[New Feature] BYO SMTP — tenant-owned transactional email (Creator Plus + Sovereign)

Patrick Bass · May 29 · 19 · 0
[High Priority] [New Feature]
🚀 OP May 29, 2026 3:41pm

What: Let tenant admins configure their own SMTP server for outbound transactional email (welcome, password reset, RSVP reminders, digest, etc.). Per-tenant SMTP host, port, username, password, encryption (STARTTLS/SSL), and From address. Mobieus continues to relay if nothing is configured. Gated to Creator Plus and Sovereign tiers.

Who benefits: Tenants who want all outbound email under their own domain reputation, want their own SPF/DKIM/DMARC alignment, want to use their existing email provider (Postmark, SendGrid, Amazon SES, Mailgun, Fastmail, Google Workspace SMTP, etc.), or who have compliance reasons to keep transactional mail off shared infrastructure.

Why now: Higher-tier tenants increasingly ask for full email control. Today every tenant routes through Mobieus' shared exim4 relay on srv1. That works for deliverability at small scale but caps the reputation tenants can build on their own domain and forces them to trust our IP. BYO SMTP gives the upper tiers the same kind of ownership story we already have for custom domains and BYO Anthropic key.

Dependencies:

  • Per-tenant .env + tenant_email_settings table (new) to hold SMTP credentials encrypted at rest. Reuses App\Services\SecretCipher already used for the Stripe key (ADR-0020).
  • App\Services\MailService already wraps PHPMailer; add a per-tenant SMTP transport variant alongside the default platform relay.
  • Admin UI: /admin/email/smtp with host/port/user/pass/encryption fields, a "Send test email" button, and a deliverability hint card (link to /docs/email-setup with SPF/DKIM/DMARC examples).
  • Plan gate: FeatureCatalog::requireTier('byo_smtp', ['creator_plus', 'sovereign']).
  • Test plan: connection test on save, automatic failover to platform relay if BYO SMTP fails twice in a row + admin alert email.

Hard requirements:

  • SMTP password stored encrypted via SecretCipher; never returned to the browser; admin UI shows last-4 only when the password is set.
  • Outbound connection tested with a short timeout before save; failure is surfaced inline (not silently saved).
  • Per-message retry policy preserved: 3 attempts with exponential backoff, then dead-letter queue with admin notification.
  • From address validated against the tenant's verified domain (Cloudflare DNS verification, same flow as custom-domain). Prevents spoofing from arbitrary domains.
  • Audit log entry on every save (admin, tenant, host, masked credentials).

Recommended order: After AI Community Manager Phase 0 ships (week 13+). Independent of any other roadmap item.

Complexity: 1-2 weeks. ~2 days for the model + cipher integration, ~3 days for the admin UI + test-send flow, ~2 days for failover + audit + plan-gate + DNS-verification of From domain, ~1 day docs.

Priority: high (Pro/Creator Plus/Sovereign retention)

Tier gate: Creator Plus + Sovereign only. Pro tenants continue to use the shared relay; this is a deliberate upsell hook for tenants who want full email ownership.


Patrick Bass
@mobieus
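
The From-address requirement in the post above, sketched as an added example (not part of the original post and not Mobieus code). The function name `fromAddressAllowed`, the `$allowSubdomains` switch and the `example.org` sample domain are assumptions; the check rejects header-injection characters, display-name forms and lookalike domains before comparing against the verified domain.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helper, not Mobieus code. Requires PHP 8+.
// Assumption: $verifiedDomain already passed the tenant's DNS verification.
function fromAddressAllowed(string $from, string $verifiedDomain, bool $allowSubdomains = false): bool
{
    // CR, LF or NUL in a header value enables header injection: reject outright.
    if (preg_match('/[\r\n\0]/', $from) === 1) {
        return false;
    }
    // Accept only a bare address; "Name <a@b>" forms are rejected, not parsed.
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Compare domains case-insensitively, ignoring a trailing root dot.
    $domain   = strtolower(substr($from, strrpos($from, '@') + 1));
    $verified = strtolower(rtrim(trim($verifiedDomain), '.'));
    if ($verified === '') {
        return false;
    }
    if ($domain === $verified) {
        return true;
    }
    // A subdomain match is anchored on a label boundary (leading dot), so
    // "evil-example.org" never matches "example.org".
    return $allowSubdomains && str_ends_with($domain, '.' . $verified);
}

// Constructed sample inputs; example.org stands in for the verified domain.
$samples = [
    'news@example.org',                               // exact match
    'NEWS@EXAMPLE.ORG',                               // case variation
    'news@mail.example.org',                          // subdomain
    'news@evil-example.org',                          // lookalike suffix
    'news@example.org.attacker.test',                 // verified name used as a prefix
    'Support <news@example.org>',                     // display-name form
    "news@example.org\r\nBcc: someone@attacker.test", // header injection attempt
];
foreach ($samples as $from) {
    $ok = fromAddressAllowed($from, 'example.org');
    printf("%-50s %s\n", json_encode($from), var_export($ok, true));
}
```

Run the same check again at send time, not only on save, so a domain that later loses verification stops being accepted as a From domain.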
