--- title: "Migrating from ESET Mail Security to SpamSentinel on HCL Domino | DuoCircle" description: "Step-by-step migration plan for replacing ESET Mail Security for IBM/HCL Domino with SpamSentinel before the July 31, 2026 End of Life. Same-server product swap, no MX changes, no DNS rollback planning." image: "https://www.duocircle.com/images/og-default.png" canonical: "https://www.duocircle.com/email/eset-mail-security-domino-migration-guide/" --- ESET to SpamSentinel · Same-server, no DNS changes # Migration guide. Smallest cutover in the industry. This is the technical playbook for moving from ESET Mail Security for IBM/HCL Domino to SpamSentinel before the July 31, 2026 End of Life. Same architecture, same server, same operational model. No MX changes, no DNS rollback, no gateway introduced to the diagram. The smallest migration the email security industry knows how to ship. [ Request a Quote → ](/email/spamsentinel-quote/) [ See the EOL context ](/email/eset-mail-security-domino-end-of-life/) 3 to 5 weeks end to end 0 DNS or MX changes Fully reversible during pilot migration tracker · eset -> spamsentinel Calendar time 3 to 5 weeks Admin hours 10 to 30 hrs DNS changes 0 Reversibility Full ![SpamSentinel admin console running on HCL Domino, showing real-time spam scanning, macro stripping, and message routing](https://media.mailhop.org/duocircle/admin-console-sm-1779239602365.jpg) The architectural posture ## Nothing about your mail flow has to change ESET Mail Security ran natively on the Domino server. SpamSentinel runs natively on the Domino server. The mail flow is identical: Sender's mail server | v [ MX lookup -> your Domino server ] | v HCL Domino + SpamSentinel installed | | scan, score, quarantine, log v Notes mail file / iNotes / HCL Verse ### What does not change - ✓ MX records and DNS - ✓ Mail-flow diagram - ✓ Operational model (Domino-integrated application) - ✓ The team that runs it ### What does change - → Active scanner (ESET out, SpamSentinel in) - → Headers your Notes rules might key on - → Quarantine UI and release path - → The vendor on the support call ### Deployment specs - **Supported Domino:** HCL Domino 6.5 and newer. Full feature coverage through Domino 14. - **Operating system:** Windows Server 2008 R2 x64 or newer. - **Memory:** 1.5 GB free. - **Disk:** 2.5 GB free. - **Performance posture:** CPU and disk load on the Domino server is typically low. Any modern server already running Domino handles SpamSentinel without issue. ### Install-time references The complete list of core SpamSentinel product components, including required changes to `notes.ini`, `EXTMGR_ADDINS`, Domino services, and mail templates, is on the SpamSentinel support center. [SpamSentinel for Domino product components →](https://maysoft.duocircle.com/support/solutions/articles/5000892862-spamsentinel-for-domino-product-components) A server restart is required at install. Most automated updates after that do not require a post-update restart. Feature mapping ## What ESET did, what SpamSentinel does Before cutover, document what ESET is actually delivering in your environment. This protects you from quietly dropping a feature you depend on and gives your auditors a clean before-and-after. | ESET feature | SpamSentinel equivalent | | --------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Antispam engine | SpamSentinel antispam engine, tunable per environment, with InboxGenius preferred-sender learning to reduce false positives. | | Antiphishing module | SpamSentinel antiphishing, native on Domino, still tuned and still shipped against current campaigns. | | Attachment antimalware | SpamSentinel antimalware scanning, plus built-in macro blocking specifically focused on macro-bearing attachments, one of the most persistent delivery patterns in email-borne malware. | | User-defined rules | Tunable rule engine, content-aware policies, practical knobs for the false-positive cases that actually show up in your environment. | | Per-user quarantine release | Domino-native quarantine and end-user release path. Same operational model. | | Logging and reporting | Domino-native log databases and reports. | **A common discovery during this inventory:** "we use ESET for X" turns out to mean "we use ESET's quarantine UI, but the actual detection has been doing very little extra since 2023." That is useful information, not a problem. SpamSentinel replaces both, with detection that has continued to ship updates. ### Three things SpamSentinel does not do Surfaced here so you do not find them mid-deployment. We answer these the same way on every quote. - **No manual or scheduled rescans of data already at rest in NSF files.** SpamSentinel scans at message arrival. We do not provide an on-demand sweep of historical mail. - **No built-in SIEM integration or log export.** SpamSentinel logs to NSF databases on the Domino server. The documented path to ship those to a SIEM is a custom LotusScript agent against the log NSF. We have customers who have done this and will share what they did. Four phases ## The full migration, week by week A typical small or mid-sized Domino environment runs this in 3 to 5 calendar weeks with 10 to 30 hours of admin time, weighted toward the configuration and validation phase. 01 Week 1 ### Conversation and scoping Request a quote. The right SpamSentinel deployment specs depend on your Domino version, server topology, user count, and a handful of questions a Domino expert needs to ask. You answer those on the form. We come back the same day with a number and a deployment plan, not a discovery-call funnel. - Same-day response, no SDR - Pricing in the reply, not in a downstream sales process - Yes or no, fast 02 Week 2 to 3 ### Install and configure SpamSentinel Install SpamSentinel in a disabled state while ESET continues handling mail scanning. Configure SpamSentinel settings, policies, and rules. No disruption to mail flow during this phase — ESET remains active and unchanged. - SpamSentinel installed but disabled — ESET unchanged - No DNS, no MX, no mail-flow changes - Configure and validate SpamSentinel settings before cutover 03 Week 4 ### Cutover (no DNS involved) Swap the EXTMGR\_ADDINS entry in notes.ini from ESET to SpamSentinel and restart Domino. SpamSentinel is now actively scanning. The cutover requires a Domino restart but no DNS or MX changes. - No DNS or MX changes - No propagation window - Swapping back to ESET is a quick notes.ini edit and a Domino restart 04 Week 5 to 6 ### Decommission ESET After 7 days of clean SpamSentinel operation, remove ESET from the Domino servers. Run the ESET uninstaller, reclaim the CPU and memory, and update your asset inventory and audit documentation. - Keep the ESET quarantine database for 90 days for historical lookups - Remove ESET Mail Security from SOC 2 evidence collection workflows - Add SpamSentinel in its place **Rollback at any point during the pilot:** Swap the EXTMGR\_ADDINS entry in notes.ini back to ESET, restart Domino, and you are back where you started. No mail was misrouted, because the MX records never changed. Domino-specific gotchas ## Five things to check before cutover None of these are showstoppers. All of them are the kind of detail that catches Domino administrators off guard if they are not flagged in advance. The DuoCircle expert walks through each one with you during onboarding. 01 ### Notes mail rules referencing ESET headers If you have Notes mail rules that act on ESET headers like X-EsetResult, they stop firing once ESET is disabled. Audit your rules against the Notes design before cutover. SpamSentinel emits its own headers, and the DuoCircle expert will tell you what they are during onboarding so you can update the rules in advance. 02 ### Mail rule review and consolidation Long-standing anti-spam products accumulate allow-list and block-list entries — at both the sender and domain level — that made sense years ago but no longer reflect current mail flow. These lists can number into the thousands and often include senders who no longer exist, domains that have changed ownership, and blanket domain allows that now create security gaps. Before migrating to SpamSentinel, we review these with you and help decide what is still useful and what is just clutter. Since ESET and SpamSentinel use fundamentally different detection technologies, conditions that caused a false positive under the old product are unlikely to be a factor in the new one — carrying over every legacy rule defeats the purpose of a fresh start. 03 ### Multiple Domino servers handling SMTP Install SpamSentinel on every Domino server listed in your MX records or configured as an SMTP gateway — including any standby servers that could be pressed into service during an outage. A clustered Domino server that only serves as a file replica and never handles SMTP routing does not need SpamSentinel. Configure and validate each mail-handling server individually during the migration. 04 ### SMTP relay identification If your Domino server receives inbound mail through intermediate SMTP relay servers, SpamSentinel needs to know about them. Without this configuration, RBL lookups and SPF evaluation may score the relay server's IP address instead of the original sender's, leading to incorrect spam verdicts. Similarly, internal servers that relay outbound mail through Domino should be excluded from spam scanning to avoid flagging legitimate internal traffic. Identify your relay topology during configuration so SpamSentinel evaluates the right source IPs. 05 ### Custom processing logic SpamSentinel supports administrator-defined processing logic using Domino formula language — the same @formula syntax your team already knows. Run custom rules against each message before or after scanning, or use selection formulas to exclude specific messages from scanning entirely. Not every environment needs this, but for shops with specialized routing or compliance requirements, the extensibility is there without waiting on a vendor feature request. The alternative path ## Switch to a cloud gateway instead? Some shops use the ESET EOL as a trigger for a broader architectural change, moving from on-server scanning to a cloud gateway in front of Domino. That is a legitimate decision. It is bigger than the SpamSentinel path and not always the right call. ### Choose the gateway path if - ✓ Your IT direction is generally moving on-server controls to cloud services. - ✓ You want to keep the option open to switch back-end mail platforms later (gateway stays, smart-host target changes). - ✓ You have a specific gateway feature in mind, for example time-of-click URL protection. ### Probably not, if - × You just want to fix the ESET problem with minimum disruption. - × Your Domino environment is small and well-run. - × You are likely to be off Domino entirely in the next 18 months. Why MX-cutover twice? ### Realistic gateway vendors for Domino All of these run as MX-based gateways and work back-end agnostic, so they sit in front of Domino without platform-specific integration: Proofpoint Essentials Mid-market to enterprise. Quoted. Strong threat intel, recognized brand. Mimecast Mid-market to enterprise. Quoted. Bundles archiving and continuity if you need them. Barracuda Email Protection Mid-market. Reasonable pricing, well-known brand in SMB and mid-market. Trustifi Mid-market. Combines inbound gateway with outbound encryption. Phish Protection (DuoCircle) From $19 per user per month. Multi-engine detection, self-serve trial. **Not relevant for Domino:** API-based products built for Microsoft 365 and Google Workspace (Avanan, Vade, and similar) integrate via Microsoft Graph or the Gmail API and do not have a meaningful HCL Domino integration. A gateway cutover is fundamentally different from a SpamSentinel install: procurement and tenant provisioning (1 to 2 weeks), pilot routing through a subdomain or per-user (1 to 2 weeks), MX cutover with 300-second TTLs and 48 to 72 hours of monitoring, lock Domino's SMTP inbound to only accept mail from the gateway IPs, decommission ESET. Total calendar time: 4 to 8 weeks. Reversible at the DNS layer if needed. [See the full vendor comparison →](/email/eset-mail-security-domino-replacement-comparison/) What to do next ## Three doors, pick the one that fits **Taking the on-server path (what we recommend for most Domino shops):** [request a SpamSentinel quote](/email/spamsentinel-quote/). Same-day response from an expert who has actually deployed SpamSentinel on Domino. We tell you yes or no quickly and line up the deployment if it is yes. **Taking the gateway path:** see the [replacement comparison](/email/eset-mail-security-domino-replacement-comparison/). We will tell you honestly when one of our competitors is the better fit for your shop. **Not sure which is right for you:** use the quote form anyway and tell us in the notes. A short conversation with a Domino expert saves weeks of evaluating against the wrong shortlist. ## Request a SpamSentinel quote today, not in July. Tell us your Domino version, your user count, and your existing setup. We come back the same day with a real number and a deployment plan. The SpamSentinel path runs 3 to 5 weeks and comfortably fits inside the ESET EOL window. [Request a Quote→](/email/spamsentinel-quote/) ```json {"@context":"https://schema.org","@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}],"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://www.g2.com/products/phish-protection-by-duocircle/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://support.duocircle.com"},"knowsAbout":["Email Security","Email Authentication","SPF","DKIM","DMARC","Phishing Protection","Spam Filtering","SMTP Relay","Email Deliverability","Email Forwarding"]} ``` ```json {"@context":"https://schema.org","@type":"WebSite","name":"DuoCircle LLC","url":"https://www.duocircle.com","description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}} ``` ```json [{"@context":"https://schema.org","@type":"TechArticle","headline":"Migrating from ESET Mail Security to SpamSentinel on HCL Domino","description":"Step-by-step migration plan for replacing ESET Mail Security for IBM/HCL Domino with SpamSentinel before the July 31, 2026 End of Life. Same-server, no MX changes.","url":"https://www.duocircle.com/email/eset-mail-security-domino-migration-guide/","author":{"@type":"Organization","name":"DuoCircle"}},{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"DuoCircle","item":"https://www.duocircle.com"},{"@type":"ListItem","position":2,"name":"HCL Notes / Domino","item":"https://www.duocircle.com/email/lotus-notes-email-security/"},{"@type":"ListItem","position":3,"name":"ESET Migration Guide","item":"https://www.duocircle.com/email/eset-mail-security-domino-migration-guide/"}]}] ```