A Step-by-Step Guide to Moving Your Restaurant’s Booking and Menu Emails Off Risky Accounts

Stop losing bookings to email risk: a step-by-step migration checklist for restaurants

If your reservation, menu, and order emails still sit on personal Gmail accounts, you’re exposed. In early 2026 Google’s changes around Gmail and AI-driven data access pushed hundreds of small businesses to rethink where their customer communications live. For busy restaurateurs, the solution must be fast, low-cost, and safe — not a lengthy IT project. This guide gives you a practical, day-by-day checklist to secure and migrate your restaurant’s booking and menu emails away from risky accounts, covering DNS, MX records, backups, SPF/DKIM/DMARC, integrations, and communication plans.

Why move now? 2026 trends that make email migration urgent

Late 2025 and January 2026 saw two connected trends that matter for restaurants:

• Major email platform policy and AI-access changes that increase data exposure risk for free consumer accounts.
• A rise in targeted phishing and credential-harvesting attacks against hospitality businesses, where reservation systems and supplier communications are high-value targets.

For small restaurants that handle bookings, menu updates, invoices, and supplier orders by email, these trends mean more than inconvenience — they threaten revenue and reputation. Moving booking@, reservations@, menu@, and orders@ off consumer Gmail and onto a managed, secure domain is now a practical hygiene step.

Snapshot checklist (one-page)

1. Inventory: list every email address used for bookings, menus, orders, suppliers, invoices.
2. Backup: export all messages and attachments from each Gmail account.
3. Choose provider: hosted email (Microsoft 365, Fastmail, Proton Mail Business, Zoho, or a trusted hosting partner).
4. Create new accounts on your domain and set up app SMTP/IMAP credentials.
5. Prepare DNS: plan MX, SPF, DKIM, DMARC records and TTL timing.
6. Switch MX records, test delivery, then decommission forwards and old accounts.
7. Update integrations: booking platforms, POS, menu management, shopping/tracking apps.
8. Communicate: email and SMS notices to staff, suppliers and customers, with clear fallback channels.
9. Monitor: use DMARC reports, test sends, and run daily checks for 14 days.

Before you start: inventory and risk map (Day 0)

Spend one hour doing a fast inventory. Create a spreadsheet and capture:

• Email address
• Who manages it (owner, manager, booker)
• Systems it integrates with (booking app, POS, suppliers, Google Business Profile)
• Role (public bookings, supplier, internal)
• Last access and whether multi-factor authentication (MFA) is enabled

Typical addresses to look for: bookings@, reservations@, reservations+walkins@, menus@, orders@, suppliers@, admin@. If any of these use personal Gmail, mark them high priority. For an approach to auditing tool and account sprawl that scales beyond a single spreadsheet, see our tool sprawl audit.

Step 1 — Back up every Gmail account (Day 1)

Backups are non-negotiable. Loss of historic bookings or receipts can interrupt operations and tax records.

• For consumer Gmail: use Google Takeout to export mailboxes in MBOX format.
• For Google Workspace accounts: use the admin export tool or a third-party backup like SpinOne or UpSafe.
• Alternatively, use an IMAP client (Thunderbird, Outlook) to download a full mailbox to a local PST/MBOX file.
• Save attachments (menus, invoices) into a structured folder: /Backups/YYYYMMDD//

Label backups with the creation date and store a copy off-site (cloud backup plus USB/hard drive). This protects you if the account becomes inaccessible mid-migration.

Step 2 — Choose your new email provider (Day 1–2)

Options in 2026 suitable for restaurants:

• Business-hosted email (Microsoft 365, Google Workspace alternatives) — good for teams, integrates with calendar and cloud storage.
• Privacy-focused providers (Proton Mail Business, Fastmail) — strong privacy controls and simple admin.
• Affordable hosted mail (Zoho Mail, Rackspace) — low cost with solid admin tools.
• Self-hosted — possible but needs technical support; generally not recommended for busy restaurants.

Choose based on: cost per mailbox, ease of DNS setup, SMTP relay support for booking apps, and availability of MFA and device management. Record the provider’s required MX and TXT records now — you’ll need them for the DNS step.

Step 3 — Prepare DNS: MX, SPF, DKIM, DMARC (Day 2)

DNS is where most migrations succeed or break. Work with the domain registrar or host (where your domain’s DNS lives).

MX records

MX records tell the internet where to deliver mail. Prepare the exact MX entries your new provider gives you. Typical commands to check current records:

• dig +short MX yourdomain.com
• nslookup -type=mx yourdomain.com

Plan to lower the TTL to 300 seconds (5 minutes) 24–48 hours before the cutover to speed propagation.

SPF

SPF prevents spoofing of your domain. Example template:

v=spf1 mx include:mailprovider.example -all

Replace mailprovider.example with your provider (e.g., include:spf.protection.outlook.com). Keep the record short and authoritative.

DKIM

DKIM signs outgoing messages. Your provider will give you a selector and a public key to add as a TXT record. Example:

selector1._domainkey.yourdomain.com TXT 'v=DKIM1; k=rsa; p=LONGPUBLICKEY'

Set this before you switch sending so messages are signed immediately.

DMARC

DMARC helps you monitor and enforce policies. Start monitoring before enforcing. Example initial record:

_dmarc.yourdomain.com TXT 'v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100'

After 2–4 weeks of clean reports, move to p=quarantine or p=reject to block spoofing.

Step 4 — Create mailboxes and SMTP credentials (Day 3)

Create new mailboxes on your domain for each address in the inventory. Enable multi-factor authentication for every account and create a central admin account to manage mailboxes.

• Set mailbox aliases (e.g., reservations@ -> bookings@) where helpful.
• Create application-specific passwords or SMTP credentials for integrations (booking apps, POS, newsletter tools).
• Document every username/password in your password manager and rotate weak or shared passwords.

Step 5 — Update app integrations and SMTP settings (Day 4)

Many booking platforms (OpenTable, Resy, Squarespace Bookings), POS systems, and menu/email marketing tools use SMTP or a connected email account to send confirmations and updates. Update them to the new SMTP server, port, and credentials. Test every integration:

• Send a reservation confirmation via the booking platforms and check headers for DKIM and SPF pass.
• Send a menu update email via your marketing tool; check deliverability.
• Ensure supplier invoicing and automated order confirmations still arrive.

Step 6 — Cutover MX records (Day 5)

At a low-traffic hour, update the MX records to the new provider. Keep the old Gmail accounts live during propagation — don’t delete anything yet.

• Set the new MX records and confirm with dig/nslookup.
• Monitor delivery: send test mail from external addresses (Gmail, Outlook, mobile).
• Check provider dashboards for incoming mail flow and queue issues.

If you still receive mail at the old Gmail addresses via forwarding, leave forwarding enabled for 7–14 days.

Step 7 — Import old mail to new accounts (Day 6–7)

Use IMAP migration tools or your provider’s import feature to pull messages from the Gmail accounts into the new mailboxes. Keep folder structure and attachments intact.

• For Google consumer accounts, you may need an IMAP client or a migration tool to move MBOX content to the new mailbox.
• For Google Workspace, admins can use the data migration tool to move mail directly.

Verify: random-check confirmation emails, receipts, and last 12 months of bookings in the new account.

Step 8 — Communicate your change (Day 5–8, overlap allowed)

Transparent communication reduces missed bookings and supplier confusion. Use a simple staged plan.

Staff & managers

• Send an internal memo with timelines, new login steps, and emergency contact procedures.
• Run a 15–30 minute training session on new account access and phishing awareness.

Suppliers and partners

• Send an email with the new billing/supplier contact address and ask them to update their records.
• Include a short verification step (e.g., a phone callback for the first invoice) to prevent fraudulent change-of-payee scams.

Customers

• Publish a short notice on your website and booking confirmations: “We’ve updated our booking email to bookings@yourdomain.com for better security.”
• Use an autoresponder on old Gmail for 14 days with the new contact info and a brief reason: security and better customer service. Use announcement templates to craft a short, clear message that works in email and SMS.

Template: “We’ve moved our bookings & menus to bookings@yourdomain.com to improve security and speed. Please update your records — we’ll forward messages for two weeks.”

Step 9 — Monitor and tighten security (Day 9–30)

After migration, monitoring is critical:

• Enable DMARC aggregate reports to an address you control and review weekly.
• Watch SPF/DKIM pass rates and vendor-sent email headers.
• Turn on account lockout alerts and set up MFA enforcement for all staff accounts.
• Keep the old Gmail accounts in read-only mode for 14–30 days and only delete when confident all traffic is moved.

Rollback plan

Always plan for rollback. If critical systems break after cutover, you must be able to revert MX records and re-enable the old account forwards quickly. Keep the original DNS records and Gmail access until Day 30 at minimum. For broader playbooks on handling platform outages and community migration, see When Platform Drama Drives Installs.

Integrations checklist (shopping, tracking, POS, booking)

Don’t forget automated workflows and app integrations:

• Booking engines — update from personal SMTP to domain SMTP; test confirmation and reminder emails.
• POS and online ordering — ensure order notifications route to orders@ and not a personal Gmail.
• Supplier shopping lists and procurement tools — update invoice delivery addresses to avoid missed invoices.
• Inventory and tracking apps — ensure alerting emails are assigned to an admin mailbox and not a staff Gmail that could be lost when someone leaves. If you have many integrations, treat this like a small engineering audit — our tool sprawl audit approach helps prioritize which integrations to migrate first.

Case study: Bella’s Bistro — a 7-day migration

Bella’s Bistro (35 seats) relied on two personal Gmail accounts for bookings and invoices. After a phishing attempt in November 2025, they planned a secure migration:

1. Day 0: Inventory and backup with Google Takeout.
2. Day 1: Chose a privacy-focused hosted mail + Fastmail Business for 8 mailboxes.
3. Day 2: Lowered TTL and added SPF/DKIM records; created mailboxes and enabled MFA.
4. Day 3: Updated booking engine SMTP and updated public contact info.
5. Day 4: Switched MX at 2 AM; monitored headers and deliverability.
6. Day 5–7: Imported mail, trained staff, turned on DMARC reports.

Result: 100% of bookings continued uninterrupted, phishing attempts reduced, and suppliers updated their records within 7 days. The owner reported fewer missed invoices and a simpler audit trail for payments.

Costs, timelines and realistic expectations

Small restaurants can expect:

• Provider cost: $2–8 per mailbox/month for most business plans; privacy-focused vendors cost more.
• Time: 1–3 days for small setups; up to 2 weeks if many integrations exist.
• Technical help: an IT freelancer or support from your email provider can reduce risk. If your migration touches booking engines and RSVP stores, see a technical case study on migrating event RSVP platforms for lessons on integration testing: Case Study: Moving Your Event RSVPs.

Final security checklist

• Backups created and verified.
• MX, SPF, DKIM added and verified.
• DMARC set to monitoring, move to enforcement after clean reports.
• MFA enforced across accounts.
• All integrations updated (booking, POS, suppliers).
• Communication plan executed for staff, suppliers, and customers.
• Monitoring enabled for 30 days (DMARC, deliverability checks).

Wrapping up: security is customer service

Moving your restaurant’s booking and menu emails off personal or at-risk Gmail accounts is both a security measure and a service upgrade. In 2026, with tighter scrutiny on data access and AI-driven platform features, shifting to a managed, domain-based email system protects bookings, prevents fraud, and keeps communications professional. For advice on messaging products and how platform changes affect your messaging stack, review Future Predictions: Monetization, Moderation and the Messaging Product Stack.

Action plan (what to do first, today)

1. Open your phone and list every email your restaurant uses.
2. Run Google Takeout for any Gmail addresses tied to the restaurant.
3. Pick a provider and gather their MX and TXT record instructions.

If you want help mapping your integrations, creating DNS records, or building the staff communication plan, wholefood.app offers a guided migration checklist and integrations audit tailored for restaurants. If you need a short, practical checklist for the kinds of email announcement and autoresponder messaging you’ll send during migration, our announcement templates resource is a fast reference.

Related Reading

• Gmail AI and Deliverability: What Privacy Teams Need to Know
• Quick Win Templates: Announcement Emails Optimized for Omnichannel Retailers
• Tool Sprawl Audit: A Practical Checklist for Engineering Teams
• Case Study: Moving Your Event RSVPs from Postgres to MongoDB — An Organizer’s Playbook
• Fast Pair Fallout: Are Your Headphones Spying on You? A Step-by-Step Check
• How to Integrate RCS End-to-End Encryption with Credential Issuance Workflows
• SSD Shortages, PLC NAND, and What Storage Trends Mean for Cloud Hosting Costs
• How to Style Jewelry for Cozy At-Home Photoshoots This Winter
• Using Entertainment Event Timelines (Like the Oscars) to Time Your Campaign Budgets