MIGRATION GUIDE

Switch to OpenEFA®

How organizations replace Barracuda, Mimecast, Proofpoint, and other legacy email security gateways — without downtime or lost quarantine.

This is the operator’s version of a migration page. No marketing fluff. Just the timeline, the decisions you’ll face, what we handle, and how we roll back if anything goes sideways.

Request Migration Plan See the Timeline

TYPICAL PROJECT

End-to-end duration 2–3 weeks
Parallel run 7–14 days
MX cutover window 15 min
Rollback time < 1 hour

What the migration looks like

Five stages. Most organizations complete the whole sequence in two to three weeks. You decide the pace.

1
DAY 0 · 30 MIN

Discovery

A short call covering your current vendor, policy complexity, user count, compliance posture, and any archiving obligations. We’ll tell you what we’ll port cleanly and what we’ll need to rebuild.

Deliverable: migration scope document, proposed rule mapping, trial tenant provisioned.

2
WEEK 1–2 · 7–14 DAYS

Parallel run

OpenEFA runs alongside your existing filter in “shadow” mode. Your current filter still makes the delivery decisions. OpenEFA scores every message independently so you can compare verdicts before anything reaches production.

What you get: a side-by-side verdict report — messages both filters agreed on, messages only OpenEFA flagged, messages only your legacy filter flagged — with full reasoning on each.

3
WEEK 2 · 1–3 DAYS

Data export & rule mapping

We export from your current vendor and import into OpenEFA: sender whitelists and blocklists, domain-level policies, custom rules, attachment and URL allow-lists. Where rules don’t have a one-to-one equivalent, we translate them into OpenEFA’s model.

Not automatic: per-user mailbox preferences (we rebuild these from your directory). Not needed: reputation training data — OpenEFA builds its own baselines during the parallel run.

4
CUTOVER DAY · 15 MIN

MX cutover

You change MX records to mx1.openefa.com. DNS propagation completes within minutes to a few hours depending on your TTL. OpenEFA is now making delivery decisions; your old filter continues to receive stragglers until DNS fully rolls over.

Recommended: lower MX TTL to 300 seconds 24 hours before cutover to shorten the window.

5
WEEK 3+ · YOUR RENEWAL CYCLE

Decommission

Leave the old filter in place through the end of its current billing term — it’s your safety net. When you’re confident, submit non-renewal and let the contract lapse. No sudden cancellation penalties.

If you decide to roll back: flip MX back. OpenEFA won’t fight it. See the rollback section below.

Notes by current vendor

Migrations from different legacy platforms have different gotchas. Here’s what we see most often.

FROM

Barracuda

Email Security Gateway, Email Protection, Impersonation Protection, and legacy Spam Firewall appliances.

What ports cleanly

  • Sender & domain allow/block lists
  • Inbound & outbound policy rules
  • User-level exception lists (via LDAP/Entra sync)
  • DKIM signing keys (if self-managed)

What we rebuild

  • Linked Cloud Protection Layer + on-prem appliance rule chains — OpenEFA is a single inline engine, not a two-stage pipeline
  • Per-user quarantine preferences (rebuilt from directory)

Timing

Barracuda contracts are usually 1–3 year terms with auto-renewal. Check your renewal date before cutover and set a calendar reminder to submit non-renewal.

Full Barracuda comparison →

FROM

Mimecast

Mimecast Email Security, Targeted Threat Protection (URL/Attachment/Impersonation), and Cloud Archive.

What ports cleanly

  • Address Group / Profile Group membership
  • Permitted & Blocked sender policies
  • Attachment Protection and URL Protection rule intent
  • Managed Sender list

What we rebuild

  • Impersonation Protect signal thresholds — OpenEFA uses behavioral + intent layers instead of rule-per-signal
  • Mailbox Continuity (out of scope; pairs with your existing mail host)

Archiving

If you’re on Mimecast Cloud Archive, OpenEFA Comply ($8/user) or Vault ($10/user) provides equivalent retention. We coordinate an archive export with Mimecast before decommission.

FROM

Proofpoint

Proofpoint Essentials, Enterprise Email Protection, Targeted Attack Protection (TAP), and Threat Response Auto-Pull (TRAP).

What ports cleanly

  • Spam & virus rule thresholds
  • Sender lists and DMARC policy enforcement
  • Email Fraud Defense lookalike-domain lists
  • Quarantine digest schedules

What we rebuild

  • TAP URL rewriting — OpenEFA scores URLs inline without rewriting; no click-time lookups required
  • TRAP remediation workflows — mapped to OpenEFA’s release/recall API

Timing

Proofpoint Essentials is typically month-to-month; Enterprise contracts are annual. Most migrations time cutover to the month before renewal.

Other vendors (Avanan, Abnormal, INKY, etc.)? Contact us — we’ve done it.

OpenEFA vs. legacy email gateways

Compared against the general class of legacy cloud gateways, not any single vendor. Individual product capabilities vary.

Legacy gateways OpenEFA
Deployment Multi-step onboarding; professional services often required MX change in minutes. No hardware, no agents.
Pricing model Mailbox + per-feature add-ons (TAP, archive, encryption, etc.) Flat per-user tiers from $5–$10. Archiving built in from the $6 tier.
Contract length Typically 1–3 year terms with auto-renewal No long-term contract. Cancel anytime.
Verdict explainability Opaque risk score; limited breakdown in admin console Full per-signal breakdown. Every weight visible. Tune inline.
BEC / intent detection Rule-per-signal; bolt-on modules for impersonation Dedicated intent layer: NLP classifier + behavioral relationship graph.
First-contact senders Scored by reputation; unknown = no signal Explicitly flagged; baseline threshold adjusted per-domain.
URL handling URL rewriting with click-time lookup (breaks outbound, adds latency) Inline URL risk scoring. No rewriting. Original links preserved.
Data residency Cloud-only for most tiers; on-prem appliances require separate product lines Cloud, managed on-prem appliance, private cloud, or air-gapped — same platform.
Privacy posture Many vendors send message content to third-party cloud AI for analysis Proprietary ML runs entirely in OpenEFA infrastructure. No third-party AI training.
Support Tiered support; premium tiers required for direct engineer access 18/7 live support + 24/7 emergency included on every plan.

Comparisons reflect OpenEFA’s understanding of typical legacy gateway deployments as of 2026. Vendor capabilities change — verify current features against your vendor’s documentation.

If something breaks: rollback

We don’t pretend migrations always go perfectly. Here’s how we plan for the case where they don’t.

1. Low TTL before cutover

We drop your MX TTL to 300 seconds at least 24 hours ahead. That means rollback DNS changes propagate in minutes, not hours.

2. Old filter stays up

Your existing filter remains active through its current billing term. It’s your safety net. Rollback is a DNS flip away, not a rebuy.

3. Quarantine is queryable

Every message OpenEFA has ever scored stays in your quarantine with full verdict history. If a rollback is needed, nothing is lost.

4. No punitive cancellation

OpenEFA is month-to-month. If the migration doesn’t work for you, you don’t owe us for unused time. Cancel and walk.

In practice: rollbacks are rare. In the past year our own metric is that fewer than 2% of migrations require more than one MX adjustment post-cutover. But the plan exists because that’s how real operations work.

Migration FAQ

No. We explicitly design migrations to run in parallel with your existing filter. Your current contract stays in force through its billing term; you submit non-renewal when you’re confident in OpenEFA. This is also your rollback path — if anything goes wrong, your old filter is still running.

A verdict comparison for every message that comes through during the window. You’ll see which messages both filters agreed were spam/phishing, which only OpenEFA caught (and why), which only your legacy filter flagged, and where we disagreed on scoring. The point is to baseline confidence before changing MX — not to sell you. If the parallel run shows OpenEFA doesn’t fit your needs, we’ll tell you.

No. Mail delivery continues throughout. Quarantine notifications change format and come from OpenEFA instead of your previous vendor, but that’s usually the only user-facing signal. We provide a one-page end-user note you can send if you want to explain the change.

Each tenant gets its own OpenEFA instance with isolated data and policy. MSPs manage all of them from a single multi-domain console with role-based access. Billing is consolidated. Most MSP migrations run tenants in batches of 5–10 in parallel, with phased cutovers.

Depends on tier. If you’re paying for archiving as a separate add-on (common with Mimecast, Proofpoint), OpenEFA Protect ($6), Comply ($8), or Vault ($10) replaces it with retention built into the base price. We’ll help you export historical archive data before decommission. See pricing & services for details.

Standard migrations — discovery, parallel run, rule mapping, cutover assistance — are included. Complex migrations involving multi-tenant MSP environments, air-gapped deployments, or custom compliance workflows may involve a project fee; we’ll scope and quote before you commit.

Ready to start the discovery call?

30 minutes. No slide deck. We’ll tell you what a migration from your current vendor actually looks like — including whether OpenEFA isn’t the right fit.

Request Migration Plan See Pricing User Forum