No big deal: Switch your email provider, but keep your old domain

Alexa Steinbrück
Jul 30, 2024

ProtonMail stores your end-to-end encrypted email under 1,000 meters of granite (close to Attinghausen, Switzerland)

Email is the lifeline of my professional existence. As a freelance software developer, it is the primary way I connect with clients, secure new gigs, manage projects, and, of course, send invoices. Missing an email could lead to lost opportunities and unnecessary confusion. Simply put, email is how I feed myself and my dog!

Given its importance, switching my email account seemed like a daunting task. I had several concerns: How long would the transition take? Would there be any downtime? Could emails get lost in the process? Would my emails suddenly be marked as spam?

I wrote this short article to answer these questions and share some best practices. Hopefully, it will also ease some of your insecurities.

TL;DR: It’s fairly easy, the risks are low, and you can do it too!

This short article is for you if you have a custom email address and domain (e.g., yourname@yoursite.com) and want to move it to a new email provider.

This article is NOT for you if you have a Gmail address or similar (yourname@gmail.com) and want to switch email provider.

Choosing ProtonMail as my new email provider

Recently, I decided to switch my email provider. My requirements were: enhanced privacy, enhanced security for me and my clients, reasonable pricing, good user experience (admin interface, mail client). And most importantly, I needed to keep my already existing custom domain: alexasteinbruck.com

After some market research and comparison, I chose Proton Mail for these main reasons:
1. they put privacy first
2. their pricing is reasonable
3. their mail client has a great UI
4. their code is open source

Proton Mail prioritizes privacy above all else, as stated in their commitment:

“We provide easy-to-use alternatives to Big Tech services and their surveillance business models. With Proton, your data is protected, not exploited.”

Their privacy features include end-to-end encryption ensuring that not even Proton itself can read your emails. Moreover, Proton Mail detects and disables tracking technologies embedded in incoming emails. Beyond these core offerings, Proton Mail includes several other interesting features, like disposable email addresses, a free VPN service and Proton Scribe, an integrated privacy-friendly version of ChatGPT.

Two other impressive facts about Proton:

  • Proton was founded by a group of scientists who met at CERN. They were advised by Sir Tim Berners-Lee, who is often called the inventor of the World Wide Web.
  • Proton operates two data centers to ensure reliability and security. One is located in Lausanne, while the other serves as a backup in Attinghausen, housed in the former K7 military bunker under 1,000 meters of granite rock. Here’s a Quartz reportage about it.

Migration status displayed in the Proton migration assistant

How to do the migration (outline)

Disclaimer: Please check the actual website of Proton for more detailed and up-to-date instructions. This is just an overview!

Step 1 — Sign up with Proton Mail

Sign up with Proton Mail. Then go to the “Domain names” settings page and click Add domain or Review. This will launch a convenient assistant that will walk you through the necessary steps!

Step 2 — Update DNS records

Open a new tab and log in to your domain provider. That’s the company where you once registered your custom domain (it might also be where you bought your web space/hosting). It is important to understand that hosting and domains are different things that should always be decoupled: You could cancel your hosting plan, but keep your domain.

Navigate to the DNS settings of your domain provider. Here you will see a table of your DNS records.

  1. Add a DNS record of type TXT (this is to prove to Proton that you are indeed the owner of the domain) to your list of DNS records. Copy the values from the Proton assistant website.
  2. Add 2 MX records — these are the actual records for email routing: mail.protonmail.ch and mailsec.protonmail.ch
  3. Add a few more DNS records for mail origin verification, security and spam prevention: SPF (that’s a record of type TXT), DKIM (record of type CNAME) and DMARC (record of type TXT)

What needs to happen with your old DNS records?

That depends on the type of records.
Old MX records: You need to delete/overwrite them. Alternatively, keep them and give them a priority that has a higher number (meaning lower priority) than the Proton entries.
Old SPF/DKIM/DMARC records: A single domain can have only 1 TXT record for SPF! But the value of the SPF record can reference multiple servers in the text content.
Check Proton’s migration assistant for more recommendations!
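
The two rules above (exactly one SPF record, old MX entries ranked after the Proton ones) can be checked mechanically before you rely on the new setup. The following is an added example, not part of the original article or of Proton's tooling: the TXT values and the `oldhost.example` / `newhost.example` names are constructed placeholders for whatever your old provider and the migration assistant give you, and only the two Proton MX host names come from Step 2.

```python
# Added example. TXT values and the "oldhost.example" names are constructed;
# only the two Proton MX host names are taken from the article.
PROTON_MX = {"mail.protonmail.ch", "mailsec.protonmail.ch"}
STRICTNESS = {"-": 3, "~": 2, "?": 1, "+": 0}  # SPF qualifiers, strictest first


def spf_records(txt_values):
    """TXT values that are SPF policies, i.e. whose first term is v=spf1."""
    return [v for v in txt_values if v.lower().split()[:1] == ["v=spf1"]]


def merge_spf(txt_values):
    """Fold several SPF records into one, keeping the strictest 'all' term."""
    mechanisms, qualifier = [], None
    for record in spf_records(txt_values):
        for term in record.split()[1:]:
            if term.lstrip("+-~?").lower() == "all":
                q = term[0] if term[0] in STRICTNESS else "+"
                if qualifier is None or STRICTNESS[q] > STRICTNESS[qualifier]:
                    qualifier = q
            elif term not in mechanisms:
                mechanisms.append(term)
    tail = [] if qualifier is None else [qualifier + "all"]
    return " ".join(["v=spf1", *mechanisms, *tail])


def audit(txt_values, mx_records):
    """Return findings; an empty list means both rules from the text hold."""
    findings = []
    count = len(spf_records(txt_values))
    if count > 1:  # RFC 7208: more than one SPF record is a permanent error
        findings.append(f"{count} SPF records found, merge them into one")
    is_proton = lambda host: host.rstrip(".").lower() in PROTON_MX
    proton = [pref for pref, host in mx_records if is_proton(host)]
    if not proton:
        findings.append("no Proton MX record present")
    for pref, host in mx_records:
        if proton and not is_proton(host) and pref <= max(proton):
            findings.append(f"old MX {host} ({pref}) must rank after Proton")
    return findings


TXT = ["protonmail-verification=xxx",
       "v=spf1 include:_spf.oldhost.example ~all",
       "v=spf1 include:_spf.newhost.example -all"]
MX = [(10, "mail.protonmail.ch"), (20, "mailsec.protonmail.ch"),
      (10, "mx.oldhost.example")]

if __name__ == "__main__":
    print(audit(TXT, MX))
    print(merge_spf(TXT))
```

Feed it the TXT and MX values shown in your domain provider's DNS table; keeping the strictest `all` qualifier when merging is a choice made in this example, so relax it if your old provider's servers still need to send mail during the transition.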

Step 3 — Wait ⏳

How long will the transition take?

This is hard to tell. DNS is an unpredictable beast. It can take up to 72 hours for the new DNS records to propagate through the system. In my case it took only about 3 hours for the whole procedure to be completed. In your Proton admin interface you can see the status of the migration.

FAQs/Questions

Is there any “downtime”?

If the new MX records have not yet been picked up by DNS servers worldwide, those servers will still return the old MX records pointing to your old email provider. This means you could still receive emails on your old email server, so don’t shut it down too quickly.

Can emails get lost in the process?

It is unlikely that incoming emails get lost as long as you have any MX records present in your DNS settings. In the rare case that an email cannot be delivered to one mail server or the other, it will “bounce” and the sender will be notified with a message: “Undelivered Mail Returned to Sender”.

Can both email servers be “active”?

If you keep both MX entries, yes. The record with the lowest priority number is used first, then the ones with higher numbers, until one server responds. If they have similar priorities then the emails would be randomly split between the two servers (this is how load balancing is usually done). But one single email will never be delivered to more than one server!
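
To see what this means while both providers are still listed, here is a small simulation of how a sending server picks among your MX records. It is an added example, not code from the original article: the preference values and `mx.oldhost.example` are constructed, and the two Proton host names are the ones from Step 2.

```python
import random
from collections import Counter

# Added example. Preference values and "mx.oldhost.example" are constructed;
# the two Proton host names are the ones given in Step 2.
MX = [(10, "mail.protonmail.ch"), (20, "mailsec.protonmail.ch"),
      (50, "mx.oldhost.example")]


def delivery_order(mx_records, rng=random):
    """Hosts in the order a sender tries them: lowest preference number
    first, random order among hosts sharing the same number."""
    groups = {}
    for pref, host in mx_records:
        groups.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(groups):
        hosts = list(groups[pref])
        rng.shuffle(hosts)
        order.extend(hosts)
    return order


def deliver(mx_records, reachable, rng=random):
    """Return the single host that accepts the message, or None when no
    host answers (the sender retries later and eventually bounces)."""
    for host in delivery_order(mx_records, rng):
        if host in reachable:
            return host
    return None


def simulate(mx_records, reachable, messages=1000, seed=1):
    """Count where `messages` constructed deliveries end up."""
    rng = random.Random(seed)
    return Counter(deliver(mx_records, reachable, rng) for _ in range(messages))


if __name__ == "__main__":
    everyone = {host for _, host in MX}
    print(simulate(MX, everyone))                  # all mail reaches the first Proton host
    print(simulate(MX, {"mx.oldhost.example"}))    # Proton unreachable: old server receives
```

With the old server at a higher number it only receives mail when neither Proton host answers, which is why it should stay online and be checked until the old record is removed.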

More tips to smooth the process

  1. Notify Your Key Contacts: Inform your important contacts about the upcoming migration. This reduces the risk of missed communications.
  2. Choose the Right Timing: Plan the migration for a weekend or a period when your email activity is lower.
  3. Adjust TTL Before Migrating: Prior to starting the migration, set your MX records to a low TTL (Time to Live). This ensures that DNS servers will update the records more quickly once you switch to the new email server, speeding up the transition and reducing the likelihood of email delivery issues.

Conclusion

The transition to a new email provider turned out to be fairly easy and not as risky as I initially thought. This was largely due to Proton Mail’s user-friendly transition assistant, which streamlined the process and minimized potential issues. Overall, the migration went smoothly, confirming that with the right tools and preparation, changing email providers can be a straightforward task.

One Last Thought

If you prioritize security, it’s crucial to ensure that your domain provider also offers robust security features. Relying solely on a secure email provider isn’t enough. If someone gains access to your domain provider account, they could alter DNS settings and redirect your MX records to a different mail server. This would allow them to impersonate you and intercept emails intended for you. Therefore, securing both your email provider and domain account is essential for comprehensive protection.

Appendix / DNS Terminology

DNS = Domain Name System
TTL = Time to live, refers to how long a DNS server can serve a cached DNS record.

Relevant DNS record types

MX — a mail exchange record
TXT — a text record
CNAME — canonical name record

How to refer to the columns in the DNS table:

the record type, e.g. TXT
the host name, e.g. @
the value, e.g. protonmail-verification=xxx.

Special records of type TXT

- SPF (Sender Policy Framework) — to authenticate the sender and ensure that only authorized servers can send emails from your domain
- DMARC (Domain-based Message Authentication, Reporting and Conformance) — to protect against email spoofing

Special records of type CNAME

- DKIM (DomainKeys Identified Mail) — to prevent hackers from messing with your email and to verify that messages haven’t been tampered with in transit

SPF, DKIM and DMARC are used for email security and authentication.

Alexa Steinbrück

A mix of Web Development, Machine Learning and Critical AI discourse. I love dogs and dictionaries.