Transactional email — order confirmations, password resets, 2FA codes, invoice emails, shipping notifications — operates under fundamentally different delivery requirements than marketing email. Transactional messages are expected, triggered by user actions, and time-sensitive. A delayed 2FA code that arrives 90 seconds after the user initiated authentication is functionally a failure. A password reset email that lands in spam leaves users locked out of their accounts. The infrastructure decisions that maximise transactional deliverability are not the same as those that optimise marketing campaign inbox placement.
Why Transactional Needs Separate Infrastructure
The single most important architectural decision for transactional email is infrastructure isolation. Mixing transactional and marketing email on shared IPs creates a direct risk: a marketing campaign that generates elevated complaint rates damages the same IPs that deliver your 2FA codes and password resets. Your authentication emails start going to spam precisely when users are most frustrated and need them most — during account recovery, onboarding, or checkout completion.
The risk is asymmetric: a failed transactional email costs you a customer, a support ticket, or a security incident. A delayed marketing newsletter costs you an open. The business consequence of the two failure modes is not comparable, and that asymmetry should be reflected in infrastructure design: transactional email gets dedicated IPs with the highest historical engagement (every transactional email generates an implicit positive signal — users open auth emails at 90%+ rates) while marketing email uses separate IPs where complaint rate variation is isolated.
Open Rate by Email Type — Why Transactional IPs Build Reputation Faster
SMTP vs API Delivery — Choosing the Right Method
Transactional email can be delivered via direct SMTP connection or via an HTTP API that abstracts the SMTP layer. For dedicated infrastructure, SMTP is almost always the correct choice for transactional email from internal applications — it provides lower latency, direct bounce handling, and full control over authentication and delivery parameters. API delivery makes more sense for external integrations or third-party services that need a simple webhook interface.
| Method | Latency | Control | Complexity | Best for |
|---|---|---|---|---|
| Direct SMTP (dedicated relay) | Lowest — direct connection | Full — all headers, IPs | Medium | Internal apps, high volume, SaaS |
| SMTP via ESP relay | Low | Limited — shared pool options | Low | Small volume, no dedicated infra |
| HTTP API (dedicated) | Low (webhook overhead) | Full | Low | External integrations, mobile apps |
| HTTP API (shared ESP) | Variable | Minimal | Lowest | Low volume, development testing |
Authentication Configuration for Transactional Email
Transactional email authentication must be configured for alignment — the DKIM signing domain must match the From: header domain. Most transactional email frameworks (Postfix, Sendgrid library, AWS SES SDK) sign with a default relay domain if not explicitly configured. This causes DMARC alignment failures on transactional email even when authentication is technically passing.
# Open a received transactional email in Gmail → More options → Show original
# Look for the Authentication-Results header:
Authentication-Results: mx.google.com;
dkim=pass header.i=@yourapp.com; ← Good: signing domain matches From:
spf=pass smtp.mailfrom=bounce@yourapp.com;
dmarc=pass (p=QUARANTINE) header.from=yourapp.com;
# vs. misconfigured:
Authentication-Results: mx.google.com;
dkim=pass header.i=@sendgrid.net; ← Bad: signing domain is ESP's domain
spf=pass smtp.mailfrom=bounce@sendgrid.net;
dmarc=fail header.from=yourapp.com; ← DMARC fails due to misalignment
# Fix: configure custom DKIM domain at your transactional provider
# or use a self-hosted relay that signs with your own domain key
Transactional Email Latency Monitoring
Unlike marketing email where a 30-minute delivery delay is acceptable, transactional email latency is a user experience metric. 2FA codes with 30-second validity windows must arrive in under 5 seconds. Password reset links must arrive before the user gives up and requests another one. Order confirmations should arrive before the customer wonders if their payment was processed.
▶ Transactional email latency monitoring setup
Problem: 2FA emails taking 45–90 seconds to arrive during peak hours. Support volume increased 35% from "I never got my code" tickets. Root cause: 2FA sends queued behind daily transaction summary emails on the same MTA instance. The transaction summaries sent at 08:00 UTC created a queue of 120K messages that transactional sends had to wait behind.
Solution: Dedicated Postfix instance for auth email (2FA, password reset, security alerts) on IP 203.0.113.10 with max-queue-lifetime=300 (5 minutes). Marketing and summaries on separate instance on 203.0.113.11. Priority queue parameter set so auth messages route to the high-priority queue regardless of send time.
Outcome: p95 2FA delivery latency: 4.2 seconds. "Missing code" support tickets: 94% reduction. DKIM alignment verified on both instances — transactional IP maintained Gmail domain reputation at High throughout the migration.