns).
• Implement parallel delivery or dual delivery for cutover safety.
• Define SSO/SCIM plan and test SAML/OIDC integration with at least five pilot users.
• Put legal holds and eDiscovery exports in place for in-scope custodians.

Primary risks to mitigate immediately

• Missing aliases and catch-all addresses causing lost mail.
• Broken automated flows (CRMs, ticketing, CI/CD hooks) that rely on old SMTP settings — see guidance on handling mass email provider changes without breaking automation.
• Large attachments that exceed the new provider’s size or retention policies.
• SSO misconfiguration that locks out users during cutover.
• Insufficient audit trail or failure to preserve headers and metadata — consider operational provenance best practices (operationalizing provenance) when you design chain-of-custody storage.

Detailed migration checklist (step-by-step)

1) Discovery & inventory (Day 0–3)

Start by building a single source-of-truth inventory for each user and system account.

• Export a CSV of all accounts, aliases, groups, delegates, forwarding rules, and domain-level routing—use Workspace admin APIs or enterprise export tools.
• Identify service accounts and mailing-list addresses used by systems (e.g., no-reply@, alerts@).
• Classify accounts by sensitivity: regulated, executive, service, developer, general staff.
• Detect 3rd-party services that use email-based login or 2FA; produce a list for communications.

2) Data export & preservation (Day 1–10)

Your migration will be judged by how well you preserved message fidelity and metadata.

• For Google Workspace customers: use Google Vault/eDiscovery exports where applicable. For consumer accounts, use Google Takeout or admin-assisted exports.
• Export mailboxes as MBOX (or your destination format). Include labels, folder structure, and message headers. Verify that Message-ID, Received headers, timestamps, and DKIM signatures are preserved.
• Calculate and record checksums (SHA256) for each mailbox export. Store checksums with the export manifest.
• Keep immutable copies in cold storage (WORM if required by regulation). Add retention metadata and chain-of-custody logs — see provenance design notes for tamper-evident manifests (operational provenance).

Practical export commands and tips

Tools you’ll commonly use:

• imapsync — reliable for user-by-user IMAP migrations.
• rclone — useful for attachments or cloud object migrations to S3-compatible stores and for feeding presigned-URL backends designed with resumability in mind.
• Google Vault / Data Export — mandatory for legal holds and for Workspace-based compliance exports.

imapsync --host1 imap.gmail.com --user1 user@gmail.com --password1 'app-password' \
         --host2 imap.newhost.com --user2 user@newdomain.com --password2 'newpass' \
         --syncinternaldates --uidexpunge --addheader
  

Notes: Use per-user app passwords or OAuth where possible; avoid plain-account passwords. Always run a dry-run first and sample-check mailbox counts and folder sizes.

3) Aliases, plus-addressing, and forwarding rules (Day 2–12)

Aliases are a frequent source of lost mail after cutover.

• Map every alias to the canonical new address. Include SMTP envelope addresses if your destination honors separate Return-Path handling.
• If you use plus-addressing (user+tag@gmail.com), confirm destination provider supports it; if not, create equivalent alias rules or transform inbound addresses at the MTA/proxy layer.
• For domain-level catch-alls, replicate the behavior with explicit alias expansions or wildcard routing in the new MX setup. Be careful of domain hijack risks and check expiration/reseller status for your sending domains (domain-reselling scams can complicate DNS recovery).
• Export forwarding rules per user and either recreate them on the destination or implement domain-level forwarding while preserving copies in Gmail during dual delivery.

4) Dual delivery and MX transition (Day 5–25)

Never flip MX records without a fallback; use dual delivery to eliminate single-point failure.

• Configure dual delivery on Google Workspace (route inbound mail to both Google and the new provider) or set up the new provider to mirror messages while Google continues to receive copies for the transition period.
• Lower DNS TTLs (to 60s–300s) at least 48 hours before MX change to accelerate rollback if needed.
• Plan a phased DNS cutover: test with pilot subdomains, then staged production migration.

5) SSO, SCIM, and user provisioning (Day 3–20)

SSO misconfiguration is one of the top migration failure modes. Plan, test, and verify.

• Decide between SAML and OIDC for the destination; OIDC is increasingly common in 2026 for modern apps, but many email providers still use SAML for admin features.
• Implement SCIM for provisioning/deprovisioning. Confirm attribute mappings for email, aliases, name, and externalId.
• Test SSO for at least five pilot users and validate group-based entitlements and admin privileges. Track recent IdP adoption notes and integrations if you’re adopting newer micro-auth patterns (MicroAuthJS adoption research).
• Ensure MFA policies (FIDO2, TOTP) carry over. For passwordless adoption, make sure your IdP supports passkeys/YubiKey and that fallback paths are documented.

<!-- Example SCIM provisioning mapping (pseudo) -->
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "user@newdomain.com",
  "name": {"givenName": "First","familyName": "Last"},
  "emails": [{"value": "user@newdomain.com","type": "work"}],
  "externalId": "google_user_id",
  "active": true
}
  

6) SMTP relay, DKIM, SPF, DMARC and deliverability (Day 7–20)

Don't neglect MX-authenticity and deliverability controls — these must be set before sending production mail from the new platform.

• Publish SPF records for the new provider and deprecate old entries incrementally.
• Generate and publish DKIM keys for every sending domain and rotate keys post-migration.
• Implement DMARC with a monitoring policy first (p=none) and move to quarantine/reject after 30–90 days of stable sending.
• Update bounce-handling and feedback loops with major ESPs to monitor deliverability. Also verify domain registration and avoid expired/resold domains that can break DKIM/SPF trust (domain reselling issues).

7) Large attachments & file-sharing strategy (Day 1–30)

Large attachments are not strictly about mailbox migration; they are about preserving user workflows without clogging mail transport.

• Adopt link-based sharing for files >10–25MB. Replace attachments with secure links backed by your object store (S3, S3-compatible) and short-lived tokens.
• For internal transfer, enable resumable uploads (TUS protocol or S3 multipart) so interrupted uploads resume reliably. This reduces helpdesk tickets and saves bandwidth — design your presigned-URL backend using resilient edge/backend patterns (edge-backend design).
• Set access controls and expiring links. Log every download event to your audit trail for compliance.
• Migrate embedded attachments separately using rclone-compatible object pipelines or an archival object store; ensure filenames and MIME types are preserved.

8) Preserving audit trails, headers, and eDiscovery (Day 1–30)

Regulators and legal teams will ask for chain-of-custody and original headers. Prepare to deliver.

• Export and retain raw message source, including Received headers, DKIM signatures, and Message-IDs.
• Record checksum manifests, export timestamps, and the operator who performed the export. Log these into a tamper-evident store (WORM or equivalent) and apply provenance design patterns (operational provenance).
• Store administrative API logs (who changed what and when) in a SIEM or cloud-native observability stack for at least your regulatory retention period — see approaches used in cloud observability programs (cloud-native observability).
• Use eDiscovery tooling to reconstitute matters for legal holds; validate that search and export from your destination returns consistent results with the original exports.

9) Integrations, automation, and 3rd-party apps (Day 5–25)

Mail is often woven into automation — failing to update integrations breaks business processes.

• Inventory integrations: CRMs, ticketing, backup systems, build notifications, CI/CD bots, and calendar syncs.
• Update SMTP credentials, webhook endpoints, and API scopes. Where possible, use service accounts rather than user credentials.
• Retire or rotate OAuth tokens tied to Gmail. Revoke access via Google Admin API and ensure new tokens are compliant with least privilege.
• Test inbound webhooks and origination addresses for transactional systems, and update SPF/DKIM accordingly.

10) Pilot, validation, and full cutover (Day 7–40)

Do not rush the pilot. The most common reasons for delays are missed aliases, SSO fallout, and attachments that don’t migrate cleanly.

1. Run an initial pilot with 10–50 users representing each user class (execs, regulated, service accounts).
2. Validate mail flow, calendar invites, mobile access, and archive search. Verify headers and checksums for exported messages.
3. Collect user feedback and measure support ticket volume. Adjust documentation and training materials.
4. Schedule final cutover during a low-traffic window. Keep a rapid rollback plan and a command center contact list.

11) Post-migration hygiene (Day 40–90)

After cutover, implement monitoring and an optimization plan.

• Monitor bounce rates, DMARC reports, and inbound volume. Adjust rate limits and throttling to prevent blacklisting.
• Complete full reconciliation of mailbox sizes and message counts. Keep original exports until your retention policy allows deletion.
• Rotate keys (DKIM), audit SCIM mappings, and disable legacy OAuth clients that are no longer needed.
• Run a post-mortem to document lessons learned and update your playbooks and runbooks. Refer to mass-email migration case studies and automation-preservation guides (handling mass-email provider changes).

Verification & testing checklist

Measurement is essential. Ask these questions and document answers for each pilot batch and final cutover.

• Are message counts identical (within acceptable delta) between source and destination?
• Are message headers preserved (Message-ID, Received, DKIM)?
• Do aliases and catch-alls behave as expected? Test inbound mail from external domains.
• Does SSO log and group mapping work for admin functions and mailbox delegation?
• Are large files accessible via secure links and resumable upload enabled for client apps?
• Is chain-of-custody documentation complete for compliance and legal scrutiny?

Operational examples & commands

Example: export a user's mailbox with Google Workspace Data Export workflow and verify SHA256:

# After export completes, download MBOX and compute checksum
sha256sum user_mbox.mbox > user_mbox.mbox.sha256
# Verify later
sha256sum -c user_mbox.mbox.sha256
  

Example: migrate attachments to an S3 bucket with rclone for link-based replacement:

rclone copy /path/to/attachments s3:mail-attachments/ --transfers 16 --s3-chunk-size 10M
# Generate presigned URL logic via your backend to replace attachment URLs in messages
  

Common pitfalls and how to avoid them

• Pitfall: Assuming aliases automatically port. Fix: Inventory and explicitly recreate aliases or implement envelope rewriting at MTA.
• Pitfall: SSO provider not mapped for admin roles. Fix: Pre-create admin-level test accounts and verify role-based access.
• Pitfall: Lost attachments because the new provider restricts size. Fix: Offload large attachments to object storage and replace message bodies with secure links.
• Pitfall: Missing headers for eDiscovery. Fix: Ensure you export raw message sources and preserve Received headers; follow provenance guidance (operational provenance).

Security & privacy best practices (2026)

Security and privacy expectations have tightened in 2026. Adopt these baseline controls:

• Zero-trust for mail admin access — enforce least privilege, MFA, and break-glass accounts with bannered policies.
• Encrypt exports at rest, and use secure key management. Maintain an audit log for export access; feed these logs into a cloud observability / SIEM pipeline (cloud-native observability).
• Ensure the destination provider supports region-based data residency if required by GDPR or local rules.
• Review each provider’s privacy policy for AI-access clauses (e.g., training models on customer content). Opt for providers with explicit non-training commitments if required — see privacy-first tooling notes (privacy-first AI tools).

Communications plan & user guidance

Clear user communications reduce helpdesk load dramatically.

• Send a pre-migration advisory with timelines and actions (update 2FA, review personal forwarding, export any personal data users want to keep).
• Provide step-by-step guides for updating IMAP/SMTP settings on common clients (Outlook, Apple Mail, mobile clients) and examples for passkey/MFA enrollment.
• Offer office hours and a “migration support” Slack/Teams channel with pinned FAQs and escalation contacts.

Rollbacks and emergency playbook

Always prepare for the unexpected and make rollbacks safe and predictable.

• Keep DNS TTLs low for the change window to allow fast rollback.
• Retain both inbound flows during the rollback period and log differences.
• Document steps to re-enable old provider routing and re-sync any new messages accumulated at the destination back to source, if necessary.

Resource estimate & timeline guidance

Typical timelines depend on user count and compliance needs.

• Small orgs (<=200 users): 2–6 weeks with a focused team (1 project lead, 1 systems admin, 1 compliance rep).
• Medium orgs (200–2,000): 6–12 weeks with phased pilots and additional SRE/engineering support.
• Large enterprises (>2,000): 3–6 months with cross-functional governance, legal oversight, and dedicated migration engineering teams.

Final checklist (printable)

1. Inventory users, aliases, groups, and service accounts.
2. Export all mailboxes, calculate SHA256 checksums, and store manifests.
3. Plan SSO and SCIM provisioning and test with pilot users.
4. Configure dual delivery and lower DNS TTLs.
5. Recreate aliases, catch-alls, and forwarding rules on destination.
6. Establish DKIM/SPF/DMARC and monitor deliverability.
7. Offload large attachments to secure object storage and enable resumable uploads.
8. Preserve raw headers and store audit logs in an immutable store.
9. Test integrations and rotate OAuth tokens; update webhooks and SMTP creds.
10. Run pilots, validate, cut over in phases, and conduct a post-mortem.

Actionable takeaways

• Do not cut MX without dual delivery: run mail to both systems until exports and validation are complete.
• Preserve headers and checksums: you’ll need them for compliance and eDiscovery.
• Plan for attachments: replace heavy attachments with secure links backed by resumable uploads to avoid failures — design presigned-URL backends with resilient edge patterns (edge-backend patterns).
• Test SSO thoroughly: a single misconfigured SAML assertion can lock out the entire org — review modern IdP patterns (MicroAuthJS adoption notes) when planning your cutover.

Why this matters in 2026

With AI models increasingly integrated into email platforms and regulators scrutinizing data residency and consent, migration decisions are not only operational but strategic. Choosing a provider that respects privacy, offers strong auditability, and supports modern resumable upload and sharing patterns will reduce long-term risk and operational cost.

Call to action

If you’re planning—or being forced—to move off Gmail, start with this checklist, run a pilot, and document every step. For hands-on help: assemble a small migration task force, capture your inventory, and test dual delivery this week. Need a migration playbook tailored to your stack or a secure large-file transfer approach built for resumable uploads and strict compliance? Reach out to your trusted engineering partner or download a prebuilt migration template to get started.

Related Reading

• Handling Mass Email Provider Changes Without Breaking Automation
• Operationalizing Provenance: Designing Practical Trust Scores
• Designing Resilient Edge Backends for Presigned‑URL and Resumable Uploads
• Inside Domain Reselling Scams of 2026
• Cloud‑Native Observability (for SIEM and Audit Pipelines)
• Living Like a Local in Whitefish, Montana: A Seasonal Guide for Remote Workers and Snow Lovers
• Reputational Risk and Royalties: What Julio Iglesias’ Case Teaches Music Investors
• Teaching Statistics with Fantasy Football: A Unit Using FPL Data
• Multi-CDN for Small Sites: Practical Setup and Cost Tradeoffs
• Cozy Modest Sleepwear + Hot-Water Bottles: Best Pairs for Restful Nights