How a Swedish gaming platform with 12 million users across 190 countries rebuilt its email architecture around security-first priority tiers — cutting 2FA delivery time from 4.2 seconds to 0.8 and reducing account compromise events by 44%.
A Swedish gaming platform headquartered in Stockholm serves 12 million active users across 190 countries, with the largest player concentrations in the Nordics, Western Europe, Southeast Asia, and Latin America. Email is operational infrastructure for the business: two-factor authentication codes, password resets, purchase confirmations, refund notifications, and — at a separate cadence — promotional announcements for in-game events and seasonal content. In late 2023, the security engineering team surfaced a correlation that reframed how the company thought about its email infrastructure.
Internal security analytics showed that 31% of account compromise events in the preceding six months had been preceded by a failed 2FA code delivery. The pattern was consistent: a player attempts to log in, 2FA is triggered, the code email does not arrive within the 90-second window the authenticator expects, the player either requests repeated codes (fragmenting the delivery pattern further) or falls back to recovery options — SMS-based recovery, email support tickets, or in some cases third-party account-recovery tools whose security properties the platform could not verify. Once the session state was disrupted, attackers with partial credential knowledge were succeeding at a rate the security team considered unacceptable.
Presenting Problems
- 2FA email delivery rate globally at 78%, with average delivery latency of 4.2 seconds — above the 2-second threshold where player behaviour starts to shift toward workarounds
- 31% of account compromise events preceded by failed or delayed 2FA delivery — a direct security-to-email causation
- Southeast Asian delivery rate at 58%, Latin American at 61% — regional ISPs with aggressive filtering treating the platform's gaming-associated content as suspicious
- Single sending stream mixing security-critical (2FA, password reset), transactional (purchase confirmations), and promotional (in-game event announcements) with complaint rates of 0.18% on promotional dragging down reputation for security
- No retry logic differentiation between message types — a deferred 2FA code retried at the same cadence as a promotional newsletter
- No regional infrastructure — all traffic routed through a single European datacenter regardless of recipient geography
The security correlation made the engagement urgent in a way that most email-infrastructure engagements are not. A 2FA failure is not a deliverability inconvenience; it is an active security event in progress. The first intervention was not full migration — it was routing 2FA and password-reset traffic onto clean, low-contention infrastructure while the full priority-tiered architecture was built around it.
-
Day 1–3: Security stream emergency isolation
Provisioned 2 dedicated IPs in Frankfurt and configured a dedicated PowerMTA VMTA for security-only traffic — 2FA codes, password resets, account-recovery emails. Authentication baseline configured with enforced TLS, 2048-bit DKIM, and DMARC at p=none with aggregate reports routed to the security team's incident-response address. Within 72 hours, global 2FA delivery rate climbed from 78% to 91% on the new infrastructure, and average latency dropped from 4.2 seconds to 1.4 seconds.
-
Weeks 2–3: Regional infrastructure for SEA and LATAM
Added 2 dedicated IPs in Singapore (serving Southeast Asia) and 2 in São Paulo (serving Latin America) for security-tier traffic. Regional infrastructure reduces network-level latency by routing messages to ISPs geographically closer to recipients, and — more importantly — establishes sender reputation within regional routing paths that receiving ISPs in those regions weight favourably.
-
Weeks 4–5: Purchase confirmation stream migration
Purchase confirmations and refund notifications — Tier 2 in the new architecture — migrated to a separate pair of dedicated IPs in Frankfurt. This stream requires high reliability but not the sub-second latency of security email. Keeping it on a distinct IP set from security meant that a large purchase-confirmation batch (which can spike to 40,000 messages per minute during a major in-game sale) would not compete for sending capacity with 2FA codes that need to go out immediately.
-
Weeks 6–7: Promotional stream and old infrastructure retirement
Promotional sending — in-game event announcements, seasonal content alerts — migrated to a separate sending domain (
news.gaming-platform.com) on 2 dedicated IPs. This was the final cutover. The old shared infrastructure was drained by Week 7, and the subdomain architecture became the permanent sending topology.
Technical Assessment: Infrastructure Layers Examined
The pre-migration audit focused on three layers where gaming-platform email differs meaningfully from other high-volume senders: latency sensitivity of security traffic, regional delivery pattern variance, and the complaint-rate asymmetry between security and promotional streams.
Latency Analysis Across Message Types
Delivery latency is not a metric that matters equally across message types. A 30-second latency on a promotional announcement is invisible to the recipient; a 30-second latency on a 2FA code produces a retry request and a fragmented authentication session. The pre-migration measurement showed that security-tier messages had a median delivery time of 4.2 seconds globally, with the 95th percentile at 12 seconds — meaning one in 20 2FA codes arrived after the authenticator's default 90-second window had closed. The root cause was SMTP-level queue contention: during promotional bursts, 2FA codes sat in the same PowerMTA queue as bulk marketing, prioritized only by FIFO ordering.
The post-migration architecture gave security traffic its own VMTA, its own queue, and its own retry logic. Queue depth for security traffic is monitored continuously and alerts trigger if queue depth exceeds 50 messages — an indication of unusual conditions rather than a normal operating state. Median delivery latency on the new infrastructure is 0.8 seconds globally, with the 95th percentile at 2.1 seconds. No 2FA code has missed the 90-second authenticator window since Week 3 of deployment.
Regional Delivery Pattern Variance
The Southeast Asian and Latin American delivery rates had been dismissed internally as "regional ISP behaviour" — a framing that accepted the low rates as immutable. The audit surfaced that the real cause was more specific. Southeast Asian ISPs (including the major telcos in Indonesia, Thailand, and Vietnam) routinely apply stricter filtering to email from European IP blocks sending to their consumer domains, because those routes are heavily abused by regional spam operations. Latin American ISPs behave similarly for traffic from European and North American origins.
Moving security-tier email to Singapore-origin and São Paulo-origin IPs — even though the sending domain remained the same — produced a material shift in ISP behaviour. The IPs had regional routing trust that European-origin IPs did not. Southeast Asian delivery rates climbed from 58% to 93% within six weeks of the regional IPs going live; Latin American rates climbed from 61% to 91% in the same timeframe.
Complaint-Rate Cross-Contamination
The 0.18% complaint rate on promotional traffic was not categorically problematic — it is within normal bounds for an engaged gaming audience opting into event notifications. What was problematic was its presence on the same IPs as security-tier traffic. ISPs aggregate reputation signals at the IP level; a 0.18% complaint rate from promotional content was indistinguishable, at the receiving MTA, from a 0.18% complaint rate on transactional content. The security stream was being penalized for behaviour that was legitimate in its own context. Isolating the streams onto distinct IPs eliminated the cross-contamination at the source.
Infrastructure Rebuild: Configuration Decisions
Dedicated VMTAs per priority tier. The three streams run on separate PowerMTA virtual MTAs with different retry policies. Security traffic retries aggressively: if a recipient MTA returns a 421 deferral on a 2FA code, PowerMTA retries every 15 seconds for the first 2 minutes, then backs off. Promotional traffic retries on the standard schedule (15 minutes, 1 hour, 4 hours). The retry-policy differentiation is critical: 2FA codes that miss the authenticator window are functionally lost, so aggressive short-term retry is correct even though it produces higher connection-count load at the receiving ISP.
Subdomain split for promotional content. Promotional email sends from news.gaming-platform.com, a separate subdomain from gaming-platform.com (which handles security and transactional). A player who marks a promotional announcement as spam is affecting the reputation of news.gaming-platform.com, not the domain that delivers their next 2FA code. This is the most direct protection against the cross-contamination pattern that initiated the engagement.
FBL processing with 15-minute suppression latency. Complaint feedback loops are processed by a dedicated worker that adds the complainant to the suppression registry within 15 minutes. For a gaming audience where players may submit FBL complaints reactively (frustrated by a specific promotional email) without actually wanting to unsubscribe from all communications, the fast suppression prevents compounding complaint damage while a separate workflow allows the player to opt back into specific streams through account settings.
Operational Monitoring: What Changed Permanently
Real-time security-tier queue monitoring. The security team has direct access to PowerMTA queue-depth and delivery-latency metrics for the security VMTA. Queue depth above 50 messages triggers a PagerDuty alert to the on-call security engineer, regardless of time of day. In the first 90 days post-deployment, the alert fired twice: once during a failed deployment at a peering ISP (resolved within 14 minutes), once during a distributed login-attempt event that produced a 2FA spike (rate-limiting was added to the player-facing authentication UI within 48 hours to prevent recurrence).
Quarterly regional delivery rate review. Regional delivery rates are reviewed quarterly by the deliverability operations team, not just aggregate global rates. This is the monitoring cadence that surfaced the original SEA/LATAM issue; maintaining it ensures that any future drift — a specific ISP changing filtering policy, a new peering arrangement degrading a route — is detected within a reasonable operational window rather than being discovered by security analytics after players have already been affected.
Separation of metrics by VMTA. Postmaster Tools and SNDS data are reviewed per VMTA, not aggregated. Security-VMTA reputation must remain in the "High" category at Gmail and "Green" at Microsoft SNDS at all times. Promotional-VMTA reputation fluctuations are tolerated within a wider band — promotional content inherently triggers some engagement variance. Treating these two streams as having different reputation requirements changed how the operations team reports metrics upward: the security team sees security metrics; the marketing team sees promotional metrics; neither team's performance is confounded by the other's.
(from 78%)
(from 4.2s)
(6-month measurement)
(from 58% / 61%)
"We had a security problem disguised as an email problem. When 2FA codes don't arrive within the authenticator window, players use workarounds that expose their accounts. The infrastructure change showed up directly in our security metrics — 44% fewer account compromise events in the six months after deployment. This was the rare engagement where the deliverability improvement mapped one-to-one to a business-critical risk reduction."
— Head of Security Engineering, Gaming PlatformThe technical changes in this engagement were straightforward. The more significant work was establishing the monitoring discipline that prevents the gradual drift that caused the original problems — an infrastructure that meets today's ISP requirements but has no ongoing review process will fall behind those requirements within 12-18 months.
— Cloud Server for Email Infrastructure TeamGaming platforms and any consumer service with time-sensitive authentication email share a property that is rare in other industries: a failed or delayed security email is not a delivery inconvenience, it is an active security vulnerability. This shifts the acceptable latency threshold from "fast enough that engagement does not decay" to "fast enough that the authenticator window does not close" — an order of magnitude stricter. Infrastructure decisions that would be overengineering for marketing email — dedicated VMTAs, aggressive retry logic, regional IP origin — become baseline requirements.
The regional infrastructure finding generalizes beyond gaming: any platform serving Southeast Asian or Latin American consumer audiences at meaningful scale should expect materially better delivery from region-origin IPs than from European or North American ones. This is not reputation-dependent; it is a routing-level trust pattern in receiving-ISP filtering logic that responds to IP geography more than to sender identity. For consumer-facing services where regional delivery rates matter, the cost of regional infrastructure is recovered in the first missed-authentication event it prevents.