diff --git a/doc/release-notes/7424-mailsession.md b/doc/release-notes/7424-mailsession.md
new file mode 100644
index 00000000000..67c876f7ad5
--- /dev/null
+++ b/doc/release-notes/7424-mailsession.md
@@ -0,0 +1,24 @@
+## Simplified SMTP configuration
+
+With this release, we deprecate the usage of `asadmin create-javamail-resource` to configure Dataverse to send mail using your SMTP server and provide a simplified, standard alternative using JVM options or MicroProfile Config.
+
+At this point, no action is required if you want to keep your current configuration.
+Warnings will show in your server logs to inform and remind you about the deprecation.
+A future major release of Dataverse may remove this way of configuration.
+
+Please do take the opportunity to update your SMTP configuration. Details can be found in section of the Installation Guide starting with the [SMTP/Email Configuration](https://guides.dataverse.org/en/6.2/installation/config.html#smtp-email-configuration) section of the Installation Guide.
+
+Once reconfiguration is complete, you should remove legacy, unused config. First, run `asadmin delete-javamail-resource mail/notifyMailSession` as described in the [6.1 guides](https://guides.dataverse.org/en/6.1/installation/installation-main.html#mail-host-configuration-authentication). Then run `curl -X DELETE http://localhost:8080/api/admin/settings/:SystemEmail` as this database setting has been replace with `dataverse.mail.system-email` as described below.
+
+Please note: as there have been problems with email delivered to SPAM folders when the "From" within mail envelope and the mail session configuration didn't match (#4210), as of this version the sole source for the "From" address is the setting `dataverse.mail.system-email` once you migrate to the new way of configuration. 
+
+List of options added:
+- dataverse.mail.system-email
+- dataverse.mail.mta.host
+- dataverse.mail.mta.port
+- dataverse.mail.mta.ssl.enable
+- dataverse.mail.mta.auth
+- dataverse.mail.mta.user
+- dataverse.mail.mta.password
+- dataverse.mail.mta.allow-utf8-addresses
+- Plus many more for advanced usage and special provider requirements. See [configuration guide for a full list](https://guides.dataverse.org/en/6.2/installation/config.html#dataverse-mail-mta).
\ No newline at end of file
diff --git a/doc/sphinx-guides/source/container/app-image.rst b/doc/sphinx-guides/source/container/app-image.rst
index caf4aadbf7e..e1f5517629d 100644
--- a/doc/sphinx-guides/source/container/app-image.rst
+++ b/doc/sphinx-guides/source/container/app-image.rst
@@ -134,19 +134,6 @@ In addition, the application image provides the following tunables:
 
         1. Simply pick a JVM option from the list and replace any ``.`` with ``_``.
         2. Replace any ``-`` in the option name with ``__``.
-    * - ``DATAVERSE_MAIL_HOST``
-      - ``smtp``
-      - String
-      - A hostname (w/o port!) where to reach a Mail MTA on port 25.
-    * - ``DATAVERSE_MAIL_USER``
-      - ``dataversenotify``
-      - String
-      - A username to use with the Mail MTA
-    * - ``DATAVERSE_MAIL_FROM``
-      - ``dataverse@localhost``
-      - Mail address
-      - The "From" field for all outbound mail. Make sure to set :ref:`systemEmail` to the same value or no mail will
-        be sent.
 
 
 Note that the script ``init_2_configure.sh`` will apply a few very important defaults to enable quick usage
diff --git a/doc/sphinx-guides/source/installation/config.rst b/doc/sphinx-guides/source/installation/config.rst
index 41388f7aa33..207b6acb305 100644
--- a/doc/sphinx-guides/source/installation/config.rst
+++ b/doc/sphinx-guides/source/installation/config.rst
@@ -88,6 +88,51 @@ See the :ref:`payara` section of :doc:`prerequisites` for details and init scrip
 
 Related to this is that you should remove ``/root/.payara/pass`` to ensure that Payara isn't ever accidentally started as root. Without the password, Payara won't be able to start as root, which is a good thing.
 
+.. _secure-password-storage:
+
+Secure Password Storage
+^^^^^^^^^^^^^^^^^^^^^^^
+
+In development or demo scenarios, we suggest not to store passwords in files permanently.
+We recommend the use of at least environment variables or production-grade mechanisms to supply passwords.
+
+In a production setup, permanently storing passwords as plaintext should be avoided at all cost.
+Environment variables are dangerous in shared environments and containers, as they may be easily exploited; we suggest not to use them.
+Depending on your deployment model and environment, you can make use of the following techniques to securely store and access passwords.
+
+**Password Aliases**
+
+A `password alias`_ allows you to have a plaintext reference to an encrypted password stored on the server, with the alias being used wherever the password is needed.
+This method is especially useful in a classic deployment, as it does not require any external secrets management.
+
+Password aliases are consumable as a MicroProfile Config source and can be referrenced by their name in a `property expression`_.
+You may also reference them within a `variable substitution`_, e.g. in your ``domain.xml``.
+
+Creation example for an alias named *my.alias.name*:
+
+.. code-block:: shell
+
+  echo "AS_ADMIN_ALIASPASSWORD=changeme" > /tmp/p.txt
+  asadmin create-password-alias --passwordfile "/tmp/p.txt" "my.alias.name"
+  rm /tmp/p.txt
+
+Note: omitting the ``--passwordfile`` parameter allows creating the alias in an interactive fashion with a prompt.
+
+**Secrets Files**
+
+Payara has a builtin MicroProfile Config source to consume values from files in a directory on your filesystem.
+This `directory config source`_ is most useful and secure with external secrets management in place, temporarily mounting cleartext passwords as files.
+Examples are Kubernetes / OpenShift `Secrets <https://kubernetes.io/docs/concepts/configuration/secret/>`_ or tools like `Vault Agent <https://developer.hashicorp.com/vault/docs/agent-and-proxy/agent>`_.
+
+Please follow the `directory config source`_ documentation to learn about its usage.
+
+**Cloud Providers**
+
+Running Dataverse on a cloud platform or running an external secret management system like `Vault <https://developer.hashicorp.com/vault>`_ enables accessing secrets without any intermediate storage of cleartext.
+Obviously this is the most secure option for any deployment model, but it may require more resources to set up and maintain - your mileage may vary.
+
+Take a look at `cloud sources`_ shipped with Payara to learn about their usage.
+
 Enforce Strong Passwords for User Accounts
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
@@ -673,6 +718,20 @@ To enable bearer tokens, you must install and configure Keycloak (for now, see :
 
 You can test that bearer tokens are working by following the example under :ref:`bearer-tokens` in the API Guide.
 
+.. _smtp-config:
+
+SMTP/Email Configuration
+------------------------
+
+The installer prompts you for some basic options to configure Dataverse to send email using your SMTP server, but in many cases, extra configuration may be necessary.
+
+Make sure the :ref:`dataverse.mail.system-email` has been set. Email will not be sent without it. A hint will be logged about this fact.
+If you want to separate system email from your support team's email, take a look at :ref:`dataverse.mail.support-email`.
+
+Then check the list of commonly used settings at the top of :ref:`dataverse.mail.mta`.
+
+If you have trouble, consider turning on debugging with :ref:`dataverse.mail.debug`.
+
 .. _database-persistence:
 
 Database Persistence
@@ -688,16 +747,8 @@ Basic Database Settings
 1. Any of these settings can be set via system properties (see :ref:`jvm-options` starting at :ref:`dataverse.db.name`), environment variables or other
    MicroProfile Config mechanisms supported by the app server.
    `See Payara docs for supported sources <https://docs.payara.fish/community/docs/documentation/microprofile/config/README.html#config-sources>`_.
-2. Remember to protect your secrets. For passwords, use an environment variable (bare minimum), a password alias named the same
-   as the key (OK) or use the "dir config source" of Payara (best).
-
-   Alias creation example:
-
-   .. code-block:: shell
-
-      echo "AS_ADMIN_ALIASPASSWORD=changeme" > /tmp/p.txt
-      asadmin create-password-alias --passwordfile /tmp/p.txt dataverse.db.password
-      rm /tmp/p.txt
+2. Remember to protect your secrets.
+   See :ref:`secure-password-storage` for more information.
 
 3. Environment variables follow the key, replacing any dot, colon, dash, etc. into an underscore "_" and all uppercase
    letters. Example: ``dataverse.db.host`` -> ``DATAVERSE_DB_HOST``
@@ -926,6 +977,8 @@ Then create a password alias by running (without changes):
 
 The second command will trigger an interactive prompt asking you to input your Swift password.
 
+Note: you may choose a different way to secure this password, depending on your use case. See :ref:`secure-password-storage` for more options.
+
 Second, update the JVM option ``dataverse.files.storage-driver-id`` by running the delete command:
 
 ``./asadmin $ASADMIN_OPTS delete-jvm-options "\-Ddataverse.files.storage-driver-id=file"``
@@ -1195,9 +1248,8 @@ Optionally, you may provide static credentials for each S3 storage using MicroPr
 You may provide the values for these via any `supported MicroProfile Config API source`_.
 
 **WARNING:**
-
 *For security, do not use the sources "environment variable" or "system property" (JVM option) in a production context!*
-*Rely on password alias, secrets directory or cloud based sources instead!*
+*Rely on password alias, secrets directory or cloud based sources as described at* :ref:`secure-password-storage` *instead!*
 
 **NOTE:**
 
@@ -2296,15 +2348,9 @@ dataverse.db.password
 
 The PostgreSQL users password to connect with.
 
-Preferrably use a JVM alias, as passwords in environment variables aren't safe.
+See :ref:`secure-password-storage` to learn about options to securely store this password.
 
-.. code-block:: shell
-
-  echo "AS_ADMIN_ALIASPASSWORD=change-me-super-secret" > /tmp/password.txt
-  asadmin create-password-alias --passwordfile /tmp/password.txt dataverse.db.password
-  rm /tmp/password.txt
-
-Can also be set via *MicroProfile Config API* sources, e.g. the environment variable ``DATAVERSE_DB_PASSWORD``.
+Can also be set via *MicroProfile Config API* sources, e.g. the environment variable ``DATAVERSE_DB_PASSWORD`` (although you shouldn't use environment variables for passwords).
 
 dataverse.db.host
 +++++++++++++++++
@@ -2551,14 +2597,7 @@ Once you have a username from DataCite, you can enter it like this:
 Legacy Single PID Provider: dataverse.pid.datacite.password
 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
-Once you have a password from your provider, you should create a password alias.
-This avoids storing it in clear text, although you could use a JVM option `to reference
-a different place <https://docs.payara.fish/community/docs/Technical%20Documentation/Payara%20Server%20Documentation/Server%20Configuration%20And%20Management/Configuration%20Options/Variable%20Substitution/Types%20of%20Variables.html>`__.
-
-``./asadmin create-password-alias dataverse.pid.datacite.password``
-
-It will allow you to enter the password while not echoing the characters.
-To manage these, read up on `Payara docs about password aliases <https://docs.payara.fish/community/docs/Technical%20Documentation/Payara%20Server%20Documentation/Server%20Configuration%20And%20Management/Configuration%20Options/Password%20Aliases.html#asadmin-commands-password-aliases>`__.
+Once you have a password from your provider, you should create a password alias called *dataverse.pid.datacite.password* or use another method described at :ref:`secure-password-storage` to safeguard it.
 
 **Notes:**
 
@@ -2569,7 +2608,7 @@ To manage these, read up on `Payara docs about password aliases <https://docs.pa
   environment variables for passwords).
 - This setting was formerly known as ``doi.password`` and has been renamed.
   You should delete the old JVM option and the wrapped password alias, then recreate
-  with new alias name as above.
+  as described above.
 
 
 
@@ -2603,6 +2642,7 @@ Legacy Single PID Provider: dataverse.pid.handlenet.key.passphrase
 Related to :ref:`Handle.Net PID provider usage <pids-handle-configuration>`.
 
 Provide a passphrase to decrypt the :ref:`private key file <dataverse.pid.handlenet.key.path>`.
+See :ref:`secure-password-storage` for ways to do this securely.
 
 The key file may (and should) be encrypted with a passphrase (used for
 encryption with AES-128). See also chapter 1.4 "Authentication" of the
@@ -2610,10 +2650,10 @@ encryption with AES-128). See also chapter 1.4 "Authentication" of the
 
 Can also be set via *MicroProfile Config API* sources, e.g. the environment
 variable ``DATAVERSE_PID_HANDLENET_KEY_PASSPHRASE`` (although you shouldn't use
-environment variables for passwords). This setting was formerly known as
-``dataverse.handlenet.admprivphrase`` and has been renamed. You should delete
-the old JVM option and the wrapped password alias, then recreate as shown for
-:ref:`dataverse.pid.datacite.password` but with this option as alias name.
+environment variables for passwords).
+
+This setting was formerly known as ``dataverse.handlenet.admprivphrase`` and has been renamed.
+You should delete the old JVM option and the wrapped password alias, then recreate as shown for :ref:`dataverse.pid.datacite.password` but with this option as alias name.
 
 
 .. _dataverse.pid.handlenet.index:
@@ -2807,20 +2847,11 @@ The key used to sign a URL is created from the API token of the creating user pl
 signature-secret makes it impossible for someone who knows an API token from forging signed URLs and provides extra security by 
 making the overall signing key longer.
 
-Since the signature-secret is sensitive, you should treat it like a password. Here is an example how to set your shared secret 
-with the secure method "password alias":
-
-.. code-block:: shell
-
-  echo "AS_ADMIN_ALIASPASSWORD=change-me-super-secret" > /tmp/password.txt
-  asadmin create-password-alias --passwordfile /tmp/password.txt dataverse.api.signature-secret
-  rm /tmp/password.txt
-
-Can also be set via any `supported MicroProfile Config API source`_, e.g. the environment variable
-``DATAVERSE_API_SIGNATURE_SECRET``.
+**WARNING**:
+*Since the signature-secret is sensitive, you should treat it like a password.*
+*See* :ref:`secure-password-storage` *to learn about ways to safeguard it.*
 
-**WARNING:** For security, do not use the sources "environment variable" or "system property" (JVM option) in a
-production context! Rely on password alias, secrets directory or cloud based sources instead!
+Can also be set via any `supported MicroProfile Config API source`_, e.g. the environment variable ``DATAVERSE_API_SIGNATURE_SECRET`` (although you shouldn't use environment variables for passwords) .
 
 .. _dataverse.api.allow-incomplete-metadata:
 
@@ -2853,27 +2884,174 @@ See :ref:`discovery-sign-posting` for details.
 
 Can also be set via any `supported MicroProfile Config API source`_, e.g. the environment variable ``DATAVERSE_SIGNPOSTING_LEVEL1_ITEM_LIMIT``.
 
+.. _systemEmail:
+.. _dataverse.mail.system-email:
+
+dataverse.mail.system-email
++++++++++++++++++++++++++++
+
+This is the email address that "system" emails are sent from such as password reset links, notifications, etc.
+It replaces the database setting :ref:`legacySystemEmail` since Dataverse 6.2.
+
+**WARNING**: Your Dataverse installation will not send mail without this setting in place.
+
+Note that only the email address is required, which you can supply without the ``<`` and ``>`` signs, but if you include the text, it's the way to customize the name of your support team, which appears in the "from" address in emails as well as in help text in the UI.
+If you don't include the text, the installation name (see :ref:`Branding Your Installation`) will appear in the "from" address.
+In case you want your system email address to of no-reply style, have a look at :ref:`dataverse.mail.support-email` setting, too.
+
+Please note that if you're having any trouble sending email, you can refer to "Troubleshooting" under :doc:`installation-main`.
+
+Can also be set via any `supported MicroProfile Config API source`_, e.g. the environment variable ``DATAVERSE_MAIL_SYSTEM_EMAIL``.
+
+See also :ref:`smtp-config`.
+
+.. _dataverse.mail.support-email:
+
 dataverse.mail.support-email
 ++++++++++++++++++++++++++++
 
-This provides an email address distinct from the :ref:`systemEmail` that will be used as the email address for Contact Forms and Feedback API. This address is used as the To address when the Contact form is launched from the Support entry in the top navigation bar and, if configured via :ref:`dataverse.mail.cc-support-on-contact-email`, as a CC address when the form is launched from a Dataverse/Dataset Contact button.
-This allows configuration of a no-reply email address for :ref:`systemEmail` while allowing feedback to go to/be cc'd to the support email address, which would normally accept replies. If not set, the :ref:`systemEmail` is used for the feedback API/contact form email.
+This provides an email address distinct from the :ref:`systemEmail` that will be used as the email address for Contact Forms and Feedback API.
+This address is used as the To address when the Contact form is launched from the Support entry in the top navigation bar and, if configured via :ref:`dataverse.mail.cc-support-on-contact-email`, as a CC address when the form is launched from a Dataverse/Dataset Contact button.
+This allows configuration of a no-reply email address for :ref:`systemEmail` while allowing feedback to go to/be cc'd to the support email address, which would normally accept replies.
+If not set, the :ref:`systemEmail` is used for the feedback API/contact form email.
 
-Note that only the email address is required, which you can supply without the ``<`` and ``>`` signs, but if you include the text, it's the way to customize the name of your support team, which appears in the "from" address in emails as well as in help text in the UI. If you don't include the text, the installation name (see :ref:`Branding Your Installation`) will appear in the "from" address.
+Note that only the email address is required, which you can supply without the ``<`` and ``>`` signs, but if you include the text, it's the way to customize the name of your support team, which appears in the "from" address in emails as well as in help text in the UI.
+If you don't include the text, the installation name (see :ref:`Branding Your Installation`) will appear in the "from" address.
 
 Can also be set via any `supported MicroProfile Config API source`_, e.g. the environment variable ``DATAVERSE_MAIL_SUPPORT_EMAIL``.
 
+See also :ref:`smtp-config`.
+
 .. _dataverse.mail.cc-support-on-contact-email:
 
 dataverse.mail.cc-support-on-contact-email
 ++++++++++++++++++++++++++++++++++++++++++
 
-If this setting is true, the contact forms and feedback API will cc the system (:SupportEmail if set, :SystemEmail if not) when sending email to the collection, dataset, or datafile contacts.
+If this boolean setting is true, the contact forms and feedback API will cc the system (``dataverse.mail.support-mail`` if set, ``dataverse.mail.system-email`` if not) when sending email to the collection, dataset, or datafile contacts.
 A CC line is added to the contact form when this setting is true so that users are aware that the cc will occur.
 The default is false.
 
 Can also be set via *MicroProfile Config API* sources, e.g. the environment variable ``DATAVERSE_MAIL_CC_SUPPORT_ON_CONTACT_EMAIL``.
 
+See also :ref:`smtp-config`.
+
+.. _dataverse.mail.debug:
+
+dataverse.mail.debug
+++++++++++++++++++++
+
+When this boolean setting is true, sending an email will generate more verbose logging, enabling you to analyze mail delivery malfunctions.
+Defaults to ``false``.
+
+Can also be set via *MicroProfile Config API* sources, e.g. the environment variable ``DATAVERSE_MAIL_DEBUG``.
+
+See also :ref:`smtp-config`.
+
+.. _dataverse.mail.mta:
+
+dataverse.mail.mta.*
+++++++++++++++++++++
+
+The following options allow you to configure a target Mail Transfer Agent (MTA) to be used for sending emails to users.
+Be advised: as the mail server connection (session) is cached once created, you need to restart Payara when applying configuration changes.
+
+All can also be set via any `supported MicroProfile Config API source`_, e.g. the environment variable ``DATAVERSE_MAIL_MTA_HOST``.
+(For environment variables: simply replace "." and "-" with "_" and write as all caps.)
+
+The following table describes the most important settings commonly used.
+
+.. list-table::
+    :widths: 15 60 25
+    :header-rows: 1
+    :align: left
+
+    * - Setting Key
+      - Description
+      - Default Value
+    * - ``dataverse.mail.mta.host``
+      - The SMTP server to connect to.
+      - *No default*
+    * - ``dataverse.mail.mta.port``
+      - The SMTP server port to connect to. (Common are ``25`` for plain, ``587`` for SSL, ``465`` for legacy SSL)
+      - ``25``
+    * - ``dataverse.mail.mta.ssl.enable``
+      - Enable if your mail provider uses SSL.
+      - ``false``
+    * - ``dataverse.mail.mta.auth``
+      - If ``true``, attempt to authenticate the user using the AUTH command.
+      - ``false``
+    * - ``dataverse.mail.mta.user``
+      - The username to use in an AUTH command.
+      - *No default*
+    * - ``dataverse.mail.mta.password``
+      - The password to use in an AUTH command. (Might be a token when using XOAUTH2 mechanism)
+      - *No default*
+    * - ``dataverse.mail.mta.allow-utf8-addresses``
+      - If set to ``true``, UTF-8 strings are allowed in message headers, e.g., in addresses.
+        This should only be set if the mail server also supports UTF-8.
+        (Quoted from `Jakarta Mail Javadoc <https://jakarta.ee/specifications/mail/2.1/apidocs/jakarta.mail/jakarta/mail/internet/package-summary>`_)
+        Setting to ``false`` will also make mail address validation in UI/API fail on UTF-8 chars.
+      - ``true``
+
+**WARNING**:
+*For security of your password use only safe ways to store and access it.*
+*See* :ref:`secure-password-storage` *to learn about your options.*
+
+Find below a list of even more options you can use to configure sending mails.
+Detailed description for every setting can be found in the table included within the `Jakarta Mail Documentation <https://eclipse-ee4j.github.io/angus-mail/docs/api/org.eclipse.angus.mail/org/eclipse/angus/mail/smtp/package-summary.html>`_.
+(Simply replace ``dataverse.mail.mta.`` with ``mail.smtp.``.)
+
+* Timeouts:
+    ``dataverse.mail.mta.connectiontimeout``,
+    ``dataverse.mail.mta.timeout``,
+    ``dataverse.mail.mta.writetimeout``
+* SSL/TLS:
+    ``dataverse.mail.mta.starttls.enable``,
+    ``dataverse.mail.mta.starttls.required``,
+    ``dataverse.mail.mta.ssl.checkserveridentity``,
+    ``dataverse.mail.mta.ssl.trust``,
+    ``dataverse.mail.mta.ssl.protocols``,
+    ``dataverse.mail.mta.ssl.ciphersuites``
+* Proxy Connection:
+    ``dataverse.mail.mta.proxy.host``,
+    ``dataverse.mail.mta.proxy.port``,
+    ``dataverse.mail.mta.proxy.user``,
+    ``dataverse.mail.mta.proxy.password``,
+    ``dataverse.mail.mta.socks.host``,
+    ``dataverse.mail.mta.socks.port``
+* SMTP EHLO command details:
+    ``dataverse.mail.mta.ehlo``,
+    ``dataverse.mail.mta.localhost``,
+    ``dataverse.mail.mta.localaddress``,
+    ``dataverse.mail.mta.localport``
+* Authentication details:
+    ``dataverse.mail.mta.auth.mechanisms``,
+    ``dataverse.mail.mta.auth.login.disable``,
+    ``dataverse.mail.mta.auth.plain.disable``,
+    ``dataverse.mail.mta.auth.digest-md5.disable``,
+    ``dataverse.mail.mta.auth.ntlm.disable``,
+    ``dataverse.mail.mta.auth.xoauth2.disable``,
+    ``dataverse.mail.mta.auth.ntlm.domain``,
+    ``dataverse.mail.mta.auth.ntlm.flag``,
+    ``dataverse.mail.mta.sasl.enable``,
+    ``dataverse.mail.mta.sasl.usecanonicalhostname``,
+    ``dataverse.mail.mta.sasl.mechanisms``,
+    ``dataverse.mail.mta.sasl.authorizationid``,
+    ``dataverse.mail.mta.sasl.realm``
+* Miscellaneous:
+    ``dataverse.mail.mta.allow8bitmime``,
+    ``dataverse.mail.mta.submitter``,
+    ``dataverse.mail.mta.dsn.notify``,
+    ``dataverse.mail.mta.dsn.ret``,
+    ``dataverse.mail.mta.sendpartial``,
+    ``dataverse.mail.mta.quitwait``,
+    ``dataverse.mail.mta.quitonsessionreject``,
+    ``dataverse.mail.mta.userset``,
+    ``dataverse.mail.mta.noop.strict``,
+    ``dataverse.mail.mta.mailextension``
+
+See also :ref:`smtp-config`.
+
 dataverse.ui.allow-review-for-incomplete
 ++++++++++++++++++++++++++++++++++++++++
 
@@ -3096,18 +3274,13 @@ In Dataverse Software 4.7 and lower, the :doc:`/api/search` required an API toke
 
 ``curl -X PUT -d true http://localhost:8080/api/admin/settings/:SearchApiRequiresToken``
 
-.. _systemEmail:
+.. _legacySystemEmail:
 
 :SystemEmail
 ++++++++++++
 
-This is the email address that "system" emails are sent from such as password reset links. Your Dataverse installation will not send mail without this setting in place.
-
-``curl -X PUT -d 'LibraScholar SWAT Team <support@librascholar.edu>' http://localhost:8080/api/admin/settings/:SystemEmail``
-
-Note that only the email address is required, which you can supply without the ``<`` and ``>`` signs, but if you include the text, it's the way to customize the name of your support team, which appears in the "from" address in emails as well as in help text in the UI. If you don't include the text, the installation name (see :ref:`Branding Your Installation`) will appear in the "from" address.
-
-Please note that if you're having any trouble sending email, you can refer to "Troubleshooting" under :doc:`installation-main`.
+Please note that this setting is deprecated since Dataverse 6.2.
+It will be picked up for backward compatibility, but please migrate to usage of :ref:`dataverse.mail.system-email`.
 
 :HomePageCustomizationFile
 ++++++++++++++++++++++++++
@@ -4505,9 +4678,6 @@ A true/false (default) option determining whether the dataset datafile table dis
 
 ``curl -X PUT -d true http://localhost:8080/api/admin/settings/:AllowUserManagementOfOrder``
 
-.. _supported MicroProfile Config API source: https://docs.payara.fish/community/docs/Technical%20Documentation/MicroProfile/Config/Overview.html
-
-
 .. _:UseStorageQuotas:
 
 :UseStorageQuotas
@@ -4543,3 +4713,13 @@ In the following example, calls made by a guest user (tier 0) for API GetLatestP
 {"tier": 0, "limitPerHour": 10, "actions": ["GetLatestPublishedDatasetVersionCommand", "GetPrivateUrlCommand", "GetDatasetCommand", "GetLatestAccessibleDatasetVersionCommand"]},
 {"tier": 0, "limitPerHour": 1, "actions": ["CreateGuestbookResponseCommand", "UpdateDatasetVersionCommand", "DestroyDatasetCommand", "DeleteDataFileCommand", "FinalizeDatasetPublicationCommand", "PublishDatasetCommand"]},
 {"tier": 1, "limitPerHour": 30, "actions": ["CreateGuestbookResponseCommand", "GetLatestPublishedDatasetVersionCommand", "GetPrivateUrlCommand", "GetDatasetCommand", "GetLatestAccessibleDatasetVersionCommand", "UpdateDatasetVersionCommand", "DestroyDatasetCommand", "DeleteDataFileCommand", "FinalizeDatasetPublicationCommand", "PublishDatasetCommand"]}]}
+
+
+
+
+.. _supported MicroProfile Config API source: https://docs.payara.fish/community/docs/Technical%20Documentation/MicroProfile/Config/Overview.html
+.. _password alias: https://docs.payara.fish/community/docs/Technical%20Documentation/Payara%20Server%20Documentation/Server%20Configuration%20And%20Management/Configuration%20Options/Password%20Aliases.html
+.. _variable substitution: https://docs.payara.fish/community/docs/Technical%20Documentation/Payara%20Server%20Documentation/Server%20Configuration%20And%20Management/Configuration%20Options/Variable%20Substitution/Usage%20of%20Variables.html
+.. _property expression: https://download.eclipse.org/microprofile/microprofile-config-3.1/microprofile-config-spec-3.1.html#property-expressions
+.. _directory config source: https://docs.payara.fish/community/docs/Technical%20Documentation/MicroProfile/Config/Directory.html
+.. _cloud sources: https://docs.payara.fish/community/docs/Technical%20Documentation/MicroProfile/Config/Cloud/Overview.html
diff --git a/doc/sphinx-guides/source/installation/installation-main.rst b/doc/sphinx-guides/source/installation/installation-main.rst
index bc51a8e19f5..3c3376e3c85 100755
--- a/doc/sphinx-guides/source/installation/installation-main.rst
+++ b/doc/sphinx-guides/source/installation/installation-main.rst
@@ -141,66 +141,6 @@ Got ERR_ADDRESS_UNREACHABLE While Navigating on Interface or API Calls
 
 If you are receiving an ``ERR_ADDRESS_UNREACHABLE`` while navigating the GUI or making an API call, make sure the ``siteUrl`` JVM option is defined. For details on how to set ``siteUrl``, please refer to :ref:`dataverse.siteUrl` from the :doc:`config` section. For context on why setting this option is necessary, refer to :ref:`dataverse.fqdn` from the :doc:`config` section.
 
-Problems Sending Email
-^^^^^^^^^^^^^^^^^^^^^^
-
-If your Dataverse installation is not sending system emails, you may need to provide authentication for your mail host. First, double check the SMTP server being used with this Payara asadmin command:
-
-``./asadmin get server.resources.mail-resource.mail/notifyMailSession.host``
-
-This should return the DNS of the mail host you configured during or after installation. mail/notifyMailSession is the JavaMail Session that's used to send emails to users. 
-
-If the command returns a host you don't want to use, you can modify your notifyMailSession with the Payara ``asadmin set`` command with necessary options (`click here for the manual page <https://docs.oracle.com/cd/E18930_01/html/821-2433/set-1.html>`_), or via the admin console at http://localhost:4848 with your domain running. 
-
-If your mail host requires a username/password for access, continue to the next section.
-
-Mail Host Configuration & Authentication
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-If you need to alter your mail host address, user, or provide a password to connect with, these settings are easily changed in the Payara admin console or via command line. 
-
-For the Payara console, load a browser with your domain online, navigate to http://localhost:4848 and on the side panel find JavaMail Sessions. By default, the Dataverse Software uses a session named mail/notifyMailSession for routing outgoing emails. Click this mail session in the window to modify it.
-
-When fine tuning your JavaMail Session, there are a number of fields you can edit. The most important are:
-
-+ **Mail Host:** Desired mail host’s DNS address (e.g. smtp.gmail.com)
-+ **Default User:** Username mail host will recognize (e.g. user\@gmail.com)
-+ **Default Sender Address:** Email address that your Dataverse installation will send mail from
-
-Depending on the SMTP server you're using, you may need to add additional properties at the bottom of the page (below "Advanced").
-
-From the "Add Properties" utility at the bottom, use the “Add Property” button for each entry you need, and include the name / corresponding value as needed. Descriptions are optional, but can be used for your own organizational needs. 
-
-**Note:** These properties are just an example. You may need different/more/fewer properties all depending on the SMTP server you’re using.
-
-==============================	==============================
-			Name 							Value
-==============================	==============================
-mail.smtp.auth					true
-mail.smtp.password				[Default User password*]
-mail.smtp.port					[Port number to route through]
-==============================	==============================
-
-**\*WARNING**: Entering a password here will *not* conceal it on-screen. It’s recommended to use an *app password* (for smtp.gmail.com users) or utilize a dedicated/non-personal user account with SMTP server auths so that you do not risk compromising your password.
-
-If your installation’s mail host uses SSL (like smtp.gmail.com) you’ll need these name/value pair properties in place:
-
-======================================	==============================
-				Name 								Value
-======================================	==============================
-mail.smtp.socketFactory.port			465
-mail.smtp.port							465
-mail.smtp.socketFactory.fallback		false
-mail.smtp.socketFactory.class			javax.net.ssl.SSLSocketFactory
-======================================	==============================
-
-The mail session can also be set from command line. To use this method, you will need to delete your notifyMailSession and create a new one. See the below example:
-
-- Delete: ``./asadmin delete-javamail-resource mail/notifyMailSession``
-- Create (remove brackets and replace the variables inside): ``./asadmin create-javamail-resource --mailhost [smtp.gmail.com] --mailuser [test\@test\.com] --fromaddress [test\@test\.com] --property mail.smtp.auth=[true]:mail.smtp.password=[password]:mail.smtp.port=[465]:mail.smtp.socketFactory.port=[465]:mail.smtp.socketFactory.fallback=[false]:mail.smtp.socketFactory.class=[javax.net.ssl.SSLSocketFactory] mail/notifyMailSession``
-
-Be sure you save the changes made here and then restart your Payara server to test it out.
-
 UnknownHostException While Deploying
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
diff --git a/docker-compose-dev.yml b/docker-compose-dev.yml
index 6c56b5a3d6e..402a95c0e16 100644
--- a/docker-compose-dev.yml
+++ b/docker-compose-dev.yml
@@ -17,6 +17,8 @@ services:
       SKIP_DEPLOY: "${SKIP_DEPLOY}"
       DATAVERSE_JSF_REFRESH_PERIOD: "1"
       DATAVERSE_FEATURE_API_BEARER_AUTH: "1"
+      DATAVERSE_MAIL_SYSTEM_EMAIL: "dataverse@localhost"
+      DATAVERSE_MAIL_MTA_HOST: "smtp"
       DATAVERSE_AUTH_OIDC_ENABLED: "1"
       DATAVERSE_AUTH_OIDC_CLIENT_ID: test
       DATAVERSE_AUTH_OIDC_CLIENT_SECRET: 94XHrfNRwXsjqTqApRrwWmhDLDHpIYV8
diff --git a/docker/compose/demo/compose.yml b/docker/compose/demo/compose.yml
index 8f1af3e396b..6c2bdcf79a4 100644
--- a/docker/compose/demo/compose.yml
+++ b/docker/compose/demo/compose.yml
@@ -14,6 +14,8 @@ services:
       DATAVERSE_DB_PASSWORD: secret
       DATAVERSE_DB_USER: dataverse
       DATAVERSE_FEATURE_API_BEARER_AUTH: "1"
+      DATAVERSE_MAIL_SYSTEM_EMAIL: "Demo Dataverse <dataverse@example.org>"
+      DATAVERSE_MAIL_MTA_HOST: "smtp"
       JVM_ARGS: -Ddataverse.files.storage-driver-id=file1
         -Ddataverse.files.file1.type=file
         -Ddataverse.files.file1.label=Filesystem
diff --git a/modules/container-configbaker/scripts/bootstrap/dev/init.sh b/modules/container-configbaker/scripts/bootstrap/dev/init.sh
index efdaee3d0c3..f8770436652 100644
--- a/modules/container-configbaker/scripts/bootstrap/dev/init.sh
+++ b/modules/container-configbaker/scripts/bootstrap/dev/init.sh
@@ -9,9 +9,6 @@ export DATAVERSE_URL
 echo "Running base setup-all.sh (INSECURE MODE)..."
 "${BOOTSTRAP_DIR}"/base/setup-all.sh --insecure -p=admin1 | tee /tmp/setup-all.sh.out
 
-echo "Setting system mail address..."
-curl -X PUT -d "dataverse@localhost" "${DATAVERSE_URL}/api/admin/settings/:SystemEmail"
-
 echo "Setting DOI provider to \"FAKE\"..."
 curl "${DATAVERSE_URL}/api/admin/settings/:DoiProvider" -X PUT -d FAKE
 
diff --git a/modules/dataverse-parent/pom.xml b/modules/dataverse-parent/pom.xml
index fd176c2fd80..1a538905a8d 100644
--- a/modules/dataverse-parent/pom.xml
+++ b/modules/dataverse-parent/pom.xml
@@ -168,11 +168,11 @@
         <gdcc.xoai.version>5.2.0</gdcc.xoai.version>
     
         <!-- Testing dependencies -->
-        <testcontainers.version>1.19.0</testcontainers.version>
-        <smallrye-mpconfig.version>2.10.1</smallrye-mpconfig.version>
-        <junit.jupiter.version>5.10.0</junit.jupiter.version>
-        <mockito.version>5.4.0</mockito.version>
-        <maven-jacoco-plugin.version>0.8.10</maven-jacoco-plugin.version>
+        <testcontainers.version>1.19.7</testcontainers.version>
+        <smallrye-mpconfig.version>3.7.1</smallrye-mpconfig.version>
+        <junit.jupiter.version>5.10.2</junit.jupiter.version>
+        <mockito.version>5.11.0</mockito.version>
+        <maven-jacoco-plugin.version>0.8.11</maven-jacoco-plugin.version>
         
         <checkstyle.version>9.3</checkstyle.version>
         
@@ -182,8 +182,8 @@
         <maven-war-plugin.version>3.3.2</maven-war-plugin.version>
         <maven-dependency-plugin.version>3.5.0</maven-dependency-plugin.version>
         <maven-install-plugin.version>3.1.1</maven-install-plugin.version>
-        <maven-surefire-plugin.version>3.1.0</maven-surefire-plugin.version>
-        <maven-failsafe-plugin.version>3.1.0</maven-failsafe-plugin.version>
+        <maven-surefire-plugin.version>3.2.5</maven-surefire-plugin.version>
+        <maven-failsafe-plugin.version>3.2.5</maven-failsafe-plugin.version>
         <maven-assembly-plugin.version>3.6.0</maven-assembly-plugin.version>
         <maven-resources-plugin.version>3.3.1</maven-resources-plugin.version>
         <maven-release-plugin.version>3.0.0-M7</maven-release-plugin.version>
diff --git a/pom.xml b/pom.xml
index f736f04cf32..4b660e23ef5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -51,6 +51,17 @@
                 <artifactId>abdera-i18n</artifactId>
                 <version>1.1.3</version>
             </dependency>
+            <dependency>
+                <groupId>org.apache.abdera</groupId>
+                <artifactId>abdera-parser</artifactId>
+                <version>1.1.3</version>
+                <exclusions>
+                    <exclusion>
+                        <groupId>org.apache.geronimo.specs</groupId>
+                        <artifactId>geronimo-javamail_1.4_spec</artifactId>
+                    </exclusion>
+                </exclusions>
+            </dependency>
         </dependencies>
     </dependencyManagement>
     <!-- Declare any DIRECT dependencies here.
@@ -703,6 +714,7 @@
                     <include>**/firstNames/*.*</include>
                     <include>**/*.xsl</include>
                     <include>**/services/*</include>
+                    <include>**/*.map</include>
                 </includes>
             </resource>
             <resource>
diff --git a/scripts/installer/as-setup.sh b/scripts/installer/as-setup.sh
index c89bcb4ff4d..34deddf51a3 100755
--- a/scripts/installer/as-setup.sh
+++ b/scripts/installer/as-setup.sh
@@ -147,12 +147,10 @@ function final_setup(){
 	# delete any existing mail/notifyMailSession; configure port, if provided:
 
 	./asadmin delete-javamail-resource mail/notifyMailSession
-
-	if [ $SMTP_SERVER_PORT"x" != "x" ]
-	then
-            ./asadmin $ASADMIN_OPTS create-javamail-resource --mailhost "$SMTP_SERVER" --mailuser "dataversenotify" --fromaddress "do-not-reply@${HOST_ADDRESS}" --property mail.smtp.port="${SMTP_SERVER_PORT}" mail/notifyMailSession
-	else
-	    ./asadmin $ASADMIN_OPTS create-javamail-resource --mailhost "$SMTP_SERVER" --mailuser "dataversenotify" --fromaddress "do-not-reply@${HOST_ADDRESS}" mail/notifyMailSession
+	./asadmin $ASADMIN_OPTS create-system-properties "dataverse.mail.system-email='${ADMIN_EMAIL}'"
+  ./asadmin $ASADMIN_OPTS create-system-properties "dataverse.mail.mta.host='${SMTP_SERVER}'"
+	if [ "x${SMTP_SERVER_PORT}" != "x" ]; then
+    ./asadmin $ASADMIN_OPTS create-system-properties "dataverse.mail.mta.port='${SMTP_SERVER_PORT}'"
 	fi
 
 }
@@ -280,6 +278,12 @@ if [ ! -d "$DOMAIN_DIR" ]
     exit 2
 fi
 
+if [ -z "$ADMIN_EMAIL" ]
+ then
+  echo "You must specify the system admin email address (ADMIN_EMAIL)."
+  exit 1
+fi
+
 echo "Setting up your app. server (Payara) to support Dataverse"
 echo "Payara directory: "$GLASSFISH_ROOT
 echo "Domain directory:    "$DOMAIN_DIR
diff --git a/scripts/installer/install.py b/scripts/installer/install.py
index 99316efb83b..005fbad46e0 100644
--- a/scripts/installer/install.py
+++ b/scripts/installer/install.py
@@ -568,14 +568,6 @@
 except:
    sys.exit("Failure to execute setup-all.sh! aborting.")
 
-# 7b. configure admin email in the application settings
-print("configuring system email address...")
-returnCode = subprocess.call(["curl", "-X", "PUT", "-d", adminEmail, apiUrl+"/admin/settings/:SystemEmail"])
-if returnCode != 0:
-   print("\nWARNING: failed to configure the admin email in the Dataverse settings!")
-else:
-   print("\ndone.")
-
 # 8c. configure remote Solr location, if specified
 if solrLocation != "LOCAL":
    print("configuring remote Solr location... ("+solrLocation+")")
diff --git a/scripts/installer/installAppServer.py b/scripts/installer/installAppServer.py
index 698f5ba9a58..7636490c583 100644
--- a/scripts/installer/installAppServer.py
+++ b/scripts/installer/installAppServer.py
@@ -6,8 +6,9 @@ def runAsadminScript(config):
    # commands to set up all the app. server (payara6) components for the application.
    # All the parameters must be passed to that script as environmental                                          
    # variables:
-   os.environ['GLASSFISH_DOMAIN'] = "domain1";
-   os.environ['ASADMIN_OPTS'] = "";
+   os.environ['GLASSFISH_DOMAIN'] = "domain1"
+   os.environ['ASADMIN_OPTS'] = ""
+   os.environ['ADMIN_EMAIL'] = config.get('system','ADMIN_EMAIL')
 
    os.environ['HOST_ADDRESS'] = config.get('glassfish','HOST_DNS_ADDRESS')
    os.environ['GLASSFISH_ROOT'] = config.get('glassfish','GLASSFISH_DIRECTORY')
diff --git a/src/main/docker/scripts/init_2_configure.sh b/src/main/docker/scripts/init_2_configure.sh
index a98f08088c1..b31cfac37b7 100755
--- a/src/main/docker/scripts/init_2_configure.sh
+++ b/src/main/docker/scripts/init_2_configure.sh
@@ -31,10 +31,6 @@ echo "# Dataverse postboot configuration for Payara" > "${DV_POSTBOOT}"
 #       EE 8 code annotations or at least glassfish-resources.xml
 # NOTE: postboot commands is not multi-line capable, thus spaghetti needed.
 
-# JavaMail
-echo "INFO: Defining JavaMail."
-echo "create-javamail-resource --mailhost=${DATAVERSE_MAIL_HOST:-smtp} --mailuser=${DATAVERSE_MAIL_USER:-dataversenotify} --fromaddress=${DATAVERSE_MAIL_FROM:-dataverse@localhost} mail/notifyMailSession" >> "${DV_POSTBOOT}"
-
 # 3. Domain based configuration options
 # Set Dataverse environment variables
 echo "INFO: Defining system properties for Dataverse configuration options."
diff --git a/src/main/java/edu/harvard/iq/dataverse/MailServiceBean.java b/src/main/java/edu/harvard/iq/dataverse/MailServiceBean.java
index 4b591d240bd..1eee9c65501 100644
--- a/src/main/java/edu/harvard/iq/dataverse/MailServiceBean.java
+++ b/src/main/java/edu/harvard/iq/dataverse/MailServiceBean.java
@@ -11,6 +11,7 @@
 import edu.harvard.iq.dataverse.branding.BrandingUtil;
 import edu.harvard.iq.dataverse.confirmemail.ConfirmEmailServiceBean;
 import edu.harvard.iq.dataverse.dataset.DatasetUtil;
+import edu.harvard.iq.dataverse.settings.JvmSettings;
 import edu.harvard.iq.dataverse.settings.SettingsServiceBean;
 import edu.harvard.iq.dataverse.settings.SettingsServiceBean.Key;
 import edu.harvard.iq.dataverse.util.BundleUtil;
@@ -24,11 +25,15 @@
 import java.util.Arrays;
 import java.util.Date;
 import java.util.List;
+import java.util.Objects;
+import java.util.Optional;
 import java.util.Set;
+import java.util.logging.Level;
 import java.util.logging.Logger;
-import jakarta.annotation.Resource;
 import jakarta.ejb.EJB;
 import jakarta.ejb.Stateless;
+import jakarta.inject.Inject;
+import jakarta.inject.Named;
 import jakarta.mail.Address;
 import jakarta.mail.Message;
 import jakarta.mail.MessagingException;
@@ -78,77 +83,133 @@ public class MailServiceBean implements java.io.Serializable {
      */
     public MailServiceBean() {
     }
+    
+    /**
+     * Creates a new instance of MailServiceBean with explicit injection, as used during testing.
+     */
+    public MailServiceBean(Session session, SettingsServiceBean settingsService) {
+        this.session = session;
+        this.settingsService = settingsService;
+    }
 
-    @Resource(name = "mail/notifyMailSession")
+    @Inject
+    @Named("mail/systemSession")
     private Session session;
 
     public boolean sendSystemEmail(String to, String subject, String messageText) {
         return sendSystemEmail(to, subject, messageText, false);
     }
-
+    
+    /**
+     * Send a system notification to one or multiple recipients by email.
+     * Will skip sending when {@link #getSystemAddress()} doesn't return a configured "from" address.
+     * @param to A comma separated list of one or multiple recipients' addresses. May contain a "personal name" and
+     *           the recipients address in &lt;&gt;. See also {@link InternetAddress}.
+     * @param subject The message's subject
+     * @param messageText The message's text
+     * @param isHtmlContent Determine if the message text is formatted using HTML or plain text.
+     * @return Status: true if sent successfully, false otherwise
+     */
     public boolean sendSystemEmail(String to, String subject, String messageText, boolean isHtmlContent) {
+        Optional<InternetAddress> optionalAddress = getSystemAddress();
+        if (optionalAddress.isEmpty()) {
+            logger.fine(() -> "Skipping sending mail to " + to + ", because no system address has been set.");
+            return false;
+        }
+        InternetAddress systemAddress = optionalAddress.get();
 
-        boolean sent = false;
-        InternetAddress systemAddress = getSystemAddress(); 
-
-        String body = messageText
-                + (isHtmlContent ? BundleUtil.getStringFromBundle("notification.email.closing.html", Arrays.asList(BrandingUtil.getSupportTeamEmailAddress(systemAddress), BrandingUtil.getSupportTeamName(systemAddress)))
-                        : BundleUtil.getStringFromBundle("notification.email.closing", Arrays.asList(BrandingUtil.getSupportTeamEmailAddress(systemAddress), BrandingUtil.getSupportTeamName(systemAddress))));
+        String body = messageText +
+            BundleUtil.getStringFromBundle(isHtmlContent ? "notification.email.closing.html" : "notification.email.closing",
+                List.of(BrandingUtil.getSupportTeamEmailAddress(systemAddress), BrandingUtil.getSupportTeamName(systemAddress)));
 
-        logger.fine("Sending email to " + to + ". Subject: <<<" + subject + ">>>. Body: " + body);
+        logger.fine(() -> "Sending email to %s. Subject: <<<%s>>>. Body: %s".formatted(to, subject, body));
         try {
+            // Since JavaMail 1.6, we have support for UTF-8 mail addresses and do not need to handle these ourselves.
+            InternetAddress[] recipients = InternetAddress.parse(to);
+            
             MimeMessage msg = new MimeMessage(session);
-            if (systemAddress != null) {
-                msg.setFrom(systemAddress);
-                msg.setSentDate(new Date());
-                String[] recipientStrings = to.split(",");
-                InternetAddress[] recipients = new InternetAddress[recipientStrings.length];
-                for (int i = 0; i < recipients.length; i++) {
-                    try {
-                        recipients[i] = new InternetAddress(recipientStrings[i], "", charset);
-                    } catch (UnsupportedEncodingException ex) {
-                        logger.severe(ex.getMessage());
-                    }
-                }
-                msg.setRecipients(Message.RecipientType.TO, recipients);
-                msg.setSubject(subject, charset);
-                if (isHtmlContent) {
-                    msg.setText(body, charset, "html");
-                } else {
-                    msg.setText(body, charset);
-                }
-
-                try {
-                    Transport.send(msg, recipients);
-                    sent = true;
-                } catch (MessagingException ssfe) {
-                    logger.warning("Failed to send mail to: " + to);
-                    logger.warning("MessagingException Message: " + ssfe);
-                }
+            msg.setFrom(systemAddress);
+            msg.setSentDate(new Date());
+            msg.setRecipients(Message.RecipientType.TO, recipients);
+            msg.setSubject(subject, charset);
+            if (isHtmlContent) {
+                msg.setText(body, charset, "html");
             } else {
-                logger.fine("Skipping sending mail to " + to + ", because the \"no-reply\" address not set (" + Key.SystemEmail + " setting).");
+                msg.setText(body, charset);
             }
-        } catch (AddressException ae) {
-            logger.warning("Failed to send mail to " + to);
-            ae.printStackTrace(System.out);
-        } catch (MessagingException me) {
-            logger.warning("Failed to send mail to " + to);
-            me.printStackTrace(System.out);
+            
+            Transport.send(msg, recipients);
+            return true;
+        } catch (MessagingException ae) {
+            logger.log(Level.WARNING, "Failed to send mail to %s: %s".formatted(to, ae.getMessage()), ae);
+            logger.info("When UTF-8 characters in recipients: make sure MTA supports it and JVM option " + JvmSettings.MAIL_MTA_SUPPORT_UTF8.getScopedKey() + "=true");
         }
-        return sent;
+        return false;
     }
-
-    public InternetAddress getSystemAddress() {
-       String systemEmail = settingsService.getValueForKey(Key.SystemEmail);
-       return MailUtil.parseSystemAddress(systemEmail);
+    
+    /**
+     * Lookup the system mail address ({@code InternetAddress} may contain personal and actual address).
+     * @return The system mail address or an empty {@code Optional} if not configured.
+     */
+    public Optional<InternetAddress> getSystemAddress() {
+        boolean providedByDB = false;
+        String mailAddress = JvmSettings.SYSTEM_EMAIL.lookupOptional().orElse(null);
+        
+        // Try lookup of (deprecated) database setting only if not configured via MPCONFIG
+        if (mailAddress == null) {
+            mailAddress = settingsService.getValueForKey(Key.SystemEmail);
+            // Encourage people to migrate from deprecated setting
+            if (mailAddress != null) {
+                providedByDB = true;
+                logger.warning("The :SystemMail DB setting has been deprecated, please reconfigure using JVM option " + JvmSettings.SYSTEM_EMAIL.getScopedKey());
+            }
+        }
+        
+        try {
+            // Parse and return.
+            return Optional.of(new InternetAddress(Objects.requireNonNull(mailAddress), true));
+        } catch (AddressException e) {
+            logger.log(Level.WARNING, "Could not parse system mail address '%s' provided by %s: "
+                .formatted(providedByDB ? "DB setting" : "JVM option", mailAddress), e);
+        } catch (NullPointerException e) {
+            // Do not pester the logs - no configuration may mean someone wants to disable mail notifications
+            logger.fine("Could not find a system mail setting in database (key :SystemEmail, deprecated) or JVM option '" + JvmSettings.SYSTEM_EMAIL.getScopedKey() + "'");
+        }
+        // We define the system email address as an optional setting, in case people do not want to enable mail
+        // notifications (like in a development context, but might be useful elsewhere, too).
+        return Optional.empty();
+    }
+    
+    /**
+     * Lookup the support team mail address ({@code InternetAddress} may contain personal and actual address).
+     * Will default to return {@code #getSystemAddress} if not configured.
+     * @return Support team mail address
+     */
+    public Optional<InternetAddress> getSupportAddress() {
+        Optional<String> supportMailAddress = JvmSettings.SUPPORT_EMAIL.lookupOptional();
+        if (supportMailAddress.isPresent()) {
+            try {
+                return Optional.of(new InternetAddress(supportMailAddress.get(), true));
+            } catch (AddressException e) {
+                logger.log(Level.WARNING, "Could not parse support mail address '%s', defaulting to system address: ".formatted(supportMailAddress.get()), e);
+            }
+        }
+        return getSystemAddress();
     }
 
     //@Resource(name="mail/notifyMailSession")
     public void sendMail(String reply, String to, String cc, String subject, String messageText) {
+        Optional<InternetAddress> optionalAddress = getSystemAddress();
+        if (optionalAddress.isEmpty()) {
+            logger.fine(() -> "Skipping sending mail to " + to + ", because no system address has been set.");
+            return;
+        }
+        // Always send from system address to avoid email being blocked
+        InternetAddress fromAddress = optionalAddress.get();
+        
         try {
             MimeMessage msg = new MimeMessage(session);
-            // Always send from system address to avoid email being blocked
-            InternetAddress fromAddress = getSystemAddress();
+            
             try {
                 setContactDelegation(reply, fromAddress);
             } catch (UnsupportedEncodingException ex) {
@@ -511,13 +572,12 @@ public String getMessageTextBasedOnNotification(UserNotification userNotificatio
                 messageText += MessageFormat.format(pattern, paramArrayStatus);
                 return messageText;
             case CREATEACC:
-                InternetAddress systemAddress = getSystemAddress();
                 String accountCreatedMessage = BundleUtil.getStringFromBundle("notification.email.welcome", Arrays.asList(
                         BrandingUtil.getInstallationBrandName(),
                         systemConfig.getGuidesBaseUrl(),
                         systemConfig.getGuidesVersion(),
-                        BrandingUtil.getSupportTeamName(systemAddress),
-                        BrandingUtil.getSupportTeamEmailAddress(systemAddress)
+                        BrandingUtil.getSupportTeamName(getSystemAddress().orElse(null)),
+                        BrandingUtil.getSupportTeamEmailAddress(getSystemAddress().orElse(null))
                 ));
                 String optionalConfirmEmailAddon = confirmEmailService.optionalConfirmEmailAddonMsg(userNotification.getUser());
                 accountCreatedMessage += optionalConfirmEmailAddon;
diff --git a/src/main/java/edu/harvard/iq/dataverse/SendFeedbackDialog.java b/src/main/java/edu/harvard/iq/dataverse/SendFeedbackDialog.java
index 68912969003..5a522eb7e45 100644
--- a/src/main/java/edu/harvard/iq/dataverse/SendFeedbackDialog.java
+++ b/src/main/java/edu/harvard/iq/dataverse/SendFeedbackDialog.java
@@ -7,7 +7,6 @@
 import edu.harvard.iq.dataverse.settings.SettingsServiceBean;
 import edu.harvard.iq.dataverse.util.BundleUtil;
 import edu.harvard.iq.dataverse.util.JsfHelper;
-import edu.harvard.iq.dataverse.util.MailUtil;
 import edu.harvard.iq.dataverse.util.SystemConfig;
 import java.util.Optional;
 import java.util.Random;
@@ -102,8 +101,7 @@ public void initUserInput(ActionEvent ae) {
         op1 = Long.valueOf(random.nextInt(10));
         op2 = Long.valueOf(random.nextInt(10));
         userSum = null;
-        String supportEmail = JvmSettings.SUPPORT_EMAIL.lookupOptional().orElse(settingsService.getValueForKey(SettingsServiceBean.Key.SystemEmail));
-        systemAddress = MailUtil.parseSystemAddress(supportEmail);
+        systemAddress = mailService.getSupportAddress().orElse(null);
     }
 
     public Long getOp1() {
diff --git a/src/main/java/edu/harvard/iq/dataverse/SettingsWrapper.java b/src/main/java/edu/harvard/iq/dataverse/SettingsWrapper.java
index 9cf3f11ef80..91bcc508b78 100644
--- a/src/main/java/edu/harvard/iq/dataverse/SettingsWrapper.java
+++ b/src/main/java/edu/harvard/iq/dataverse/SettingsWrapper.java
@@ -66,6 +66,9 @@ public class SettingsWrapper implements java.io.Serializable {
     
     @EJB
     MetadataBlockServiceBean mdbService;
+    
+    @EJB
+    MailServiceBean mailServiceBean;
 
     private Map<String, String> settingsMap;
     
@@ -401,14 +404,14 @@ public boolean isHTTPUpload(){
     }
     
     public String getSupportTeamName() {
-        String systemEmail = getValueForKey(SettingsServiceBean.Key.SystemEmail);
-        InternetAddress systemAddress = MailUtil.parseSystemAddress(systemEmail);
+        // TODO: should this be replaced with mailServiceBean.getSupportAddress() to expose a configured support team?
+        InternetAddress systemAddress = mailServiceBean.getSystemAddress().orElse(null);
         return BrandingUtil.getSupportTeamName(systemAddress);
     }
     
     public String getSupportTeamEmail() {
-        String systemEmail = getValueForKey(SettingsServiceBean.Key.SystemEmail);
-        InternetAddress systemAddress = MailUtil.parseSystemAddress(systemEmail);        
+        // TODO: should this be replaced with mailServiceBean.getSupportAddress() to expose a configured support team?
+        InternetAddress systemAddress = mailServiceBean.getSystemAddress().orElse(null);
         return BrandingUtil.getSupportTeamEmailAddress(systemAddress) != null ? BrandingUtil.getSupportTeamEmailAddress(systemAddress) : BrandingUtil.getSupportTeamName(systemAddress);
     }
     
diff --git a/src/main/java/edu/harvard/iq/dataverse/api/FeedbackApi.java b/src/main/java/edu/harvard/iq/dataverse/api/FeedbackApi.java
index 8a178f8da62..56c5ca95ce6 100644
--- a/src/main/java/edu/harvard/iq/dataverse/api/FeedbackApi.java
+++ b/src/main/java/edu/harvard/iq/dataverse/api/FeedbackApi.java
@@ -7,9 +7,6 @@
 import edu.harvard.iq.dataverse.branding.BrandingUtil;
 import edu.harvard.iq.dataverse.feedback.Feedback;
 import edu.harvard.iq.dataverse.feedback.FeedbackUtil;
-import edu.harvard.iq.dataverse.settings.JvmSettings;
-import edu.harvard.iq.dataverse.settings.SettingsServiceBean;
-import edu.harvard.iq.dataverse.util.MailUtil;
 
 import jakarta.ejb.EJB;
 import jakarta.json.Json;
@@ -40,7 +37,7 @@ public class FeedbackApi extends AbstractApiBean {
      * user input (e.g. to strip potentially malicious html, etc.)!!!!
      **/
     @POST
-    public Response submitFeedback(JsonObject jsonObject) throws AddressException {
+    public Response submitFeedback(JsonObject jsonObject) {
         JsonNumber jsonNumber = jsonObject.getJsonNumber("targetId");
         DvObject feedbackTarget = null;
         if (jsonNumber != null) {
@@ -51,8 +48,7 @@ public Response submitFeedback(JsonObject jsonObject) throws AddressException {
         }
         DataverseSession dataverseSession = null;
         String userMessage = jsonObject.getString("body");
-        String systemEmail = JvmSettings.SUPPORT_EMAIL.lookupOptional().orElse(settingsSvc.getValueForKey(SettingsServiceBean.Key.SystemEmail));
-        InternetAddress systemAddress = MailUtil.parseSystemAddress(systemEmail);
+        InternetAddress systemAddress = mailService.getSupportAddress().orElse(null);
         String userEmail = jsonObject.getString("fromEmail");
         String messageSubject = jsonObject.getString("subject");
         String baseUrl = systemConfig.getDataverseSiteUrl();
diff --git a/src/main/java/edu/harvard/iq/dataverse/harvest/server/web/servlet/OAIServlet.java b/src/main/java/edu/harvard/iq/dataverse/harvest/server/web/servlet/OAIServlet.java
index 233ca94f5fc..f9047e3ee5f 100644
--- a/src/main/java/edu/harvard/iq/dataverse/harvest/server/web/servlet/OAIServlet.java
+++ b/src/main/java/edu/harvard/iq/dataverse/harvest/server/web/servlet/OAIServlet.java
@@ -5,6 +5,7 @@
  */
 package edu.harvard.iq.dataverse.harvest.server.web.servlet;
 
+import edu.harvard.iq.dataverse.MailServiceBean;
 import io.gdcc.xoai.dataprovider.DataProvider;
 import io.gdcc.xoai.dataprovider.repository.Repository;
 import io.gdcc.xoai.dataprovider.repository.RepositoryConfiguration;
@@ -39,6 +40,7 @@
 
 
 import java.io.IOException;
+import java.util.Optional;
 import java.util.logging.Logger;
 import jakarta.ejb.EJB;
 import jakarta.inject.Inject;
@@ -67,14 +69,14 @@ public class OAIServlet extends HttpServlet {
     @EJB
     OAIRecordServiceBean recordService;
     @EJB
-    SettingsServiceBean settingsService;
-    @EJB
     DataverseServiceBean dataverseService;
     @EJB
     DatasetServiceBean datasetService;
     
     @EJB
     SystemConfig systemConfig;
+    @EJB
+    MailServiceBean mailServiceBean;
 
     @Inject
     @ConfigProperty(name = "dataverse.oai.server.maxidentifiers", defaultValue="100")
@@ -194,9 +196,13 @@ private RepositoryConfiguration createRepositoryConfiguration() {
         // (Note: if the setting does not exist, we are going to assume that they
         // have a reason not to want to configure their email address, if it is
         // a developer's instance, for example; or a reason not to want to 
-        // advertise it to the world.) 
-        InternetAddress systemEmailAddress = MailUtil.parseSystemAddress(settingsService.getValueForKey(SettingsServiceBean.Key.SystemEmail));
-        String systemEmailLabel = systemEmailAddress != null ? systemEmailAddress.getAddress() : "donotreply@localhost";
+        // advertise it to the world.)
+        String systemEmailLabel = "donotreply@localhost";
+        // TODO: should we expose the support team's address if configured?
+        Optional<InternetAddress> systemAddress = mailServiceBean.getSystemAddress();
+        if (systemAddress.isPresent()) {
+            systemEmailLabel = systemAddress.get().getAddress();
+        }
         
         RepositoryConfiguration configuration = new RepositoryConfiguration.RepositoryConfigurationBuilder()
                 .withAdminEmail(systemEmailLabel)
diff --git a/src/main/java/edu/harvard/iq/dataverse/settings/ConfigCheckService.java b/src/main/java/edu/harvard/iq/dataverse/settings/ConfigCheckService.java
index 7ca5fe04bcd..29a9d8956a3 100644
--- a/src/main/java/edu/harvard/iq/dataverse/settings/ConfigCheckService.java
+++ b/src/main/java/edu/harvard/iq/dataverse/settings/ConfigCheckService.java
@@ -1,17 +1,23 @@
 package edu.harvard.iq.dataverse.settings;
 
+import edu.harvard.iq.dataverse.MailServiceBean;
 import edu.harvard.iq.dataverse.pidproviders.PidUtil;
+import edu.harvard.iq.dataverse.settings.SettingsServiceBean.Key;
 import edu.harvard.iq.dataverse.util.FileUtil;
-
+import edu.harvard.iq.dataverse.util.MailSessionProducer;
 import jakarta.annotation.PostConstruct;
 import jakarta.ejb.DependsOn;
 import jakarta.ejb.Singleton;
 import jakarta.ejb.Startup;
+import jakarta.inject.Inject;
+import jakarta.mail.internet.InternetAddress;
+
 import java.io.IOException;
 import java.nio.file.FileSystemException;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.Map;
+import java.util.Optional;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
@@ -20,8 +26,12 @@
 @DependsOn({"StartupFlywayMigrator", "PidProviderFactoryBean"})
 public class ConfigCheckService {
     
-    
     private static final Logger logger = Logger.getLogger(ConfigCheckService.class.getCanonicalName());
+    
+    @Inject
+    MailSessionProducer mailSessionProducer;
+    @Inject
+    MailServiceBean mailService;
 
     public static class ConfigurationError extends RuntimeException {
         public ConfigurationError(String message) {
@@ -34,9 +44,10 @@ public void startup() {
         if (!checkSystemDirectories() || !checkPidProviders()) {
             throw new ConfigurationError("Not all configuration checks passed successfully. See logs above.");
         }
+        
+        // Only checks resulting in warnings, nothing critical that needs to stop deployment
+        checkSystemMailSetup();
     }
-    
-
 
     /**
      * In this method, we check the existence and write-ability of all important directories we use during
@@ -81,6 +92,37 @@ public boolean checkSystemDirectories() {
         }
         return success;
     }
+    
+    /**
+     * This method is not expected to make a deployment fail, but send out clear warning messages about missing or
+     * wrong configuration settings.
+     */
+    public void checkSystemMailSetup() {
+        // Check if a system mail setting has been provided or issue warning about disabled mail notifications
+        Optional<InternetAddress> mailAddress = mailService.getSystemAddress();
+        
+        // Not present -> warning
+        if (mailAddress.isEmpty()) {
+            logger.warning("Could not find a system mail setting in database (key :" + Key.SystemEmail + ", deprecated) or JVM option '" + JvmSettings.SYSTEM_EMAIL.getScopedKey() + "'");
+            logger.warning("Mail notifications and system messages are deactivated until you provide a configuration");
+        }
+        
+        // If there is an app server provided mail config, let's determine if the setup is matching
+        // TODO: when support for appserver provided mail session goes away, this code can be deleted
+        if (mailSessionProducer.hasSessionFromAppServer()) {
+            if (mailAddress.isEmpty()) {
+                logger.warning("Found a mail session provided by app server, but no system mail address (see logs above)");
+            // Check if the "from" in the session is the same as the system mail address (see issue 4210)
+            } else {
+                String sessionFrom = mailSessionProducer.getSession().getProperty("mail.from");
+                if (! mailAddress.get().toString().equals(sessionFrom)) {
+                    logger.warning(() -> String.format(
+                        "Found app server mail session provided 'from' (%s) does not match system mail setting (%s)",
+                        sessionFrom, mailAddress.get()));
+                }
+            }
+        }
+    }
 
     /**
      * Verifies that at least one PidProvider capable of editing/minting PIDs is
diff --git a/src/main/java/edu/harvard/iq/dataverse/settings/JvmSettings.java b/src/main/java/edu/harvard/iq/dataverse/settings/JvmSettings.java
index b92618dab89..524df1e1ce9 100644
--- a/src/main/java/edu/harvard/iq/dataverse/settings/JvmSettings.java
+++ b/src/main/java/edu/harvard/iq/dataverse/settings/JvmSettings.java
@@ -189,8 +189,18 @@ public enum JvmSettings {
     
     // MAIL SETTINGS
     SCOPE_MAIL(PREFIX, "mail"),
+    SYSTEM_EMAIL(SCOPE_MAIL, "system-email"),
     SUPPORT_EMAIL(SCOPE_MAIL, "support-email"),
     CC_SUPPORT_ON_CONTACT_EMAIL(SCOPE_MAIL, "cc-support-on-contact-email"),
+    MAIL_DEBUG(SCOPE_MAIL, "debug"),
+    // Mail Transfer Agent settings
+    SCOPE_MAIL_MTA(SCOPE_MAIL, "mta"),
+    MAIL_MTA_AUTH(SCOPE_MAIL_MTA, "auth"),
+    MAIL_MTA_USER(SCOPE_MAIL_MTA, "user"),
+    MAIL_MTA_PASSWORD(SCOPE_MAIL_MTA, "password"),
+    MAIL_MTA_SUPPORT_UTF8(SCOPE_MAIL_MTA, "allow-utf8-addresses"),
+    // Placeholder setting for a large list of extra settings
+    MAIL_MTA_SETTING(SCOPE_MAIL_MTA),
     
     // AUTH SETTINGS
     SCOPE_AUTH(PREFIX, "auth"),
diff --git a/src/main/java/edu/harvard/iq/dataverse/settings/SettingsServiceBean.java b/src/main/java/edu/harvard/iq/dataverse/settings/SettingsServiceBean.java
index 2d1667f0cc5..9888db84696 100644
--- a/src/main/java/edu/harvard/iq/dataverse/settings/SettingsServiceBean.java
+++ b/src/main/java/edu/harvard/iq/dataverse/settings/SettingsServiceBean.java
@@ -45,6 +45,7 @@ public class SettingsServiceBean {
      * over your shoulder when typing strings in various places of a large app. 
      * So there.
      */
+    @SuppressWarnings("java:S115")
     public enum Key {
         AllowApiTokenLookupViaApi,
         /**
@@ -263,7 +264,12 @@ public enum Key {
         /* the number of files the GUI user is allowed to upload in one batch, 
             via drag-and-drop, or through the file select dialog */
         MultipleUploadFilesLimit,
-        /* return email address for system emails such as notifications */
+        /**
+         * Return email address for system emails such as notifications
+         * @deprecated Please replace usages with {@link edu.harvard.iq.dataverse.MailServiceBean#getSystemAddress},
+         *             which is backward compatible with this setting.
+         */
+        @Deprecated(since = "6.2", forRemoval = true)
         SystemEmail, 
         /* size limit for Tabular data file ingests */
         /* (can be set separately for specific ingestable formats; in which 
diff --git a/src/main/java/edu/harvard/iq/dataverse/util/MailSessionProducer.java b/src/main/java/edu/harvard/iq/dataverse/util/MailSessionProducer.java
new file mode 100644
index 00000000000..149f92761d2
--- /dev/null
+++ b/src/main/java/edu/harvard/iq/dataverse/util/MailSessionProducer.java
@@ -0,0 +1,150 @@
+package edu.harvard.iq.dataverse.util;
+
+import edu.harvard.iq.dataverse.settings.JvmSettings;
+import jakarta.annotation.Resource;
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.enterprise.inject.Produces;
+import jakarta.inject.Named;
+import jakarta.mail.Authenticator;
+import jakarta.mail.PasswordAuthentication;
+import jakarta.mail.Session;
+
+import javax.naming.Context;
+import javax.naming.InitialContext;
+import javax.naming.NamingException;
+import java.util.List;
+import java.util.Properties;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import java.util.stream.Collectors;
+
+@ApplicationScoped
+public class MailSessionProducer {
+    
+    // NOTE: We do not allow "from" here, as we want the transport to get it from the message being sent, enabling
+    //       matching addresses. If "from" in transport and "from" in the message differ, some MTAs may reject or
+    //       classify as spam.
+    // NOTE: Complete list including descriptions at https://eclipse-ee4j.github.io/angus-mail/docs/api/org.eclipse.angus.mail/org/eclipse/angus/mail/smtp/package-summary.html
+    static final List<String> smtpStringProps = List.of(
+        "host", "localhost", "localaddress", "auth.mechanisms", "auth.ntlm.domain", "submitter", "dsn.notify", "dsn.ret",
+        "sasl.mechanisms", "sasl.authorizationid", "sasl.realm", "ssl.trust", "ssl.protocols", "ssl.ciphersuites",
+        "proxy.host", "proxy.port", "proxy.user", "proxy.password", "socks.host", "socks.port", "mailextension"
+    );
+    static final List<String> smtpIntProps = List.of(
+        "port", "connectiontimeout", "timeout", "writetimeout", "localport", "auth.ntlm.flag"
+    );
+    static final List<String> smtpBoolProps = List.of(
+        "auth", "ehlo", "auth.login.disable", "auth.plain.disable", "auth.digest-md5.disable", "auth.ntlm.disable",
+        "auth.xoauth2.disable", "allow8bitmime", "sendpartial", "sasl.enable", "sasl.usecanonicalhostname",
+        "quitwait", "quitonsessionreject", "ssl.enable", "ssl.checkserveridentity", "starttls.enable",
+        "starttls.required", "userset", "noop.strict"
+    );
+    
+    private static final String PREFIX = "mail.smtp.";
+    private static final Logger logger = Logger.getLogger(MailSessionProducer.class.getCanonicalName());
+    
+    static {
+        if (Boolean.TRUE.equals(JvmSettings.MAIL_DEBUG.lookup(Boolean.class))) {
+            logger.setLevel(Level.FINE);
+        }
+    }
+    
+    Session systemMailSession;
+    
+    /**
+     * Cache the application server provided (user defined) javamail resource to enable backwards compatibility.
+     * No direct JNDI lookup on the field to avoid deployment failures when not present.
+     * @deprecated This should be removed with the next major release of Dataverse, as it would be a breaking change.
+     */
+    @Deprecated(forRemoval = true, since = "6.2")
+    Session appserverProvidedSession;
+    
+    public MailSessionProducer() {
+        try {
+            // Do JNDI lookup of legacy mail session programmatically to avoid deployment errors when not found.
+            Context initialContext = new InitialContext();
+            this.appserverProvidedSession = (Session)initialContext.lookup("mail/notifyMailSession");
+        } catch (NamingException e) {
+            // This exception simply means the appserver did not provide the legacy mail session.
+            // Debug level output is just fine.
+            logger.log(Level.FINER, "Error during legacy appserver-level mail resource lookup", e);
+        }
+    }
+    
+    @Produces
+    @Named("mail/systemSession")
+    public Session getSession() {
+        //  For backward compatibility, prefer to return the mail resource configured on the appserver.
+        if (appserverProvidedSession != null) {
+            logger.warning("The configuration of mail transfer agents using asadmin create-javamail-resource is" +
+                " deprecated. Please migrate to using JVM options, see Dataverse guides for details");
+            return appserverProvidedSession;
+        }
+        
+        if (systemMailSession == null) {
+            logger.fine("Setting up new mail session");
+            
+            // Initialize with null (= no authenticator) is a valid argument for the session factory method.
+            Authenticator authenticator = null;
+            
+            // In case we want auth, create an authenticator (default = false from microprofile-config.properties)
+            if (Boolean.TRUE.equals(JvmSettings.MAIL_MTA_AUTH.lookup(Boolean.class))) {
+                logger.fine("Mail Authentication is enabled, building authenticator");
+                authenticator = new Authenticator() {
+                    @Override
+                    protected PasswordAuthentication getPasswordAuthentication() {
+                        logger.fine(() ->
+                            String.format("Returning PasswordAuthenticator with username='%s', password='%s'",
+                                JvmSettings.MAIL_MTA_USER.lookup(),
+                                "*".repeat(JvmSettings.MAIL_MTA_PASSWORD.lookup().length())));
+                        return new PasswordAuthentication(JvmSettings.MAIL_MTA_USER.lookup(), JvmSettings.MAIL_MTA_PASSWORD.lookup());
+                    }
+                };
+            }
+            
+            this.systemMailSession = Session.getInstance(getMailProperties(), authenticator);
+        }
+        return systemMailSession;
+    }
+    
+    Properties getMailProperties() {
+        Properties configuration = new Properties();
+        
+        // See https://jakarta.ee/specifications/mail/2.1/apidocs/jakarta.mail/jakarta/mail/package-summary
+        configuration.put("mail.transport.protocol", "smtp");
+        configuration.put("mail.debug", JvmSettings.MAIL_DEBUG.lookupOptional(Boolean.class).orElse(false).toString());
+        // Only enable if your MTA properly supports UTF-8 mail addresses following RFC 6530/6531/6532.
+        // Before, we used a hack to put the raw UTF-8 mail address into the system.
+        // Now, make it proper, but make it possible to disable it - see also EMailValidator.
+        // Default = true from microprofile-config.properties as most MTAs these days support SMTPUTF8 extension
+        configuration.put("mail.mime.allowutf8", JvmSettings.MAIL_MTA_SUPPORT_UTF8.lookup(Boolean.class).toString());
+        
+        // Map properties 1:1 to mail.smtp properties for the mail session.
+        smtpStringProps.forEach(
+            prop -> JvmSettings.MAIL_MTA_SETTING.lookupOptional(prop).ifPresent(
+                string -> configuration.put(PREFIX + prop, string)));
+        smtpBoolProps.forEach(
+            prop -> JvmSettings.MAIL_MTA_SETTING.lookupOptional(Boolean.class, prop).ifPresent(
+                bool -> configuration.put(PREFIX + prop, bool.toString())));
+        smtpIntProps.forEach(
+            prop -> JvmSettings.MAIL_MTA_SETTING.lookupOptional(Integer.class, prop).ifPresent(
+                number -> configuration.put(PREFIX + prop, number.toString())));
+        
+        logger.fine(() -> "Compiled properties:" + configuration.entrySet().stream()
+            .map(entry -> "\"" + entry.getKey() + "\": \"" + entry.getValue() + "\"")
+            .collect(Collectors.joining(",\n")));
+        
+        return configuration;
+    }
+    
+    /**
+     * Determine if the session returned by {@link #getSession()} has been provided by the application server
+     * @return True if injected as resource from app server, false otherwise
+     * @deprecated This is supposed to be removed when {@link #appserverProvidedSession} is removed.
+     */
+    @Deprecated(forRemoval = true, since = "6.2")
+    public boolean hasSessionFromAppServer() {
+        return this.appserverProvidedSession != null;
+    }
+    
+}
diff --git a/src/main/java/edu/harvard/iq/dataverse/util/MailUtil.java b/src/main/java/edu/harvard/iq/dataverse/util/MailUtil.java
index 0724e53700b..ccec3e5f09b 100644
--- a/src/main/java/edu/harvard/iq/dataverse/util/MailUtil.java
+++ b/src/main/java/edu/harvard/iq/dataverse/util/MailUtil.java
@@ -5,32 +5,14 @@
 import edu.harvard.iq.dataverse.DatasetVersion;
 import edu.harvard.iq.dataverse.UserNotification;
 import edu.harvard.iq.dataverse.branding.BrandingUtil;
-import static edu.harvard.iq.dataverse.settings.SettingsServiceBean.Key.SystemEmail;
 import java.util.Arrays;
 import java.util.List;
 import java.util.logging.Logger;
-import jakarta.mail.internet.AddressException;
-import jakarta.mail.internet.InternetAddress;
 
 public class MailUtil {
 
     private static final Logger logger = Logger.getLogger(MailUtil.class.getCanonicalName());
 
-    public static InternetAddress parseSystemAddress(String systemEmail) {
-        if (systemEmail != null) {
-            try {
-                InternetAddress parsedSystemEmail = new InternetAddress(systemEmail);
-                logger.fine("parsed system email: " + parsedSystemEmail);
-                return parsedSystemEmail;
-            } catch (AddressException ex) {
-                logger.info("Email will not be sent due to invalid value in " + SystemEmail + " setting: " + ex);
-                return null;
-            }
-        }
-        logger.fine("Email will not be sent because the " + SystemEmail + " setting is null.");
-        return null;
-    }
-
     public static String getSubjectTextBasedOnNotification(UserNotification userNotification, Object objectOfNotification) {
         List<String> rootDvNameAsList = Arrays.asList(BrandingUtil.getInstallationBrandName());
         String datasetDisplayName = "";
diff --git a/src/main/java/edu/harvard/iq/dataverse/validation/EMailValidator.java b/src/main/java/edu/harvard/iq/dataverse/validation/EMailValidator.java
index 624e49623f2..446f55a193f 100644
--- a/src/main/java/edu/harvard/iq/dataverse/validation/EMailValidator.java
+++ b/src/main/java/edu/harvard/iq/dataverse/validation/EMailValidator.java
@@ -1,5 +1,6 @@
 package edu.harvard.iq.dataverse.validation;
 
+import edu.harvard.iq.dataverse.settings.JvmSettings;
 import jakarta.validation.ConstraintValidator;
 import jakarta.validation.ConstraintValidatorContext;
 
@@ -10,7 +11,7 @@
  * @author skraffmi
  */
 public class EMailValidator implements ConstraintValidator<ValidateEmail, String> {
-
+    
     @Override
     public boolean isValid(String value, ConstraintValidatorContext context) {
         return isEmailValid(value);
@@ -23,6 +24,12 @@ public boolean isValid(String value, ConstraintValidatorContext context) {
      * @return true when valid, false when invalid (null = valid!)
      */
     public static boolean isEmailValid(String value) {
-        return value == null || EmailValidator.getInstance().isValid(value);
+        // Must be looked up here - otherwise changes are not picked up (tests, live config, ...)
+        final boolean mtaSupportsUTF8 = JvmSettings.MAIL_MTA_SUPPORT_UTF8.lookup(Boolean.class);
+        return value == null || (EmailValidator.getInstance().isValid(value) &&
+            // If the MTA isn't able to handle UTF-8 mail addresses following RFC 6530/6531/6532, we can only declare
+            // mail addresses using 7bit ASCII (RFC 821) as valid.
+            // Beyond scope for Apache Commons Validator, see also https://issues.apache.org/jira/browse/VALIDATOR-487
+            (value.codePoints().noneMatch(c -> c > 127) || mtaSupportsUTF8) );
     }
 }
diff --git a/src/main/resources/META-INF/javamail.default.address.map b/src/main/resources/META-INF/javamail.default.address.map
new file mode 100644
index 00000000000..b1115c9dc8c
--- /dev/null
+++ b/src/main/resources/META-INF/javamail.default.address.map
@@ -0,0 +1,2 @@
+# See https://jakartaee.github.io/mail-api/docs/api/jakarta.mail/jakarta/mail/Session.html
+rfc822=smtp
diff --git a/src/main/resources/META-INF/microprofile-config.properties b/src/main/resources/META-INF/microprofile-config.properties
index 56c0fe0ff0a..b0bc92cf975 100644
--- a/src/main/resources/META-INF/microprofile-config.properties
+++ b/src/main/resources/META-INF/microprofile-config.properties
@@ -42,6 +42,11 @@ dataverse.rserve.user=rserve
 dataverse.rserve.password=rserve
 dataverse.rserve.tempdir=/tmp/Rserv
 
+# MAIL
+dataverse.mail.debug=false
+dataverse.mail.mta.auth=false
+dataverse.mail.mta.allow-utf8-addresses=true
+
 # OAI SERVER
 dataverse.oai.server.maxidentifiers=100
 dataverse.oai.server.maxrecords=10
diff --git a/src/test/java/edu/harvard/iq/dataverse/MailServiceBeanIT.java b/src/test/java/edu/harvard/iq/dataverse/MailServiceBeanIT.java
new file mode 100644
index 00000000000..17dede5e9f3
--- /dev/null
+++ b/src/test/java/edu/harvard/iq/dataverse/MailServiceBeanIT.java
@@ -0,0 +1,143 @@
+package edu.harvard.iq.dataverse;
+
+import edu.harvard.iq.dataverse.branding.BrandingUtil;
+import edu.harvard.iq.dataverse.settings.JvmSettings;
+import edu.harvard.iq.dataverse.settings.SettingsServiceBean;
+import edu.harvard.iq.dataverse.util.MailSessionProducer;
+import edu.harvard.iq.dataverse.util.testing.JvmSetting;
+import edu.harvard.iq.dataverse.util.testing.LocalJvmSettings;
+import edu.harvard.iq.dataverse.util.testing.Tags;
+import io.restassured.RestAssured;
+import jakarta.mail.Session;
+import jakarta.mail.internet.AddressException;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Tag;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.MethodSource;
+import org.mockito.Mockito;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.testcontainers.containers.GenericContainer;
+import org.testcontainers.containers.wait.strategy.Wait;
+import org.testcontainers.junit.jupiter.Container;
+import org.testcontainers.junit.jupiter.Testcontainers;
+
+import java.util.List;
+
+import static io.restassured.RestAssured.given;
+import static org.hamcrest.CoreMatchers.equalTo;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+/**
+ * An integration test using a fake SMTP MTA to check for outgoing mails.
+ * LIMITATION: This test cannot possibly check if the production and injection of the session via CDI
+ *             works, as it is not running within a servlet container. This would require usage of Arquillian
+ *             or and end-to-end API test with a deployed application.
+ */
+
+@Tag(Tags.INTEGRATION_TEST)
+@Tag(Tags.USES_TESTCONTAINERS)
+@Testcontainers(disabledWithoutDocker = true)
+@ExtendWith(MockitoExtension.class)
+@LocalJvmSettings
+@JvmSetting(key = JvmSettings.MAIL_MTA_SETTING, method = "tcSmtpHost", varArgs = "host")
+@JvmSetting(key = JvmSettings.MAIL_MTA_SETTING, method = "tcSmtpPort", varArgs = "port")
+class MailServiceBeanIT {
+    
+    private static final Integer PORT_SMTP = 1025;
+    private static final Integer PORT_HTTP = 1080;
+    
+    static MailServiceBean mailer;
+    static Session session;
+    static SettingsServiceBean settingsServiceBean = Mockito.mock(SettingsServiceBean.class);
+    static DataverseServiceBean dataverseServiceBean = Mockito.mock(DataverseServiceBean.class);
+    
+    @BeforeAll
+    static void setUp() {
+        // Setup mocks behavior, inject as deps
+        Mockito.when(settingsServiceBean.getValueForKey(SettingsServiceBean.Key.SystemEmail)).thenReturn("noreply@example.org");
+        BrandingUtil.injectServices(dataverseServiceBean, settingsServiceBean);
+        
+        // Must happen here, as we need Testcontainers to start the container first...
+        session = new MailSessionProducer().getSession();
+        mailer = new MailServiceBean(session, settingsServiceBean);
+    }
+    
+    /*
+        Cannot use maildev/maildev here. Also MailCatcher doesn't provide official support for SMTPUTF8.
+        Also maildev does advertise the feature and everything is fine over the wire, both JSON API and Web UI
+        of maildev have an encoding problem - UTF-8 mail addresses following RFC 6530/6531/6532 are botched.
+        Neither MailCatcher nor MailHog have this problem, yet the API of MailCatcher is much simpler
+        to use during testing, which is why we are going with it.
+     */
+    @Container
+    static GenericContainer<?> maildev = new GenericContainer<>("dockage/mailcatcher")
+        .withExposedPorts(PORT_HTTP, PORT_SMTP)
+        .waitingFor(Wait.forHttp("/"));
+    
+    static String tcSmtpHost() {
+        return maildev.getHost();
+    }
+    
+    static String tcSmtpPort() {
+        return maildev.getMappedPort(PORT_SMTP).toString();
+    }
+    
+    @BeforeAll
+    static void setup() {
+        RestAssured.baseURI = "http://" + tcSmtpHost();
+        RestAssured.port = maildev.getMappedPort(PORT_HTTP);
+    }
+    
+    static List<String> mailTo() {
+        return List.of(
+            "pete@mailinator.com", // one example using ASCII only, make sure it works
+            "michélle.pereboom@example.com",
+            "begüm.vriezen@example.com",
+            "lótus.gonçalves@example.com",
+            "lótus.gonçalves@éxample.com",
+            "begüm.vriezen@example.cologne",
+            "رونیکا.محمدخان@example.com",
+            "lótus.gonçalves@example.cóm"
+        );
+    }
+    
+    @ParameterizedTest
+    @MethodSource("mailTo")
+    @JvmSetting(key = JvmSettings.MAIL_MTA_SUPPORT_UTF8, value = "true")
+    void sendEmailIncludingUTF8(String mailAddress) {
+        given().when().get("/messages")
+            .then()
+            .statusCode(200);
+        
+        // given
+        Session session = new MailSessionProducer().getSession();
+        MailServiceBean mailer = new MailServiceBean(session, settingsServiceBean);
+        
+        // when
+        boolean sent = mailer.sendSystemEmail(mailAddress, "Test", "Test üüü", false);
+        
+        // then
+        assertTrue(sent);
+        //RestAssured.get("/messages").body().prettyPrint();
+        given().when().get("/messages")
+            .then()
+            .statusCode(200)
+            .body("last().recipients.first()", equalTo("<" + mailAddress + ">"));
+    }
+    
+    @Test
+    @JvmSetting(key = JvmSettings.SYSTEM_EMAIL, value = "test@example.org")
+    @JvmSetting(key = JvmSettings.MAIL_MTA_SUPPORT_UTF8, value = "false")
+    void mailRejectedWhenUTF8AddressButNoSupport() throws AddressException {
+        // given
+        Session session = new MailSessionProducer().getSession();
+        MailServiceBean mailer = new MailServiceBean(session, settingsServiceBean);
+        String to = "michélle.pereboom@example.com";
+        
+        assertFalse(mailer.sendSystemEmail(to, "Test", "Test", false));
+    }
+    
+}
\ No newline at end of file
diff --git a/src/test/java/edu/harvard/iq/dataverse/MailServiceBeanTest.java b/src/test/java/edu/harvard/iq/dataverse/MailServiceBeanTest.java
index 32bf9702ee7..afcc12949d6 100644
--- a/src/test/java/edu/harvard/iq/dataverse/MailServiceBeanTest.java
+++ b/src/test/java/edu/harvard/iq/dataverse/MailServiceBeanTest.java
@@ -1,56 +1,151 @@
 package edu.harvard.iq.dataverse;
 
 import edu.harvard.iq.dataverse.branding.BrandingUtilTest;
-import edu.harvard.iq.dataverse.util.MailUtil;
+import edu.harvard.iq.dataverse.settings.JvmSettings;
+import edu.harvard.iq.dataverse.settings.SettingsServiceBean;
+import edu.harvard.iq.dataverse.util.testing.JvmSetting;
+import edu.harvard.iq.dataverse.util.testing.LocalJvmSettings;
+import jakarta.mail.internet.AddressException;
+import jakarta.mail.internet.InternetAddress;
 import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.CsvSource;
-
-import jakarta.mail.internet.InternetAddress;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.mockito.junit.jupiter.MockitoExtension;
 
 import java.io.UnsupportedEncodingException;
 
+import static edu.harvard.iq.dataverse.settings.SettingsServiceBean.Key;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
+@ExtendWith(MockitoExtension.class)
 class MailServiceBeanTest {
     
-    
-    /**
-     * We need to reset the BrandingUtil mocks for every test, as we rely on them being set to default.
-     */
-    @BeforeEach
-    private void setup() {
-        BrandingUtilTest.setupMocks();
+    @Nested
+    class Delegation {
+        /**
+         * We need to reset the BrandingUtil mocks for every test, as we rely on them being set to default.
+         */
+        @BeforeEach
+        void setup() {
+            BrandingUtilTest.setupMocks();
+        }
+        @AfterAll
+        static void tearDown() {
+            BrandingUtilTest.tearDownMocks();
+        }
+        
+        @ParameterizedTest
+        @CsvSource(value  = {
+            // with name in admin mail address
+            "Foo Bar <foo@bar.org>, NULL, NULL, Foo Bar",
+            // without name, but installation branding name set
+            "dataverse@dataverse.org, NULL, LibraScholar Dataverse, LibraScholar Dataverse",
+            // without name, but root dataverse name available
+            "dataverse@dataverse.org, NotLibraScholar, NULL, NotLibraScholar",
+            // without name, without root dataverse name, without installation name -> default to bundle string.
+            "dataverse@dataverse.org, NULL, NULL, Dataverse Installation Admin"
+        }, nullValues = {"NULL"})
+        void setContactDelegation(String fromMail, String rootDataverseName, String installationName, String expectedStartsWith) throws AddressException {
+            BrandingUtilTest.setRootDataverseName(rootDataverseName);
+            BrandingUtilTest.setInstallationName(installationName);
+            
+            InternetAddress fromAddress = new InternetAddress(fromMail);
+            MailServiceBean mailServiceBean = new MailServiceBean();
+            try {
+                mailServiceBean.setContactDelegation("user@example.edu", fromAddress);
+                assertTrue(fromAddress.getPersonal().startsWith(expectedStartsWith));
+                assertTrue(fromAddress.getPersonal().endsWith(" on behalf of user@example.edu"));
+            } catch (UnsupportedEncodingException e) {
+                e.printStackTrace();
+            }
+        }
     }
-    @AfterAll
-    private static void tearDown() {
-        BrandingUtilTest.tearDownMocks();
+    
+    @Nested
+    @LocalJvmSettings
+    class LookupMailAddresses {
+        
+        @Mock
+        SettingsServiceBean settingsServiceBean;
+        
+        @InjectMocks
+        MailServiceBean mailServiceBean = new MailServiceBean();
+        
+        private static final String email = "test@example.org";
+        
+        @Test
+        void lookupSystemWithoutAnySetting() {
+            assertTrue(mailServiceBean.getSystemAddress().isEmpty());
+        }
+        
+        @Test
+        void lookupSystemWithDBOnly() {
+            Mockito.when(settingsServiceBean.getValueForKey(Key.SystemEmail)).thenReturn(email);
+            assertEquals(email, mailServiceBean.getSystemAddress().get().getAddress());
+        }
+        
+        @Test
+        @JvmSetting(key = JvmSettings.SYSTEM_EMAIL, value = email)
+        void lookupSystemWithMPConfig() {
+            assertEquals(email, mailServiceBean.getSystemAddress().get().getAddress());
+        }
+        
+        @Test
+        @JvmSetting(key = JvmSettings.SYSTEM_EMAIL, value = email)
+        void lookupSystemWhereMPConfigTakesPrecedenceOverDB() {
+            Mockito.lenient().when(settingsServiceBean.getValueForKey(Key.SystemEmail)).thenReturn("foobar@example.org");
+            assertEquals(email, mailServiceBean.getSystemAddress().get().getAddress());
+        }
+        
+        @Test
+        void lookupSupportWithoutAnySetting() {
+            assertTrue(mailServiceBean.getSupportAddress().isEmpty());
+        }
+        
+        @Test
+        @JvmSetting(key = JvmSettings.SYSTEM_EMAIL, value = email)
+        void lookupSupportNotSetButWithSystemPresent() {
+            assertEquals(email, mailServiceBean.getSupportAddress().get().getAddress());
+        }
+        
+        @Test
+        @JvmSetting(key = JvmSettings.SUPPORT_EMAIL, value = email)
+        void lookupSupportWithoutSystemSet() {
+            assertTrue(mailServiceBean.getSystemAddress().isEmpty());
+            assertEquals(email, mailServiceBean.getSupportAddress().get().getAddress());
+        }
+        
+        @Test
+        @JvmSetting(key = JvmSettings.SYSTEM_EMAIL, value = email)
+        @JvmSetting(key = JvmSettings.SUPPORT_EMAIL, value = "support@example.org")
+        void lookupSupportSetWithSystemPresent() {
+            assertEquals(email, mailServiceBean.getSystemAddress().get().getAddress());
+            assertEquals("support@example.org", mailServiceBean.getSupportAddress().get().getAddress());
+        }
     }
     
-    @ParameterizedTest
-    @CsvSource(value  = {
-        // with name in admin mail address
-        "Foo Bar <foo@bar.org>, NULL, NULL, Foo Bar",
-        // without name, but installation branding name set
-        "dataverse@dataverse.org, NULL, LibraScholar Dataverse, LibraScholar Dataverse",
-        // without name, but root dataverse name available
-        "dataverse@dataverse.org, NotLibraScholar, NULL, NotLibraScholar",
-        // without name, without root dataverse name, without installation name -> default to bundle string.
-        "dataverse@dataverse.org, NULL, NULL, Dataverse Installation Admin"
-    }, nullValues = {"NULL"})
-    void setContactDelegation(String fromMail, String rootDataverseName, String installationName, String expectedStartsWith) {
-        BrandingUtilTest.setRootDataverseName(rootDataverseName);
-        BrandingUtilTest.setInstallationName(installationName);
-        
-        InternetAddress fromAddress = MailUtil.parseSystemAddress(fromMail);
+    @Nested
+    @LocalJvmSettings
+    class SendSystemMail {
+        @Mock
+        SettingsServiceBean settingsServiceBean;
+        @InjectMocks
         MailServiceBean mailServiceBean = new MailServiceBean();
-        try {
-            mailServiceBean.setContactDelegation("user@example.edu", fromAddress);
-            assertTrue(fromAddress.getPersonal().startsWith(expectedStartsWith));
-            assertTrue(fromAddress.getPersonal().endsWith(" on behalf of user@example.edu"));
-        } catch (UnsupportedEncodingException e) {
-            e.printStackTrace();
+        
+        @Test
+        @JvmSetting(key = JvmSettings.SYSTEM_EMAIL, value = "")
+        void skipIfNoSystemAddress() {
+            assertFalse(mailServiceBean.sendSystemEmail("target@example.org", "Test", "Test", false));
         }
     }
+    
 }
\ No newline at end of file
diff --git a/src/test/java/edu/harvard/iq/dataverse/branding/BrandingUtilTest.java b/src/test/java/edu/harvard/iq/dataverse/branding/BrandingUtilTest.java
index 2b526b8a449..0a6d89ed490 100644
--- a/src/test/java/edu/harvard/iq/dataverse/branding/BrandingUtilTest.java
+++ b/src/test/java/edu/harvard/iq/dataverse/branding/BrandingUtilTest.java
@@ -41,8 +41,8 @@ public static void setupMocks() {
         BrandingUtil.injectServices(dataverseSvc, settingsSvc);
         
         // initial values (needed here for other tests where this method is reused!)
-        Mockito.when(settingsSvc.getValueForKey(SettingsServiceBean.Key.InstallationName)).thenReturn(DEFAULT_NAME);
-        Mockito.when(dataverseSvc.getRootDataverseName()).thenReturn(DEFAULT_NAME);
+        Mockito.lenient().when(settingsSvc.getValueForKey(SettingsServiceBean.Key.InstallationName)).thenReturn(DEFAULT_NAME);
+        Mockito.lenient().when(dataverseSvc.getRootDataverseName()).thenReturn(DEFAULT_NAME);
     }
     
     /**
@@ -50,7 +50,7 @@ public static void setupMocks() {
      * @param installationName
      */
     public static void setInstallationName(String installationName) {
-        Mockito.when(settingsSvc.getValueForKey(SettingsServiceBean.Key.InstallationName)).thenReturn(installationName);
+        Mockito.lenient().when(settingsSvc.getValueForKey(SettingsServiceBean.Key.InstallationName)).thenReturn(installationName);
     }
     
     /**
@@ -58,7 +58,7 @@ public static void setInstallationName(String installationName) {
      * @param rootDataverseName
      */
     public static void setRootDataverseName(String rootDataverseName) {
-        Mockito.when(dataverseSvc.getRootDataverseName()).thenReturn(rootDataverseName);
+        Mockito.lenient().when(dataverseSvc.getRootDataverseName()).thenReturn(rootDataverseName);
     }
     
     /**
diff --git a/src/test/java/edu/harvard/iq/dataverse/util/MailSessionProducerIT.java b/src/test/java/edu/harvard/iq/dataverse/util/MailSessionProducerIT.java
new file mode 100644
index 00000000000..29b6598b1a9
--- /dev/null
+++ b/src/test/java/edu/harvard/iq/dataverse/util/MailSessionProducerIT.java
@@ -0,0 +1,270 @@
+package edu.harvard.iq.dataverse.util;
+
+import edu.harvard.iq.dataverse.DataverseServiceBean;
+import edu.harvard.iq.dataverse.MailServiceBean;
+import edu.harvard.iq.dataverse.branding.BrandingUtil;
+import edu.harvard.iq.dataverse.branding.BrandingUtilTest;
+import edu.harvard.iq.dataverse.settings.JvmSettings;
+import edu.harvard.iq.dataverse.settings.SettingsServiceBean;
+import edu.harvard.iq.dataverse.util.testing.JvmSetting;
+import edu.harvard.iq.dataverse.util.testing.LocalJvmSettings;
+import edu.harvard.iq.dataverse.util.testing.Tags;
+import io.restassured.RestAssured;
+import jakarta.mail.Session;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Tag;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mockito;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.testcontainers.containers.GenericContainer;
+import org.testcontainers.containers.wait.strategy.Wait;
+import org.testcontainers.junit.jupiter.Container;
+import org.testcontainers.junit.jupiter.Testcontainers;
+import org.testcontainers.utility.MountableFile;
+
+import java.util.Map;
+
+import static io.restassured.RestAssured.given;
+import static org.hamcrest.CoreMatchers.equalTo;
+import static org.hamcrest.CoreMatchers.is;
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+/**
+ * An integration test using a fake SMTP MTA to check for outgoing mails.
+ * LIMITATION: This test cannot possibly check if the production and injection of the session via CDI
+ *             works, as it is not running within a servlet container. This would require usage of Arquillian
+ *             or and end-to-end API test with a deployed application.
+ */
+
+@Tag(Tags.INTEGRATION_TEST)
+@Tag(Tags.USES_TESTCONTAINERS)
+@Testcontainers(disabledWithoutDocker = true)
+@ExtendWith(MockitoExtension.class)
+@LocalJvmSettings
+@JvmSetting(key = JvmSettings.SYSTEM_EMAIL, value = "test@test.com")
+class MailSessionProducerIT {
+    
+    private static final Integer PORT_SMTP = 1025;
+    private static final Integer PORT_HTTP = 1080;
+    
+    static SettingsServiceBean settingsServiceBean = Mockito.mock(SettingsServiceBean.class);;
+    static DataverseServiceBean dataverseServiceBean = Mockito.mock(DataverseServiceBean.class);;
+    
+    /**
+     * We need to reset the BrandingUtil mocks for every test, as we rely on them being set to default.
+     */
+    @BeforeAll
+    static void setUp() {
+        // Setup mocks behavior, inject as deps
+        BrandingUtil.injectServices(dataverseServiceBean, settingsServiceBean);
+    }
+    @AfterAll
+    static void tearDown() {
+        BrandingUtilTest.tearDownMocks();
+    }
+    
+    @Nested
+    @LocalJvmSettings
+    @JvmSetting(key = JvmSettings.MAIL_MTA_SETTING, method = "tcSmtpHost", varArgs = "host")
+    @JvmSetting(key = JvmSettings.MAIL_MTA_SETTING, method = "tcSmtpPort", varArgs = "port")
+    class WithoutAuthentication {
+        @Container
+        static GenericContainer<?> maildev = new GenericContainer<>("maildev/maildev:2.1.0")
+            .withExposedPorts(PORT_HTTP, PORT_SMTP)
+            .waitingFor(Wait.forHttp("/"));
+        
+        static String tcSmtpHost() {
+            return maildev.getHost();
+        }
+        
+        static String tcSmtpPort() {
+            return maildev.getMappedPort(PORT_SMTP).toString();
+        }
+        
+        @BeforeAll
+        static void setup() {
+            RestAssured.baseURI = "http://" + tcSmtpHost();
+            RestAssured.port = maildev.getMappedPort(PORT_HTTP);
+        }
+        
+        @Test
+        void createSession() {
+            given().when().get("/email")
+                .then()
+                .statusCode(200)
+                .body("size()", is(0));
+            
+            // given
+            Session session = new MailSessionProducer().getSession();
+            MailServiceBean mailer = new MailServiceBean(session, settingsServiceBean);
+            
+            // when
+            boolean sent = mailer.sendSystemEmail("test@example.org", "Test", "Test", false);
+            
+            // then
+            assertTrue(sent);
+            //RestAssured.get("/email").body().prettyPrint();
+            given().when().get("/email")
+                .then()
+                .statusCode(200)
+                .body("size()", is(1))
+                .body("[0].subject", equalTo("Test"));
+        }
+        
+    }
+    
+    @Nested
+    @LocalJvmSettings
+    @JvmSetting(key = JvmSettings.MAIL_MTA_SETTING, method = "tcSmtpHost", varArgs = "host")
+    @JvmSetting(key = JvmSettings.MAIL_MTA_SETTING, method = "tcSmtpPort", varArgs = "port")
+    @JvmSetting(key = JvmSettings.MAIL_MTA_SETTING, varArgs = "ssl.enable", value = "true")
+    @JvmSetting(key = JvmSettings.MAIL_MTA_SETTING, varArgs = "ssl.trust", value = "*")
+    class WithSSLWithoutAuthentication {
+        @Container
+        static GenericContainer<?> maildev = new GenericContainer<>("maildev/maildev:2.1.0")
+            .withCopyFileToContainer(MountableFile.forClasspathResource("mail/cert.pem"), "/cert.pem")
+            .withCopyFileToContainer(MountableFile.forClasspathResource("mail/key.pem"), "/key.pem")
+            .withExposedPorts(PORT_HTTP, PORT_SMTP)
+            .withEnv(Map.of(
+                "MAILDEV_INCOMING_SECURE", "true",
+                "MAILDEV_INCOMING_CERT", "/cert.pem",
+                "MAILDEV_INCOMING_KEY", "/key.pem"
+            ))
+            .waitingFor(Wait.forHttp("/"));
+        
+        static String tcSmtpHost() {
+            return maildev.getHost();
+        }
+        
+        static String tcSmtpPort() {
+            return maildev.getMappedPort(PORT_SMTP).toString();
+        }
+        
+        @BeforeAll
+        static void setup() {
+            RestAssured.baseURI = "http://" + tcSmtpHost();
+            RestAssured.port = maildev.getMappedPort(PORT_HTTP);
+        }
+        
+        @Test
+        void createSession() {
+            given().when().get("/email")
+                .then()
+                .statusCode(200)
+                .body("size()", is(0));
+            
+            // given
+            Session session = new MailSessionProducer().getSession();
+            MailServiceBean mailer = new MailServiceBean(session, settingsServiceBean);
+            
+            // when
+            boolean sent = mailer.sendSystemEmail("test@example.org", "Test", "Test", false);
+            
+            // then
+            assertTrue(sent);
+            //RestAssured.get("/email").body().prettyPrint();
+            given().when().get("/email")
+                .then()
+                .statusCode(200)
+                .body("size()", is(1))
+                .body("[0].subject", equalTo("Test"));
+        }
+        
+    }
+    
+    static final String username = "testuser";
+    static final String password = "supersecret";
+    
+    @Nested
+    @LocalJvmSettings
+    @JvmSetting(key = JvmSettings.MAIL_MTA_SETTING, method = "tcSmtpHost", varArgs = "host")
+    @JvmSetting(key = JvmSettings.MAIL_MTA_SETTING, method = "tcSmtpPort", varArgs = "port")
+    @JvmSetting(key = JvmSettings.MAIL_MTA_AUTH, value = "yes")
+    @JvmSetting(key = JvmSettings.MAIL_MTA_USER, value = username)
+    @JvmSetting(key = JvmSettings.MAIL_MTA_PASSWORD, value = password)
+    class WithAuthentication {
+        @Container
+        static GenericContainer<?> maildev = new GenericContainer<>("maildev/maildev:2.1.0")
+            .withExposedPorts(PORT_HTTP, PORT_SMTP)
+            .withEnv(Map.of(
+                "MAILDEV_INCOMING_USER", username,
+                "MAILDEV_INCOMING_PASS", password
+            ))
+            .waitingFor(Wait.forHttp("/"));
+        
+        static String tcSmtpHost() {
+            return maildev.getHost();
+        }
+        
+        static String tcSmtpPort() {
+            return maildev.getMappedPort(PORT_SMTP).toString();
+        }
+        
+        @BeforeAll
+        static void setup() {
+            RestAssured.baseURI = "http://" + tcSmtpHost();
+            RestAssured.port = maildev.getMappedPort(PORT_HTTP);
+        }
+        
+        @Test
+        void createSession() {
+            given().when().get("/email")
+                .then()
+                .statusCode(200)
+                .body("size()", is(0));
+            
+            // given
+            Session session = new MailSessionProducer().getSession();
+            MailServiceBean mailer = new MailServiceBean(session, settingsServiceBean);
+            
+            // when
+            boolean sent = mailer.sendSystemEmail("test@example.org", "Test", "Test", false);
+            
+            // then
+            assertTrue(sent);
+            //RestAssured.get("/email").body().prettyPrint();
+            given().when().get("/email")
+                .then()
+                .statusCode(200)
+                .body("size()", is(1))
+                .body("[0].subject", equalTo("Test"));
+        }
+        
+    }
+    
+    @Nested
+    @LocalJvmSettings
+    class InvalidConfiguration {
+        @Test
+        @JvmSetting(key = JvmSettings.MAIL_MTA_SETTING, value = "1234", varArgs = "invalid")
+        void invalidConfigItemsAreIgnoredOnSessionBuild() {
+            assertDoesNotThrow(() -> new MailSessionProducer().getSession());
+            
+            Session mailSession = new MailSessionProducer().getSession();
+            MailServiceBean mailer = new MailServiceBean(mailSession, settingsServiceBean);
+            assertFalse(mailer.sendSystemEmail("test@example.org", "Test", "Test", false));
+        }
+        
+        @Test
+        @JvmSetting(key = JvmSettings.MAIL_MTA_SETTING, value = "foobar", varArgs = "host")
+        void invalidHostnameIsFailingWhenSending() {
+            assertDoesNotThrow(() -> new MailSessionProducer().getSession());
+            
+            Session mailSession = new MailSessionProducer().getSession();
+            MailServiceBean mailer = new MailServiceBean(mailSession, settingsServiceBean);
+            assertFalse(mailer.sendSystemEmail("test@example.org", "Test", "Test", false));
+        }
+        
+        @Test
+        @JvmSetting(key = JvmSettings.MAIL_MTA_SETTING, varArgs = "port" , value = "foobar")
+        void invalidPortWithLetters() {
+            assertThrows(IllegalArgumentException.class, () -> new MailSessionProducer().getSession());
+        }
+    }
+}
\ No newline at end of file
diff --git a/src/test/java/edu/harvard/iq/dataverse/util/MailUtilTest.java b/src/test/java/edu/harvard/iq/dataverse/util/MailUtilTest.java
index 205b1f0bfcf..0756c4650fb 100644
--- a/src/test/java/edu/harvard/iq/dataverse/util/MailUtilTest.java
+++ b/src/test/java/edu/harvard/iq/dataverse/util/MailUtilTest.java
@@ -33,6 +33,7 @@ public void setUp() {
 
     }
 
+    /*
     @Test
     public void testParseSystemAddress() {
         assertEquals("support@librascholar.edu", MailUtil.parseSystemAddress("support@librascholar.edu").getAddress());
@@ -46,6 +47,7 @@ public void testParseSystemAddress() {
         assertEquals(null, MailUtil.parseSystemAddress("\"LibraScholar Support Team <support@librascholar.edu>"));
         assertEquals(null, MailUtil.parseSystemAddress("support1@dataverse.org, support@librascholar.edu"));
     }
+    */
 
     @Test
     @Order(1)
diff --git a/src/test/java/edu/harvard/iq/dataverse/validation/EMailValidatorTest.java b/src/test/java/edu/harvard/iq/dataverse/validation/EMailValidatorTest.java
index 0cbc9e52759..614cdae2310 100644
--- a/src/test/java/edu/harvard/iq/dataverse/validation/EMailValidatorTest.java
+++ b/src/test/java/edu/harvard/iq/dataverse/validation/EMailValidatorTest.java
@@ -1,5 +1,8 @@
 package edu.harvard.iq.dataverse.validation;
 
+import edu.harvard.iq.dataverse.settings.JvmSettings;
+import edu.harvard.iq.dataverse.util.testing.JvmSetting;
+import edu.harvard.iq.dataverse.util.testing.LocalJvmSettings;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
@@ -14,7 +17,8 @@
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
-public class EMailValidatorTest {
+@LocalJvmSettings
+class EMailValidatorTest {
 
     private final Validator validator = Validation.buildDefaultValidatorFactory().getValidator();
     
@@ -82,4 +86,27 @@ public void testConstraint(boolean expected, String mail) {
         violations.stream().findFirst().ifPresent( c -> {
             assertTrue(c.getMessage().contains(mail)); });
     }
+    
+    public static Stream<Arguments> emailAsciiUtf8Examples() {
+        return Stream.of(
+            Arguments.of("false", "pete@mailinator.com"),
+            Arguments.of("false", "foobar@mail.science"),
+            Arguments.of("true", "lótus.gonçalves@éxample.com"),
+            Arguments.of("true", "begüm.vriezen@example.cologne")
+        );
+    }
+    
+    @ParameterizedTest
+    @MethodSource("emailAsciiUtf8Examples")
+    @JvmSetting(key = JvmSettings.MAIL_MTA_SUPPORT_UTF8, value = "false")
+    void validateWhenMTADoesNotSupportUTF8(boolean needsUTF8Support, String mail) {
+        assertEquals(!needsUTF8Support, EMailValidator.isEmailValid(mail));
+    }
+    
+    @ParameterizedTest
+    @MethodSource("emailAsciiUtf8Examples")
+    @JvmSetting(key = JvmSettings.MAIL_MTA_SUPPORT_UTF8, value = "true")
+    void validateWhenMTASupportsUTF8(boolean needsUTF8Support, String mail) {
+        assertTrue(EMailValidator.isEmailValid(mail));
+    }
 }
diff --git a/src/test/resources/mail/cert.pem b/src/test/resources/mail/cert.pem
new file mode 100644
index 00000000000..6115183d413
--- /dev/null
+++ b/src/test/resources/mail/cert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEFTCCAv0CFAIjr/AvBVg4EX5/rk5+eFdfsquOMA0GCSqGSIb3DQEBCwUAMIHG
+MQswCQYDVQQGEwJEVjEaMBgGA1UECAwRRGF0YXZlcnNlIENvdW50cnkxFzAVBgNV
+BAcMDkRhdGF2ZXJzZSBDaXR5MS4wLAYDVQQKDCVHbG9iYWwgRGF0YXZlcnNlIENv
+bW11bml0eSBDb25zb3J0aXVtMRswGQYDVQQLDBJUZXN0aW5nIERlcGFydG1lbnQx
+FDASBgNVBAMMC2V4YW1wbGUub3JnMR8wHQYJKoZIhvcNAQkBFhB0ZXN0QGV4YW1w
+bGUub3JnMB4XDTI0MDIyMDA3MTkxOVoXDTM0MDIxNzA3MTkxOVowgcYxCzAJBgNV
+BAYTAkRWMRowGAYDVQQIDBFEYXRhdmVyc2UgQ291bnRyeTEXMBUGA1UEBwwORGF0
+YXZlcnNlIENpdHkxLjAsBgNVBAoMJUdsb2JhbCBEYXRhdmVyc2UgQ29tbXVuaXR5
+IENvbnNvcnRpdW0xGzAZBgNVBAsMElRlc3RpbmcgRGVwYXJ0bWVudDEUMBIGA1UE
+AwwLZXhhbXBsZS5vcmcxHzAdBgkqhkiG9w0BCQEWEHRlc3RAZXhhbXBsZS5vcmcw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzQ55QKM/sVJMb9c5MKtc/
+YW3+MlCrCnGlo42DCjl6noZg8Gji4dOEMo29UcRtYqhOsx7HOXZ5ulj3YKiBfzht
++QV/ZofhMIN9F/N5XCi4MRPorFz+mPck5NDzH1SqYn5zGm5APPqFJlwBWxDKEfqe
+6ir5gG91MzHHuJJSQq3nrSDq+/DXRwg/7L2O7da6pBqti7nYU0T5ql88nddkRhR8
+7NdeZndI+UVmkcnal/3ZpybW8ZNzpiP8nCJO3ASz9kXRC3cITS0zgKxl6USDZs+8
+NAM6R0r8icB89L+i8bOfbyU7nkN9T+xUTTOmalSmsYrMIedIBmcB7NuqbXPLEpeJ
+AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAA4U/uhswbeJB0gX4vfVqYf30A131Rvu
+J4eaVrVLzuByP1R0MvbBCMMYZBlDVDhiFqRh4KdoVWBvTfxf/4McYZ1FhXkgRlOb
+mv/mxVBqnXEu5msviApYmoLzMqgd91F3T4CWs66QIWVTJYh2McRKLG0+IfGp3aox
+YKC/W2RPsUO2fKFnUDkYetXMuWg1KJYKuqE6u2lcoV3uHFphXplClnlwN+IwtWWY
+cgfNBBRpwx6RXTk2XXgpCKYRBthBu1rowp7qiAwX7R5am6wDx0EIbevfR32bDReX
+oAV8c9soJWwAUwH63jqq7KTO8Dg1oGHveZMk4HHGkCqZeGCjbDPaak4=
+-----END CERTIFICATE-----
diff --git a/src/test/resources/mail/key.pem b/src/test/resources/mail/key.pem
new file mode 100644
index 00000000000..84d34efdce8
--- /dev/null
+++ b/src/test/resources/mail/key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCzQ55QKM/sVJMb
+9c5MKtc/YW3+MlCrCnGlo42DCjl6noZg8Gji4dOEMo29UcRtYqhOsx7HOXZ5ulj3
+YKiBfzht+QV/ZofhMIN9F/N5XCi4MRPorFz+mPck5NDzH1SqYn5zGm5APPqFJlwB
+WxDKEfqe6ir5gG91MzHHuJJSQq3nrSDq+/DXRwg/7L2O7da6pBqti7nYU0T5ql88
+nddkRhR87NdeZndI+UVmkcnal/3ZpybW8ZNzpiP8nCJO3ASz9kXRC3cITS0zgKxl
+6USDZs+8NAM6R0r8icB89L+i8bOfbyU7nkN9T+xUTTOmalSmsYrMIedIBmcB7Nuq
+bXPLEpeJAgMBAAECggEAQ3h3TQ9XVslsRxFIsLVNJ49JoWuZng7DwIai3AfMo4Cn
+7jN+HqrFfBO08mUkq9D+rQRQ2MYhd+Zx1sXcFkVmXUnlTlKuYMzsKHiLzIkp0E20
+gxXguHilSI8Qr/kCWlDQ7AyuI2JwHg5WgbIfSxbiP86+FwNGsBNxMI0hEXIEV1ZY
+OFXO6AWO63D4zwbwMT30k8cjfyjGvjEtoGmjnBJcrJLSADCIWLcFCw+Cm8vcRkCd
+BEpfRzeEos/NVdOqCpi1ea3OkGAY94mXxz6gaFRbeJFj9b6st7oVZLBOiMx1eafH
+hgB9JkfVtDogl9B13MkqRN8WAiOgAjIo2Ukq8x1ZkwKBgQD88sdh8k1eldO9UXG1
+BjEsB2mEnzp1hvjuRlMQtnvOjDakbqozzbNQlq9YJxocphLyUPM/BKTsIGp0SPpd
+vo0lgspDJ5eLnHd/Xf/guYvKg90NsHZR6V7hf9Z4JcrwrwvXpf7Lp/m95Jwd930j
+/kPXw25gRFmpJ8Q9ciIk0PF0NwKBgQC1bUTK8iarZHhDGnR+/AhjkfSnb0z725Qb
+w7MYRvicRNWT0wnk3njMMfXYS0rbxw7O5LlSoyCf+n6dGtHqJWCS1+lYuCjCz1vr
+hMVFbpcEhob0OAhg8YMgzQRsmeJcBm8slVEOrmmVhQQZPRBjAaQw2f6cjW/ZhzZd
+JHSiDw3yPwKBgQDLSleB2Zni3al56v3mzh4w05gzVUFHeX2RCoXx1ad1He1AhAxY
+bAakSyaLQ4nR4osxomuMhzAA8iB8araFJwMLVa03AZfjRZIolCR0uMqnrQi42syN
+EnEF7JcyorUScKyk2S0JAmxN+HCcCO7TQaPGwbNwvR4OO/6Un6jfS+nySwKBgH6n
+4bashkJwyWRPO7TKzjB03I9nLB9Hk4YugQEZysWNaGzij62vgjVLS43MQl5cAQJ+
+usHuEACfJ3UWHCWSInFhOg4twob9q/YnonBuXA9UuzITTAYhlKF5fvUyGMyV0VcW
+hpfxOtSfH9Vew+naY32XMiCovMTnmBQ+Nw5L5DiRAoGAV5/JT4z57Y+8npBCRr1m
+NJZBXjQ8rmjYBCs+jOQ48wK2mEgcgARIgVGgi9MZZ2BUFHPThGS1o4OYE+fdqD95
+bvg1XInVpNwebLP6UZa9xZ8oGd3Auxfsav1WJB+CZo2tOX5Qt+GnwiumEr3Dlf1d
+UVXDNM5A/sl1IDL3T3IEdSw=
+-----END PRIVATE KEY-----