Migrate Exchange to Fastmail: A Sysadmin's Step-by-Step Plan

You are leaving Exchange because the renewal numbers stopped making sense, and you picked Fastmail because the team wanted something simple, ad-free, and not run by an advertising company. Fair. The migration itself is more straightforward than Exchange-to-Microsoft-365, but it has its own set of edges: no native EWS connector, no Outlook MAPI compatibility on the destination, and a few authentication quirks around app passwords that catch people out at 11pm on cutover night. Here is the full playbook.

Why Exchange to Fastmail makes sense#

For small to mid-sized organisations that do not need the Office stack, Fastmail offers a flat per-user price, real privacy posture, and IMAP/JMAP-first design. You give up the deep Outlook integration and any Exchange-specific workflows (transport rules, journaling, retention policies bound to Exchange tags), but you remove an entire Windows server estate from the asset list.

The trade-offs to think about before you commit:

• No MAPI. Outlook still works against Fastmail over IMAP, but you lose calendar and contact sync inside Outlook unless you add a CalDAV/CardDAV bridge.
• No EWS. Anything that talked to your Exchange via EWS (mobile MDM connectors, archiving appliances, CRM plugins) needs new integration paths.
• No public folders. If you depended on public folder hierarchies for shared workflows, migrate that content to shared Fastmail folders or to a separate document store.

If any of those are show-stoppers, look at our Exchange to Google Workspace walkthrough instead, since Workspace has closer Exchange-feature parity.

Audit before you move#

Run this against the Exchange Management Shell:

Get-Mailbox -ResultSize Unlimited |
  Select-Object Identity, RecipientTypeDetails, @{n='SizeGB';e={(Get-MailboxStatistics $_).TotalItemSize.Value.ToBytes()/1GB}}, @{n='Items';e={(Get-MailboxStatistics $_).ItemCount}} |
  Sort-Object SizeGB -Descending |
  Export-Csv exchange-audit.csv -NoTypeInformation

That CSV is your project tracker. The top 10 percent of mailboxes by size will account for half your migration time. Move them first, in parallel with the bulk batch.

Also pull:

• All Get-InboxRule output per user (server-side rules will not survive)
• Distribution group membership for recreation in Fastmail
• Shared mailbox list (treat each as a regular user migration, then convert later)
• Resource mailboxes (room and equipment — recreate manually in Fastmail)

Enabling IMAP on Exchange#

Most production Exchange deployments have IMAP disabled by default. Turn it on:

Get-Service MSExchangeIMAP4 | Set-Service -StartupType Automatic
Start-Service MSExchangeIMAP4
Start-Service MSExchangeIMAP4BE

Then confirm the endpoint:

Get-ImapSettings | Select-Object Server, LoginType, ExternalConnectionSettings

Set the login type to SecureLogin so credentials are not passed in cleartext. Your migration tool or Fastmail's wizard authenticates over port 993 with TLS.

Create a service account with Full Access permissions across all mailboxes you intend to migrate:

Get-Mailbox -ResultSize Unlimited | Add-MailboxPermission `
  -User fastmail-migration@yourdomain.com -AccessRights FullAccess `
  -InheritanceType All -AutoMapping:$false

This lets one credential pull every mailbox without prompting users for passwords. If your security policy forbids broad service accounts, you fall back to per-user app passwords, which means a lot more rows in your migration tracker.

Fastmail-side setup#

Add your domain in Fastmail's admin console under Settings → Domains → Add domain. You will publish:

• An MX record (do not change it yet — point it during cutover)
• DKIM records (publish now so they propagate)
• SPF including fm1.fastmail.com
• A DMARC record at p=none initially

Create users in bulk via the admin CSV upload. Set strong temporary passwords. Once two-factor is enabled, each user generates an app password for IMAP and SMTP clients — bake this into your end-user communications, because it is the single biggest source of help-desk tickets post-cutover.

For the migration itself, Fastmail's "Import from another provider" wizard supports IMAP-source migrations. Alternatively, run a desktop IMAP-to-IMAP tool that authenticates against your Exchange service account on one side and per-user Fastmail credentials on the other.

The migration itself#

1. Pilot with three accounts

   Choose a small mailbox (under 2 GB), a medium one (5 to 10 GB), and a large one (over 20 GB). Run the migration end-to-end and validate before moving anyone else. This tells you your realistic throughput numbers and surfaces any folder-name issues unique to your tenancy.

2. Batch the rest in waves of 20 to 30

   Fastmail will accept more concurrent imports than this, but Exchange will start throwing Too many simultaneous connections if you push past 30 IMAP sessions. Watch the Exchange Performance Monitor counter MSExchangeImap4\Active Connections.

3. Monitor for errors

   Common ones: AUTHENTICATIONFAILED (service account permissions did not propagate), Folder UTF-7 conversion error (non-ASCII folder names), Message too large for destination (Fastmail's per-message ceiling is 70 MB by default).

4. Export calendars and contacts separately

   Per user, export the calendar as ICS and contacts as vCard from OWA. Import into Fastmail's calendar and address book. This is manual; script the export side from Exchange if you have more than 50 users.

5. Run delta syncs

   Run a delta sync 24 hours before cutover and a final one 1 hour after the MX change, to catch anything in flight.

Authentication realities#

Fastmail does not speak NTLM, Kerberos, or any Microsoft-flavoured auth. Everything is username plus password plus app password (when 2FA is enabled). This matters in two practical ways.

First, your migration tool needs to handle per-user passwords on the destination side, even when the source side uses a single service account. Most desktop IMAP tools handle this with a CSV of source-to-destination mappings; cloud migration services often require uploading destination credentials, which is a security posture some shops will not accept.

Second, after cutover, every IMAP client needs a fresh app password. Outlook, Apple Mail, mobile clients — all need reconfiguration. Plan a 48-hour help-desk surge.

Cutover sequence#

T-7 days: send the first comms email to users, explaining the date and time.

T-48 hours: drop MX TTL to 300 seconds.

T-24 hours: run a full delta sync. Snapshot the Exchange mailbox database in case you need to roll back.

T-2 hours: send the second comms email — "switching at 9pm tonight, log out of Outlook, do not send mail."

T-0: change MX to Fastmail's published values. Verify globally via dig MX yourdomain.com @8.8.8.8 and @1.1.1.1.

T+30 minutes: send a test from a Gmail address. It should land in Fastmail. Reply from Fastmail — it should arrive.

T+90 minutes: run the final delta sync to catch anything that hit Exchange during MX propagation.

T+24 hours: confirm SPF/DKIM/DMARC alignment by sending a test from each user to a Google Postmaster Tools-monitored address.

Outlook reconfiguration#

Outlook 2016, 2019, 2021, and the Microsoft 365 desktop versions all work against Fastmail over IMAP, but you must:

• Remove the existing Exchange profile completely (do not just add a new account).
• Add a new profile in Control Panel → Mail (Microsoft Outlook).
• Configure manually: incoming imap.fastmail.com:993 SSL, outgoing smtp.fastmail.com:465 SSL.
• Use the user's email address as the username; password is the app password, not the Fastmail account password.

If you push Outlook profiles via Group Policy or Intune, update your XML profile templates before cutover.

For calendar and contacts, install the Fastmail CalDAV/CardDAV connector for Outlook or move users to Fastmail's web UI for those workflows. There is no MAPI substitute.

Where Mailbox Taxi fits#

Fastmail's own importer handles clean, full-mailbox transfers competently. It is less helpful for filtered migrations (date ranges, folder subsets) and for re-running failed migrations on specific users without restarting from scratch.

Mailbox Taxi runs locally on Windows, Mac, or Linux, speaks IMAP to both Exchange and Fastmail, and gives you per-folder and per-date-range control. You can run the bulk migration through Fastmail's importer and use a desktop tool for the messy outliers without uploading credentials anywhere.

If your team also needs to occasionally pull a Fastmail mailbox into a Gmail archive (post-acquisition scenarios, departing employees), our Fastmail to Gmail walkthrough covers that flow.

Common errors and fixes#

AUTHENTICATIONFAILED — service account Full Access did not propagate. Re-run the permission grant and wait ten minutes. On Fastmail's side, confirm the app password is correctly entered and 2FA is set up.

Too many simultaneous connections — you are past Exchange's IMAP throttle. Reduce concurrent migrations to 10 or fewer.

Folder UTF-7 conversion error — folder names contain non-ASCII characters that IMAP UTF-7 cannot encode. Rename or remove via OWA before migrating.

Message too large for destination — items over Fastmail's 70 MB per-message ceiling. Move large messages out of the migration scope or export them separately.

STARTTLS handshake failed — Exchange's IMAP service is not presenting a valid TLS certificate, or your firewall is intercepting port 993. Confirm the certificate via openssl s_client -connect mail.yourdomain.com:993.

The complete email migration guide has a fuller error appendix that applies across providers.

Post-cutover validation#

Three checks in the first week:

1. Item count delta: compare Fastmail's per-folder counts against your Get-MailboxStatistics baseline. Anything more than 1 percent variance deserves investigation.
2. DNS hygiene: confirm SPF and DKIM via [MXToolbox] or the equivalent, and watch DMARC reports for the first month.
3. Calendar smoke test: per user, confirm the imported ICS items rendered correctly with time zones intact.

After 30 days of stable Fastmail operation, decommission the Exchange transport role. Keep mailbox role for another 60 to 90 days as a cold archive in case you need to retrieve something a user "definitely deleted."

For an end-to-end view of how this fits into a broader migration program (especially if Fastmail is one stop in a multi-step plan), the pillar Exchange migration guide maps every Exchange-source pathway. And for teams whose mental model of "what good looks like" is still forming, the complete email migration guide is the right starting point.