Transactional email — order confirmations, password resets, 2FA codes, invoice emails, shipping notifications — operates under fundamentally different delivery requirements than marketing email. Transactional messages are expected, triggered by user actions, and time-sensitive. A delayed 2FA code that arrives 90 seconds after the user initiated authentication is functionally a failure. A password reset email that lands in spam leaves users locked out of their accounts. The infrastructure decisions that maximise transactional deliverability are not the same as those that optimise marketing campaign inbox placement.

< 5s
Target: 2FA and auth emails must arrive within 5 seconds
Dedicated IPs
Transactional must never share IPs with marketing sends
99.9%
Target inbox placement for transactional — spam folder = failure
Highest priority
Transactional queue always ahead of marketing in MTA priority

Why Transactional Needs Separate Infrastructure

The single most important architectural decision for transactional email is infrastructure isolation. Mixing transactional and marketing email on shared IPs creates a direct risk: a marketing campaign that generates elevated complaint rates damages the same IPs that deliver your 2FA codes and password resets. Your authentication emails start going to spam precisely when users are most frustrated and need them most — during account recovery, onboarding, or checkout completion.

The risk is asymmetric: a failed transactional email costs you a customer, a support ticket, or a security incident. A delayed marketing newsletter costs you an open. The business consequence of the two failure modes is not comparable, and that asymmetry should be reflected in infrastructure design: transactional email gets dedicated IPs with the highest historical engagement (every transactional email generates an implicit positive signal — users open auth emails at 90%+ rates) while marketing email uses separate IPs where complaint rate variation is isolated.

Open Rate by Email Type — Why Transactional IPs Build Reputation Faster

90% 70% 50% 30% 92% 2FA/Auth 85% Order confirm 64% Shipping notify 28% Newsletter 18% Promo email

SMTP vs API Delivery — Choosing the Right Method

Transactional email can be delivered via direct SMTP connection or via an HTTP API that abstracts the SMTP layer. For dedicated infrastructure, SMTP is almost always the correct choice for transactional email from internal applications — it provides lower latency, direct bounce handling, and full control over authentication and delivery parameters. API delivery makes more sense for external integrations or third-party services that need a simple webhook interface.

MethodLatencyControlComplexityBest for
Direct SMTP (dedicated relay)Lowest — direct connectionFull — all headers, IPsMediumInternal apps, high volume, SaaS
SMTP via ESP relayLowLimited — shared pool optionsLowSmall volume, no dedicated infra
HTTP API (dedicated)Low (webhook overhead)FullLowExternal integrations, mobile apps
HTTP API (shared ESP)VariableMinimalLowestLow volume, development testing

Authentication Configuration for Transactional Email

Transactional email authentication must be configured for alignment — the DKIM signing domain must match the From: header domain. Most transactional email frameworks (Postfix, Sendgrid library, AWS SES SDK) sign with a default relay domain if not explicitly configured. This causes DMARC alignment failures on transactional email even when authentication is technically passing.

Checking transactional email authentication — Gmail header inspection
# Open a received transactional email in Gmail → More options → Show original
# Look for the Authentication-Results header:

Authentication-Results: mx.google.com;
       dkim=pass header.i=@yourapp.com;      ← Good: signing domain matches From:
       spf=pass smtp.mailfrom=bounce@yourapp.com;
       dmarc=pass (p=QUARANTINE) header.from=yourapp.com;

# vs. misconfigured:
Authentication-Results: mx.google.com;
       dkim=pass header.i=@sendgrid.net;     ← Bad: signing domain is ESP's domain
       spf=pass smtp.mailfrom=bounce@sendgrid.net;
       dmarc=fail header.from=yourapp.com;   ← DMARC fails due to misalignment

# Fix: configure custom DKIM domain at your transactional provider
# or use a self-hosted relay that signs with your own domain key

Transactional Email Latency Monitoring

Unlike marketing email where a 30-minute delivery delay is acceptable, transactional email latency is a user experience metric. 2FA codes with 30-second validity windows must arrive in under 5 seconds. Password reset links must arrive before the user gives up and requests another one. Order confirmations should arrive before the customer wonders if their payment was processed.

▶ Transactional email latency monitoring setup
1
Instrument your send code with timestamps — Log the timestamp when your application calls the send API or SMTP connection. Log a second timestamp when you receive the delivery webhook or SMTP 250 OK response. The difference is your end-to-end latency.
2
Set up a synthetic monitoring job — Send a test transactional email to a seed address every 5 minutes. Measure time from send to receipt at the seed mailbox. Alert if p95 latency exceeds your SLA threshold (typically 30 seconds for auth email).
3
Monitor MTA queue depth separately for transactional — If transactional email shares an MTA with marketing sends, a large marketing queue can delay transactional delivery. Use separate queues or separate MTA instances to prevent marketing queue depth from affecting transactional latency.
4
Alert on spam folder placement via seed testing — Check inbox placement on transactional seed addresses daily. Any transactional email landing in spam is a priority incident regardless of the delivery rate metric — 100% delivery to spam is still 0% useful delivery.
📋 Client case — FinTech app, 850K monthly transactional sends

Problem: 2FA emails taking 45–90 seconds to arrive during peak hours. Support volume increased 35% from "I never got my code" tickets. Root cause: 2FA sends queued behind daily transaction summary emails on the same MTA instance. The transaction summaries sent at 08:00 UTC created a queue of 120K messages that transactional sends had to wait behind.
Solution: Dedicated Postfix instance for auth email (2FA, password reset, security alerts) on IP 203.0.113.10 with max-queue-lifetime=300 (5 minutes). Marketing and summaries on separate instance on 203.0.113.11. Priority queue parameter set so auth messages route to the high-priority queue regardless of send time.
Outcome: p95 2FA delivery latency: 4.2 seconds. "Missing code" support tickets: 94% reduction. DKIM alignment verified on both instances — transactional IP maintained Gmail domain reputation at High throughout the migration.