All articles SMTP & Infrastructure

Transactional Email Infrastructure Design: Building a System That Scales

SSam wallness07 Jul 2026
Transactional Email Infrastructure Design: Building a System That Scales

What Makes Transactional Email Different

Transactional email isn't marketing. It's operational infrastructure — password resets, order confirmations, billing receipts, account alerts, two-factor authentication codes. The people receiving these messages are expecting them, often right now, and something tangible depends on delivery: a login that can't proceed, a purchase that needs confirmation, a payment that needs receipt.

That changes the design requirements entirely. A marketing email that lands in spam is a missed engagement opportunity. A transactional email that lands in spam — or doesn't arrive at all — is a support ticket, a failed login, a churn event, or worse. The infrastructure serving transactional mail needs to be reliable, fast, and fully isolated from anything that could compromise its reputation.

Stream Separation: The Most Important Decision

The most fundamental design decision in transactional email infrastructure is separating transactional and marketing mail streams completely. They should never share the same sending IP, the same domain, or the same SMTP credentials. The reason is straightforward: marketing mail generates spam complaints, and spam complaints damage the sending reputation of every message that IP and domain sends — including your password resets.

Use separate sending domains for each stream. A common convention is mail.yourdomain.com for transactional and news.yourdomain.com for marketing. Each domain gets its own SPF record, its own DKIM key, its own DMARC policy, and its own dedicated IP (or IP pool). This way a complaint spike from a marketing campaign doesn't delay your authentication emails. The guide on separating marketing and transactional mail explains exactly why the mixing problem is worse than it looks — and what inbox providers do about it.

Delivery Speed: Designing for Seconds, Not Minutes

Most transactional emails have implicit latency expectations. A user waiting for a password reset email will wait about 60 seconds before assuming something is broken. A two-factor code may expire in 30. Designing for speed means thinking through the full path from trigger to inbox:

  • Send asynchronously: Never send transactional email synchronously inside a user-facing request. Call your email API in a background task and return a response to the user immediately. Email latency should never block your application's response time.
  • Queue with durability: Use a reliable message queue — Redis, SQS, RabbitMQ, or similar — to buffer transactional sends. If your email provider is briefly unavailable, messages queue rather than being lost. This is the difference between a temporary delay and a permanently lost message.
  • Implement retry with backoff: For messages that receive a 4xx (temporary failure) response, retry with exponential backoff. A 5xx (permanent failure) should trigger an alert and suppression, not a retry loop.

Authentication and Domain Configuration

Transactional mail lives and dies by its authentication setup. SPF and DKIM must be configured specifically for your transactional sending domain — not just your root domain, but the subdomain you're actually sending from. DMARC should be at least p=quarantine, ideally p=reject, to protect the domain from spoofing.

If you're using a third-party SMTP relay for transactional sends, verify that DKIM signing is happening under your domain, not just the relay's shared domain. A shared DKIM signature from the relay provider contributes to their reputation, not yours. For teams using MailDog's SMTP relay, outbound mail is signed with your own domain's DKIM key — configuration details are in the documentation.

Reliability Through Redundancy

For systems where email is genuinely business-critical, plan for provider outages:

  • Primary and fallback providers: Configure a secondary relay that can be activated quickly if your primary has an extended outage. Automatic failover isn't always necessary — a failover that can be executed manually in 10 minutes may be sufficient for most use cases.
  • Webhook processing: Connect delivery, bounce, and complaint webhooks from your relay provider to your application. When a transactional message bounces permanently, your system should respond — updating the contact's deliverability status, triggering a follow-up flow, or alerting an operator.
  • Comprehensive logging: Log the message ID, recipient, send timestamp, and delivery status for every transactional send. When a user opens a support ticket saying "I never got my reset email," you need to be able to determine within 30 seconds whether it was sent, delivered, or bounced.

Monitoring Transactional Delivery

The metrics that matter for transactional email are different from marketing email KPIs:

  • Delivery rate: Percentage of sends accepted by the receiving server (2xx response). Below 95% warrants investigation.
  • Time to delivery: For critical message types, track median delivery time from send to inbox. Track this with seed addresses at Gmail, Yahoo, and Outlook to catch provider-specific issues.
  • Hard bounce rate: Above 2% signals a data quality issue — addresses being collected incorrectly, old data, or a validation gap.
  • Queue depth over time: A growing queue indicates rate limiting, relay issues, or unexpected volume spikes.

Set automated alerts on all four. A delivery rate that drops more than a few percentage points in 24 hours, or a queue that grows without draining, needs attention before it becomes a user-facing incident.

Scaling as Volume Grows

A transactional system that works well at 1,000 messages per day may have bottlenecks that only appear at 100,000. As volume grows, the architecture typically needs to evolve:

  • Add priority queues so authentication emails and payment receipts are delivered before low-urgency notifications like weekly summaries.
  • Add dedicated IPs for your highest-priority message types — a password reset going to the same IP that sends bulk notifications is unnecessary risk.
  • Review sending rate limits with your relay provider and request increases before you hit them — reactive capacity planning always costs more time than proactive planning.

If you're building or scaling a transactional sending program, the MailDog pricing page covers volume tiers and dedicated IP options. The support team can discuss architecture decisions for your specific message types and volume patterns.

Related articles

Transactional Email Infrastructure Design: Building for Reliability at Scale
SMTP & Infrastructure
Sam wallness

Transactional Email Infrastructure Design: Building for Reliability at Scale

Transactional email has fundamentally different infrastructure requirements from marketing campaigns — it needs to be fast, reliable, and completely isolated from anything that could drag down its deliverability. This guide covers the architecture decisions that matter: queue design, authentication, suppression lists, monitoring, and how to test before you go live.

Read article
SMTP Server Hardening: Locking Down Your Mail Transfer Agent
SMTP & Infrastructure
Sam wallness

SMTP Server Hardening: Locking Down Your Mail Transfer Agent

A misconfigured SMTP server can be exploited as an open relay, used to send spam from your domain, or damage your sending reputation in ways that take weeks to repair. This practical hardening checklist covers open relay prevention, TLS enforcement, rate limiting, authentication requirements, and the ongoing monitoring that keeps your mail server secure long-term.

Read article