Skip to main content

Extended Email Security migration flow

This article describes the end-to-end process for migrating from the legacy GravityZone Security for Email platform to GravityZone Extended Email Security (EES), referred to as EES throughout this article.

This applies to:

  • B2B end customers.

  • MSP partners managing one or more customer tenants.

Important dates and migration timing

  • Start of automated staging: December 16, 2025.

  • Latest expected staging completion: January 24, 2026.

  • Expected shutdown of the legacy platform: January 31, 2026.

Schedule migrations as soon as possible

Due to developments outside our immediate control affecting the underlying infrastructure, we must bring forward the final shutdown to January 31st, 2026. We will support you through this migration so it goes as smoothly as possible.

All customers must complete migration to the Extended Email Security (EES) platform including updating MX records and mail routing settings before January 31st, 2026. If these updates are not completed, email filtering and related services will stop functioning once the legacy platform is shut down.

Caution

All customers must complete MX record and mail routing changes before January 31, 2026. If mail flow is not updated, email filtering stops when the legacy platform is retired.

What has been pre-staged for you

As part of the accelerated migration, Bitdefender automatically stages the following configuration elements from the legacy Security for Email platform into the new EES platform:

  • Domains and mail routing configuration.

  • Administrator accounts that have mailboxes configured within protected domains.

  • Mailboxes associated with the protected domains.

  • Safe lists and deny lists.

  • Default email security policies in EES that cover the built-in protection rules from the legacy platform.

Built-in security rules from the legacy platform are covered by the default policies applied in Extended Email Security.

What is not migrated`automatically:

  • Custom rules manually created on the legacy platform.

    These rules are not migrated automatically. If they are still required, they must be recreated in the Mesh platform.

    Note

    If assistance is needed, open a Bitdefender Support case, and the Support team can help review and recreate the required rules.

  • Outbound sending host are not migrated automatically and must be configured manually if outbound filtering is enabled.

  • Emails currently held in Quarantine on the legacy Security for Email platform are not transferred to Extended Email Security (EES).

Caution

Review any required quarantined emails on the legacy platform before completing the migration, as quarantined messages are not transferred to EES.

Accessing the Mesh platform

B2B Customers:

Once staging is complete, the configured administrator receives a welcome email with instructions to set a password and access the Mesh portal.

MSP Partners:

Once your MSP portal is ready:

  • You receive a welcome email to set your credentials

  • You receive a notification email for each customer tenant once it has been staged

Below you can find the links for the login pages for both EU and US:

US login page: https://hub-us.emailsecurity.app

EU login page: https://hub-eu.emailsecurity.app

Post-staging migration steps

Follow the phases below to avoid mail flow disruption:

  1. Verify the staged configuration.

  2. Prepare your environment.

  3. Cutover mail flow to EES.

Verify staged configuration

Before making any mail flow changes, verify that your configuration has been staged correctly in the Mesh platform. 

Verify the following items: 

  • Administrator accounts that have mailboxes within protected domains.

  • User mailboxes associated with the protected domains.

  • Domains and mail routing configuration.

  • Safe lists and deny lists.

  • Default email security policies applied in Mesh.

The default policies in Extended Email Security cover the built-in protection rules from the legacy Security for Email platform.

MSP partners

Repeat this verification for each customer tenant before proceeding.

Prepare your environment

These steps ensure your environment is ready to receive clean email from EES before MX records are changed.

Create Mail Flow Rules

Mail flow rules allow clean emails filtered by EES to be delivered without double filtering. Create the appropriate mail flow rules for your environment:

Populate Users

Users must be present in EES to:

Review Existing Connectors or Inbound Gateways

The legacy Security for Email platform functioned as a Secure Email Gateway (SEG). 

Most customers already have connectors and mail flow rules that only trust legacy platform IP addresses. 

Before changing MX records, review any configuration that may reject inbound email from EES.

Recommended migration approach (preparation only)

No mail flow changes should occur during this phase.

The activation of EES connectors and deactivation of legacy connectors is performed during the CUTOVER phase.

This approach allows both configurations to coexist temporarily and reduces the risk of rejected or blocked emails.

Prepare SPF and DKIM (Outbound Service – Optional)

This step applies only if you plan to enable outbound email filtering in EES:

If outbound filtering will be enabled:

  • Update your SPF record to include EES sending hosts.

  • Prepare DKIM keys for outbound email signing.

These steps can be completed in advance and do not impact inbound mail flow or MX record cutover.

Cutover mail flow to EES

Update MX records to point to EES depending on region.

Note

Reduce DNS TTL to a minimum value to ensure easy roll back of MX records if required.

Finalize Connector or Rule configuration

After MX records have been updated and mail flow through EES is confirmed:

  • Enable EES-specific connectors and mail flow rules.

  • Disable or remove legacy Security for Email connectors or rules.

  • Restrict inbound email acceptance to EES sending IP addresses only.

This ensures all inbound emails are routed exclusively through Extended Email Security.

Optional Configuration

What’s Next: Day-to-Day Administration in EES

Once mail flow has been successfully cut over and validated, the migration to Extended Email Security (EES) is complete.

From this point forward, all email security administration is performed in the Mesh console. This includes routine operational tasks such as:

MSP partners can also use the Mesh console to manage and monitor multiple customer tenants from a single interface. These guides provide step-by-step instructions for common administrative activities performed after migration.

Need help?

Bitdefender Support is available to assist with migration-related questions and validation steps: 

Email: ess-mesh@bitdefender.com

In this section: