You are required to process data in such a way as to keep it safe, not collect data you don't need,* don't keep it for longer than you need** and don't subsequently process it in some other way (e.g. being daft enough to spam your customers) for which you don't have the data subject's explicit informed consent.
It's up to you to work out how best to achieve that. Presumably you're primarily concerned with the safe-keeping aspect. You need to assure yourself that your email provider has adequate safeguards in that respect. Can you do that, to your own satisfaction with your existing provider? Does you contract with your existing provider indemnify you for any fines you might experience under GDPR for any shortcomings on their side? (It's not the only way to reassure you but if they're prepared to sign up to that it indicates that they believe their systems are good enough or at least they have good insurance). Note that you'd have to assure yourself in the same way in respect of an EU provider but you might feel that the different legal frameworks make that assurance easier.
But the bottom line is that GDPR determines your responsibilities in processing personal data of EU residents. How you fulfil those responsibilities is up to you and your skill and judgement. In that respect it's no different to any other aspect of your business, say taking customers' money in advance of providing goods and services, if that's what you do, are taking delivery from your suppliers before paying them. In each of those cases you, like any other business, have a responsibility not to defraud your customers but how you manage your financial affairs is up to you. Processing customer data within GDPR is going to be just another aspect of being in business.
* The need is in terms of providing the goods or service which the data was collected, not what your customer pestering department thinks they need.