Documentation for managed PowerMTA + MailWizz infrastructure
Operational documentation for clients running production sending programs on Cloud Server for Email's managed infrastructure. Onboarding procedures, configuration access patterns, monitoring playbooks, incident response, and the integration patterns that connect our infrastructure to your existing CRM, analytics, and observability stack. Written for operators, not for SEO.
This documentation covers a different layer than the API provider documentation you're probably familiar with. Postmark, Mailgun, and SendGrid document REST endpoints and webhook handlers — the code-first integration surface for transactional email. We document the operational layer: how dedicated PowerMTA + MailWizz infrastructure is provisioned, configured, monitored, and recovered when something goes wrong. Both layers are necessary; they just answer different questions. If you need a quickstart for the Postmark API, you're in the wrong place. If you need to understand the 14-day path from contract signing to your first production campaign on dedicated infrastructure, this is it.
Quickstart — first 60 minutes after signing
The most common question after contract signing: "What do I do first?" The five-step quickstart below is the actual path from signing to having your environment ready for the formal onboarding sequence. None of these steps requires writing code; they require coordinating DNS access and authorizing ownership.
Confirm DNS administrative access
The most common bottleneck on day 1 is DNS. We need write access to publish SPF, DKIM, DMARC, MTA-STS, and TLS-RPT records on your sending domains. If your DNS is delegated to a third-party agency (common for marketing teams), arrange access before onboarding begins. The fastest path is delegating a subdomain (e.g., m.yourdomain.com) to NS records we manage; the alternative is publishing records you provide to your existing DNS.
Identify sending domains and IP allocation requirements
Tell us: which domains will send mail, expected monthly volume per domain, expected ISP distribution (B2B vs B2C, regional). This determines IP pool sizing, whether dedicated or shared IPs make sense, and the warmup schedule. As a rough guide: less than 50K monthly emails per domain warrants shared IPs initially; 50K-500K needs 1 dedicated IP minimum; 500K+ needs 2-4 dedicated IPs in a pool with rotation.
Authorize ISP relationships
We register your sending IPs with Microsoft SNDS, Yahoo CFL, Google Postmaster Tools, and other ISP feedback programs. This requires authorization from your domain (we can't register IPs to a domain we don't control authorization for). The standard authorization is a Microsoft account email at your domain plus DNS TXT verification — about 15 minutes of work that saves weeks of reputation visibility delays later.
Define your sending categorization
Marketing campaigns, transactional notifications, and cold prospecting have radically different operational requirements. We need to know upfront whether each domain or sub-domain will send transactional mail, marketing campaigns, or cold prospecting (or some mix). This determines IP pool isolation, throttle profiles, and which compliance constraints apply (CAN-SPAM, GDPR, CASL).
Confirm onboarding contact and incident response point
Two contacts are needed: (a) the technical onboarding lead, who will have day-to-day contact with our team during the 14-day onboarding sequence, and (b) the incident response point, who receives Severity 1 / Severity 2 alerts 24/7 if something goes wrong post-launch. These can be the same person initially, but for production sending programs they should be different roles to ensure 24/7 reachability.
Onboarding timeline — 14 days from signing to first campaign
Onboarding is structured as five hard milestones across 14 calendar days. Each milestone has a specific deliverable and a clear owner (us or you). The cadence assumes typical commercial onboarding; expedited timelines (5-7 days) are possible for clients migrating an existing program with established reputation, and longer timelines (21-30 days) are sometimes warranted for programs requiring extensive list cleanup before first send.
Account provisioned
Dedicated environment provisioned. DNS requirements communicated. Contract executed.
Authentication ready
IPs allocated. SPF, DKIM, DMARC published and propagated. ISP feedback programs registered.
Platform ready
PowerMTA + MailWizz instance configured and accessible. IP warmup schedule activated.
Monitoring connected
SNDS, GPT, FBLs all connected. DNSBL monitoring active. Reputation baseline established.
First campaign live
First production campaign sent with full monitoring stack in place. Steady-state operations begin.
The detailed checklist for each milestone is in Onboarding Process. Before the formal sequence starts, the Getting Started guide walks through the prerequisites and decisions you need to make in week 1.
Documentation sections
The documentation is organized into four operational areas: orientation, configuration, monitoring, and recovery. Each section is structured to match a specific question you'll be answering during the lifecycle of your sending program. The four guides below are the published sections; additional reference material (specific PowerMTA configuration patterns, MailWizz integration recipes, custom monitoring setups) is added quarterly based on client request volume.
Getting Started
First steps with Cloud Server for Email infrastructure. Decisions you'll make before onboarding begins: IP allocation strategy, sending domain segmentation, authentication requirements, and ESP-specific compliance considerations. The orientation guide.
Read documentation →Onboarding Process
The detailed 14-day onboarding sequence. Day-by-day milestones, ownership assignments, deliverables, and the integration checkpoints where your team coordinates with ours. Includes the IP warmup curve, the SNDS/GPT registration sequence, and the first-campaign go-live checklist.
Read documentation →Configuration Reference
Technical reference for PowerMTA and MailWizz configuration in your managed environment. Virtual MTA architecture, throttle profiles per receiver, suppression list handling, MailWizz API access patterns, and the configuration tiers (which parameters you control directly vs which require engineering involvement).
Read documentation →Incident Response
What to do when something goes wrong. Severity classification, escalation paths, expected response times by severity tier, and the runbook for the seven most common incident types: DNSBL listings, reputation collapse, sudden bounce-rate spikes, sending pipeline failures, third-party integration outages, content filter changes, and ISP-specific delivery failures.
Read documentation →MailWizz API Reference
Complete reference for the MailWizz 2.x REST API as deployed on our infrastructure. SDK setup for PHP, Python and Ruby; HTTP method semantics; every endpoint covered with working examples — lists, fields, segments, subscribers (CRUD + bulk + search + upsert), campaigns (regular + autoresponder + recurring), tracking, bounces, countries, customers and templates. Troubleshooting for the four most common production failure modes.
Read documentation →Configuration access tiers — what you control directly vs what requires engineering review
Managed infrastructure draws a line between what clients control directly and what requires engineering review. The line we draw protects clients from accidental configuration that damages reputation while preserving the agility that makes infrastructure useful. Three tiers map to typical sender profiles:
Self-service via MailWizz
- Campaign building, scheduling, and execution
- List management, segmentation, and exports
- Suppression list maintenance (manual + automated)
- Template editor and version control
- Per-campaign reporting and analytics
- API access for programmatic campaign management
- Webhook delivery for opens, clicks, bounces, complaints
- FBL events streamed to your endpoint
PMTA Manager access
- VirtualMTA configuration and throttle rules
- Per-domain routing and per-IP pool assignment
- Custom bounce-classification rules
- Direct PowerMTA accounting log access
- Custom retry and backoff policies
- IP rotation and warmup curve adjustment
- Engineering review provided for non-trivial changes
Root infrastructure access
- Root SSH access on dedicated infrastructure
- Direct PowerMTA configuration file editing
- Custom Lua/script integration in PowerMTA
- Hardware-level monitoring (Prometheus exporters)
- Log shipping to external SIEM
- Custom MailWizz extensions and plugins
- Available for clients with internal mail engineering teams
Monitoring access — what you can see in real time
Visibility is the foundation of operating any high-volume sending program. Without real-time monitoring, the gap between "something went wrong" and "I know what went wrong" can be hours — and at high volumes, hours matter. The monitoring stack provided with managed infrastructure is structured around four data layers: deliverability metrics, infrastructure telemetry, ISP-side reputation feedback, and external blocklist surveillance.
| Monitoring layer | What's exposed | Refresh cadence | Alert delivery |
|---|---|---|---|
| PowerMTA queue and throughput | Active queue depth, deferred queue, retry queue, send rate per IP | Real-time (5-second polling) | Dashboard + Slack/email on threshold |
| MailWizz campaign analytics | Sends, opens, clicks, bounces, complaints, unsubscribes per campaign | Per-event (real-time webhook) | Dashboard + API + webhook |
| DNSBL monitoring | 50+ lists checked hourly per sending IP; alert on any new listing | Hourly (configurable) | 5-minute SLA on alert delivery |
| Microsoft SNDS | IP reputation color (Green/Yellow/Red), complaint rate, spam trap hits | Daily (Microsoft delay 24-48h) | Daily report + alert on color change |
| Google Postmaster Tools | Domain reputation, IP reputation, authentication breakdown, complaint rate | Daily (Google delay 24h+) | Daily report + threshold alerts |
| Microsoft JMRP feedback loop | User-marked-junk reports streamed to suppression queue | Real-time | Webhook to your endpoint + auto-suppression |
| Yahoo Complaint Feedback Loop | User complaints from Yahoo Mail users | Real-time | Webhook to your endpoint + auto-suppression |
| Bounce categorization | Hard / soft / block / spam categorization per recipient | Per-event | API + auto-suppression for hard bounces |
Incident severity model and response SLAs
Not every incident needs the same urgency. The severity model below defines the four classification tiers and the response SLAs we maintain. Severity 1 incidents include direct phone escalation; Severity 2-4 use the standard ticketing flow.
| Severity | Definition | Examples | Response SLA |
|---|---|---|---|
| Sev 1 | Delivery completely down for your IPs/domains. Production sending blocked. | All IPs blocklisted simultaneously. PowerMTA process down. Authentication records misconfigured causing universal rejections. | 15 minutes, 24/7. Direct phone escalation provided. |
| Sev 2 | Significant placement degradation. Single ISP affected, or partial volume affected. | Spamhaus SBL listing on one IP. SNDS color collapsed to Red. Bounce rate suddenly 5x baseline. | 1 hour during business hours (Estonia, GMT+2/+3). 4 hours after hours. |
| Sev 3 | Configuration questions, optimization requests, non-blocking issues. | "How do I add a new sending domain?" "Can we tune throttle for this receiver?" "Why is this campaign showing this bounce pattern?" | 4 hours, business days. |
| Sev 4 | General inquiries, feature requests, scheduled work. | Quarterly review scheduling. New monitoring integration request. Documentation suggestions. | 1-2 business days. |
The full incident response runbook including the severity-classification decision tree, the seven most common incident playbooks, and the escalation contacts is in Incident Response.
API access — what's exposed and what isn't
Managed PowerMTA infrastructure exposes a different API surface than transactional email API providers. Understanding this difference upfront avoids integration mismatches: you can't drop in our infrastructure as a Postmark/Mailgun replacement at the API layer, because the architectural model is different. What we expose is the layer above the SMTP transaction — campaign and list management, monitoring data, and event streams.
| API surface | Available | Use case |
|---|---|---|
| MailWizz campaign API | ✓ Standard | Programmatic campaign creation, list management, statistics retrieval. Most common integration point. |
| MailWizz list / contact API | ✓ Standard | Subscribe, unsubscribe, suppression list management, segment definitions. |
| PowerMTA log shipping | ✓ Tier 2 | Stream PowerMTA accounting events to your stack (Kafka, Loki, S3). Tier 2 access. |
| Webhook events | ✓ Standard | Real-time delivery, open, click, bounce, complaint events posted to your HTTP endpoint. |
| FBL feedback streams | ✓ Standard | Microsoft JMRP, Yahoo CFL events delivered as webhooks with full ARF parsing. |
| Direct SMTP relay credentials | ✓ Standard | SMTP credentials for your application to relay through our PowerMTA infrastructure. |
| High-level "send single email" REST API | Partial | Available via MailWizz transactional API. Not optimized for the same patterns as Postmark/Mailgun (no template versioning, no built-in attachment scanning). |
| Real-time content scanning / spam scoring API | Not exposed | Available indirectly through pre-send analysis — not as a standalone API endpoint. Use Postmark's spam check or Mailgun's content analysis if this is a primary requirement. |
| Inbound email parsing / routing | Available on request | Inbound MX routing and parsing webhooks available on Tier 2. Most clients use Mailgun Routes or AWS SES inbound for this specifically. |
Common integration patterns
The four most common integration architectures we see across clients, with the trade-offs of each:
| Pattern | Use case | Integration depth | Trade-off |
|---|---|---|---|
| MailWizz dashboard only | Marketing teams running scheduled campaigns. Internal tooling not built or integrated. | Tier 1 (zero code) | Lowest friction; campaigns scheduled and managed manually. Suitable up to ~5M emails/month. |
| MailWizz API + your CRM | Triggered campaigns based on events in your CRM (HubSpot, Salesforce, internal). Lists synced bidirectionally. | API integration (low code) | Most common pattern for SaaS. Requires basic API client; minimal custom infrastructure. |
| SMTP relay + your application | Application sends individual emails via SMTP authentication. PowerMTA handles delivery. | SMTP credentials only | Mimics the Postmark/Mailgun pattern. Loses some MailWizz visibility for individual messages but works for transactional patterns. |
| Hybrid: marketing through MailWizz + transactional through SMTP | Marketing campaigns built in MailWizz dashboard; transactional events sent directly via SMTP from application. | Mixed | Most powerful; reflects Postmark's "Message Streams" separation pattern. Requires per-stream configuration. |
Where managed infrastructure fits versus API providers
The transactional email API ecosystem (Postmark, Mailgun, SendGrid, Resend, Amazon SES, Brevo) and managed PowerMTA infrastructure are complementary, not competing. Understanding when each fits saves migration cycles and operational pain. The fundamental distinction:
- API providers are optimized for code-first integration. You send messages by calling REST endpoints; they handle the underlying SMTP, IP reputation, and ISP relationships. Pricing is per-message-sent. Best for transactional volumes (less than 10M emails/month) where developer time is the constraint.
- Managed PowerMTA infrastructure is optimized for operational control at scale. You have dedicated IPs, dedicated MTA instances, and direct access to the throttling and routing layer. Pricing is by infrastructure footprint, not per message. Best for high-volume senders (more than 5M emails/month per program) where reputation isolation, custom routing, or compliance requirements drive the architecture.
The migration patterns we've seen go in both directions:
Coming from API providers
Most common: SendGrid customers hitting either pricing escalation or shared-IP reputation issues at scale. Migration typically takes 3-4 weeks: 1 week to onboard, 2 weeks to dual-send, 1 week to cut over. We provide migration assistance including suppression list import and DMARC alignment.
Coming from self-managed PMTA
Operations teams that built and ran their own PowerMTA but want to offload the operational burden. Migration is faster (1-2 weeks) because the underlying technology is identical — we lift configuration, IP allocations, and DNS into our managed environment.
Going to API providers
Sometimes a client realizes their volume has dropped to a level where API-priced sending is more economical. We support this transition without prejudice — provide configuration exports, migration guidance, and timeline coordination. Customer interest comes first.
Hybrid architecture
Many clients run both: managed infrastructure for marketing/bulk and an API provider (Postmark) for mission-critical transactional. Different reputation pools, different SLAs, different pricing models. We document this pattern in detail in the integration guide.
External references and learning resources
Documentation linking to canonical external sources rather than reproducing them. The following are the references we use ourselves and direct clients to:
- PowerMTA documentation: The official Bird (formerly SparkPost / Port25) PowerMTA documentation is the source of truth for product capabilities and configuration syntax. Available at the Bird customer portal.
- MailWizz user guides: Official documentation at mailwizz.com/kb covers UI workflows, list management, campaign creation, and the API reference.
- Spamhaus FAQs: Definitive on Spamhaus zone semantics and listing/delisting policy at spamhaus.org/faqs.
- Microsoft SNDS: Direct portal at SNDS (migrating to new URL May 2026).
- Google Postmaster Tools: Domain-level reputation at postmaster.google.com.
- M3AAWG best practices: Industry consortium publishing operational best practices at m3aawg.org.
- RFCs: Protocol specs at rfc-editor.org. The most relevant for sender operations: RFC 5321 (SMTP), RFC 7208 (SPF), RFC 6376 (DKIM), RFC 7489 (DMARC), RFC 8461 (MTA-STS), RFC 8617 (ARC).
- Our DNSBL Reference: The 12 DNSBLs that matter, response code mapping, severity tiers, and remediation playbooks at DNSBL Reference.
- Our Glossary: Curated email infrastructure terminology with operational treatment at glossary.
Frequently asked questions
How does managed PowerMTA documentation differ from API provider documentation?
API providers (Postmark, Mailgun, SendGrid) document REST endpoints, SDK installation, and webhook handlers — code-first integration. Managed PowerMTA documentation describes the operational layer: how the dedicated infrastructure is provisioned, what configuration parameters apply to your account, the monitoring access provided, and the incident response procedures when something needs a human. Both layers are necessary, but they answer different questions for different roles.
What's the typical onboarding timeline?
14 calendar days from contract signing to first production campaign, with hard milestones at days 1, 3, 7, 10, and 14. Day 1: account provisioning + DNS access requirements communicated. Day 3: dedicated IPs allocated, SPF/DKIM/DMARC records published. Day 7: PowerMTA + MailWizz instance ready, IP warmup schedule activated. Day 10: deliverability monitoring connected (SNDS, GPT, FBLs). Day 14: first scheduled production campaign with full reputation infrastructure in place.
How is configuration access provided?
Configuration access is tiered. Tier 1 (always): dashboard access to MailWizz with campaign building, list management, suppression lists, and reporting. Tier 2 (on request): direct PMTA Manager access for VirtualMTA configuration, throttle rules, and per-domain routing. Tier 3 (engineering review): root SSH access on dedicated infrastructure for clients with internal mail engineering teams. Most clients operate at Tier 1; Tier 2 is the most common upgrade.
What monitoring access do you provide?
Real-time PowerMTA queue and throughput dashboards, hourly DNSBL checks across 50+ lists with 5-minute alerting, MailWizz campaign analytics, daily reputation reports from SNDS and Google Postmaster Tools (when registered to your domain), and weekly deliverability reviews summarizing inbox placement trends. Custom monitoring (log shipping to your SIEM, Prometheus/Grafana endpoints) is available at Tier 2.
What's the incident response SLA?
Severity 1 (delivery completely down for your IPs): response within 15 minutes, 24/7. Severity 2 (significant placement degradation, single ISP affected): response within 1 hour during business hours (Estonia time, GMT+2/+3). Severity 3 (configuration questions, optimization requests): response within 4 hours, business days. Severity 4 (general inquiries, feature requests): 1-2 business day response. Severity 1 incidents include direct phone escalation paths.
Do you provide API access?
Yes, but it's a different layer than Postmark/Mailgun-style APIs. We expose the MailWizz API for programmatic campaign management (list operations, campaign creation, statistics retrieval), the PowerMTA log access for shipping events to your stack, and webhook delivery for FBL events and bounces. We do not expose a high-level REST API for individual email sending — that pattern is better served by Postmark or Mailgun than by managed PowerMTA. Customers typically integrate at the MailWizz API level.
How is documentation kept current?
Documentation is reviewed quarterly against current vendor docs (PowerMTA release notes, MailWizz changelogs), and updated immediately for any breaking change in our infrastructure. The "Last updated" timestamp on each guide is authoritative — guides older than 6 months without revision are flagged in our review queue. Critical changes (new authentication requirements from Gmail/Yahoo, breaking SNDS migrations) trigger same-day documentation updates and customer notifications.
Can I export my data and configuration?
Yes, at any time. Lists, suppressions, and campaign history are exportable from MailWizz in standard CSV/SQL formats. PowerMTA configurations (config files, virtual MTA definitions) are provided on request. There is no vendor lock-in mechanism — the infrastructure is built on standard PowerMTA + MailWizz, so migration to self-hosted or to another managed provider is straightforward technically. We will support export and migration assistance for any client leaving the platform without prejudice.
What if our team has internal PowerMTA expertise?
Tier 3 access (root SSH) is designed for exactly this case. Internal mail engineering teams get direct visibility into PowerMTA configuration files, accounting logs, and the ability to make changes within the boundaries of our shared operational responsibilities. Engineering review is required for changes that affect IP reputation or shared infrastructure, but day-to-day configuration is yours to control.
How do you handle DNS for sending domains?
Two patterns: (1) you delegate a subdomain (typically m.yourdomain.com) to NS records we manage — fastest, cleanest separation between your application DNS and sending DNS; (2) you publish records we provide on your existing DNS — slower (depends on your team's DNS update cadence) but keeps DNS authority entirely with you. The delegation pattern is recommended for clients with multiple sending domains or who want to isolate marketing DNS from corporate DNS.
Ready to start onboarding?
Begin with the Getting Started guide for orientation, then schedule your kickoff call. We'll walk through the 14-day onboarding sequence and confirm the prerequisites for your specific sending program.