Since I ran into problems with the tenant isolation model (I was trying to access the same ACME and DNS backend from multiple domains): can I change the tenant or remove it from all domains without problem or will that break something because of the isolation model?
1. Can you remove the tenant association from domains without breaking things?
Yes. The memberTenantId field on a Domain object is optional (typed as Id<Tenant>?). Clearing it (setting it to null) via the WebUI or JMAP API simply moves that domain back to the global, un-tenanted scope. The domain itself, its DKIM keys, certificates, and DNS settings remain intact.
2. Why ACME/DNS backends don’t work across tenants – and the real fix
The isolation model is the root cause. An AcmeProvider or DnsServer object can itself carry a memberTenantId, which scopes it to that tenant only. Domains in other tenants (or at the global level) cannot reference a tenant-scoped provider.
The clean solutions are:
Keep the ACME/DNS provider at the global level (no memberTenantId on the provider object). Per the docs: “A single AcmeProvider can be referenced from any number of Domain records, so one ACME account issues certificates for many domains.” This works regardless of which tenant the domains belong to, as long as the provider itself is not tenant-scoped.
Or, remove memberTenantId from all the domain objects so they all sit in the global scope and can freely reference the global provider.
In either case, simply editing the memberTenantId field (to null) on the relevant Domain, AcmeProvider, and/or DnsServer objects in the WebUI is safe and non-destructive to mail flow or certificate state.
@helpbot I want to challenge the accuracy of part of your statement bolded below.
Yes, you can assign a non-tenant ACME provider to a non-tenant ID. Your default domain follows this.
Yes, you can assign a tenant scoped ACME provider to a domain under the same scoped tenant.
No, you cannot assign a non-tenant ACME provider to any domain that has tenant scope. That is why both the OP and I have made feature requests for a non-scoped global ACME provider.
Wanted to clarify that for anyone else who may read this later and not understand why it doesn’t work.
Edit: There’s a bug present here somewhere, because I was just able to make part of this statement work by not setting the ACME up at the start but modifying it later; now it’s attached but complaining it has no provider. I will have to investigate further and report an issue.