- March 2023
- Engineering Memo · External Release
Transactional email is not like marketing email. When a customer clicks "reset my password" or completes a payment that triggers a receipt, they are waiting for the email. The expected delivery window is measured in seconds, not hours. A transactional message that takes 4 minutes to deliver instead of 10 seconds has produced a poor user experience — the customer has likely abandoned the flow, called support, or concluded the product is broken. A transactional message that lands in the spam folder is effectively not delivered at all; most users never check spam for expected system messages.
This note documents why transactional email requires dedicated infrastructure separate from promotional email, how to configure that infrastructure for the specific latency and deliverability requirements of transactional traffic, and the monitoring practices that ensure reliability at the level transactional email demands.
Why Transactional Email Cannot Share Infrastructure with Promotional
The fundamental problem with sharing sending infrastructure between transactional and promotional email is reputation contamination. Promotional campaigns generate complaint rates, bounce rates, and engagement patterns that differ dramatically from transactional email — and the ISP's reputation model applies the aggregate signals from both traffic types to the shared IP and domain. A promotional campaign that generates 0.08% complaint rate in a shared pool contaminates the pool's reputation in a way that affects the transactional message delivered 30 minutes later from the same IP.
Transactional email has naturally excellent reputation signals: recipients actively want the message (they triggered it), open and click rates are very high (password reset links are clicked by nearly everyone who receives them), and complaint rates are nearly zero (users don't mark expected system messages as spam). These excellent signals, if attributed to a dedicated transactional IP pool, build High domain reputation that provides generous ISP rate limits and strong inbox placement for all transactional sends. Mixed with promotional traffic's weaker signals, the transactional reputation advantage is diluted.
The contamination also operates in the reverse direction: when a transactional email is delayed because the shared pool is rate-limited from a promotional campaign's complaint rate spike, the transactional message latency degrades. A promotional campaign that pushes Yahoo's rate limits doesn't just delay more promotional messages — it delays any transactional messages to Yahoo that are queued behind the throttled promotional traffic. Users waiting for 2FA codes or purchase confirmations experience the latency from a campaign they were not even involved with.
Figure 1 — Correct Transactional Email Isolation Architecture
Separate virtual MTAs, separate IP pools, separate domains (or subdomains) for transactional and promotional ensure no reputation contamination in either direction.
The Latency Requirements: What "Fast" Means for Transactional Email
Transactional email latency requirements vary by message type. Understanding the specific latency requirements of each transactional type informs the infrastructure configuration priorities:
One-time passwords (OTP) and 2FA codes: The most latency-sensitive transactional email category. OTP codes typically expire in 5–10 minutes. If the email takes 3 minutes to deliver, the user has only 2–7 minutes remaining to enter the code before it expires and they must request a new one. The round-trip of requesting, receiving, and entering the code must complete within the OTP validity window. Target delivery time: under 30 seconds from injection to ISP acceptance. This requires a queue-free path from injection to delivery — the transactional pool must never have a backlog that delays OTP sends.
Password reset emails: The user is waiting with an expired session, unable to proceed until the reset link arrives. Every minute of delivery delay is a minute of user frustration and abandonment risk. Target delivery time: under 60 seconds. The business cost of 4-minute delivery is measurable in support ticket volume — password reset abandonment rates are significantly higher for programmes with slow transactional delivery.
Payment confirmations and order receipts: Less time-sensitive than OTP or password reset, but users expect confirmation within minutes of completing a transaction. Target delivery time: under 3 minutes. Delivery beyond 5 minutes triggers user anxiety about whether the transaction succeeded. Delivery beyond 10 minutes generates support contacts.
Account notifications and alerts: Variable latency tolerance. A weekly summary notification can tolerate hours of latency; a fraud alert or security breach notification has near-OTP urgency. Categorise alert types and apply latency requirements accordingly — not all account notifications have the same urgency profile.
PowerMTA Configuration for Transactional Latency
The PowerMTA configuration for transactional pools prioritises throughput and immediate delivery over the complex retry and throttle management appropriate for promotional traffic. Key configuration differences:
# Transactional virtual MTA — priority configuration
<virtual-mta vmta-transactional>
smtp-source-host 203.0.113.1 mail.yourdomain.com
max-smtp-out 30 # More simultaneous connections for low-volume, high-priority
smtp-pattern-list transact-patterns
queue-life 2h # OTP messages older than 2h are useless — don't retry forever
retry-after 30s # Fast initial retry for temporary failures
max-msg-per-connection 1 # One message per connection — no pipelining delays
always-inline-images no
</virtual-mta>
# Transactional domain block for Gmail — prioritise acceptance speed
<domain gmail.com>
use-virtual-mta vmta-transactional
max-smtp-out 20 # Maintain persistent connections
max-msg-per-connection 1
retry-after 30s 1m 2m # Quick retries for transactional
max-failures-before-backoff 2
</domain>
The queue-life parameter deserves specific attention. For OTP and 2FA messages, a queue-life of 30–60 minutes is appropriate — an OTP code that has been queued for 1 hour is almost certainly expired and should not be delivered. Delivering an expired OTP causes user confusion (they enter it, get an "expired code" error, and must request a new one) rather than helping. Setting queue-life to match the OTP validity window means expired messages are dropped from the queue before delivery rather than delivered uselessly after the expiry window.
The max-msg-per-connection setting of 1 for transactional pools prevents pipelining — sending multiple messages in a single SMTP session — which would delay the second and subsequent messages in the session queue. For promotional bulk sending, pipelining improves throughput efficiency. For transactional sending, where each message may be destined for a different recipient who is actively waiting for it, pipelining adds latency that the throughput efficiency doesn't justify.
Domain Strategy for Transactional Email
Transactional and promotional email should send from different domains or subdomains where possible, to enable complete reputation isolation at the domain level as well as the IP level. The standard approach: use the primary domain for transactional email (noreply@yourdomain.com) and a dedicated marketing subdomain for promotional email (hello@mail.yourdomain.com or campaigns@email.yourdomain.com).
This domain separation ensures that Gmail Postmaster Tools domain reputation for the primary domain reflects only transactional sending signals — which are naturally excellent (high engagement, near-zero complaint rates). The promotional subdomain accumulates the reputation appropriate to promotional traffic, which is typically lower than transactional but independently managed. A promotional campaign that generates an elevated complaint rate affects mail.yourdomain.com's reputation without any effect on yourdomain.com's reputation.
The SPF and DKIM configuration must cover both sending domains separately. The primary domain's SPF and DKIM cover the transactional MTA; the marketing subdomain's SPF and DKIM cover the promotional MTA. DMARC records should be published at both the primary domain and the marketing subdomain (or the parent domain if using subdomain inheritance). The separation adds DNS management overhead but provides the clean domain-level reputation isolation that justifies the additional configuration.
Table 1 — Transactional vs promotional infrastructure: key configuration differences
| Parameter | Transactional pool | Promotional pool | Reason for difference |
|---|---|---|---|
| queue-life | 30 min – 2 hours | 2 – 5 days | Expired OTP is useless; promotional can retry for days |
| retry-after (initial) | 30s – 1 min | 5 – 15 min | Transactional must retry fast; promotional can wait |
| max-msg-per-connection | 1 (no pipelining) | 20 – 50 (pipelining enabled) | Pipelining adds latency; throughput > latency for bulk |
| IP count | 1 – 3 IPs | 3 – 10+ IPs | Transactional volume is low; throughput need is burst-limited |
| monitoring priority | P1 — latency + delivery alerts | Standard — delivery rate + reputation | Any transactional failure is user-visible; promotional delays are not |
Monitoring Transactional Delivery: Alert Thresholds
Transactional email monitoring requires different alert thresholds than promotional email monitoring. A promotional campaign delivery rate of 96% warrants investigation but not emergency response. A transactional message delivery rate of 96% means 4% of password reset requests, OTP codes, or payment confirmations are failing to reach users — which is an immediate user experience and support incident.
The transactional monitoring stack: queue depth alert when any transactional queue exceeds 100 messages (for most programmes, the transactional queue should be near-zero between send events — a growing queue indicates a delivery problem); delivery latency alert when the 90th-percentile delivery time for OTP messages exceeds 45 seconds; delivery rate alert when the per-campaign delivery rate drops below 99% for any transactional message type; DNSBL alert that triggers within 15 minutes of any transactional IP appearing on any major blacklist.
The DNSBL alert for transactional IPs is particularly important. A blacklisting on a promotional IP reduces delivery rates for campaigns and is a significant incident. A blacklisting on the transactional IP stops OTP delivery for users who are actively trying to log in — which is an immediate product outage from the user's perspective. Transactional IP DNSBL monitoring must be real-time (15-minute check intervals or less), and the response protocol must include immediate pause of transactional sends followed by emergency delisting procedures, with a failover IP ready to activate if delisting cannot be completed within the SLA.
Failover Architecture for Transactional Reliability
High-stakes transactional email requires failover capability that promotional email can often defer. A promotional campaign can be rescheduled if the primary MTA is unavailable for an hour; an OTP request that fails cannot be rescheduled — the user is waiting now. Transactional infrastructure should be designed for Active-Passive failover with automatic promotion of the secondary within 60 seconds of primary failure detection.
The sending application should be configured with two SMTP injection endpoints: primary (transactional MTA on production infrastructure) and secondary (failover MTA on separate infrastructure, or the promotional pool configured to accept transactional traffic at elevated priority during primary failure). The application switches to secondary automatically if the primary SMTP endpoint does not respond within the configured timeout (5–10 seconds for transactional tolerance).
The secondary MTA may have lower reputation and less generous ISP rate limits than the primary transactional pool — it is a failover, not a permanent replacement. But during a primary failure event, delivering OTP codes through a secondary IP with slightly lower throughput is significantly better than not delivering them at all. The failover acceptance criteria: any secondary infrastructure that can achieve 95%+ delivery rate with under 60-second latency during the failover window is acceptable for transactional emergency traffic. The objective during failover is reliability, not optimal performance.
Quarterly failover testing — routing 100 transactional messages through the secondary infrastructure and verifying delivery rate and latency — validates that the failover path is operational and that its configuration has not drifted from the acceptable state. A failover infrastructure that has not been tested in 6 months should be treated as unverified and tested before any major product event that would make transactional email reliability critical (a product launch, a high-volume promotional push that risks primary pool saturation, or a period of known infrastructure maintenance).
The SLA Conversation: What Transactional Delivery Guarantees Are Realistic
Product and engineering teams often want specific delivery SLAs for transactional email: "99.9% of OTP codes delivered within 30 seconds." These SLAs are reasonable in concept but require careful definition of the measurement methodology and the variables that are and are not within the infrastructure operator's control.
Within the infrastructure operator's control: the time between message injection into the MTA and the MTA's first SMTP delivery attempt (should be under 2 seconds for properly configured transactional infrastructure); the retry interval when a temporary failure is received (30 seconds initial retry, as configured above); the queue-life setting that prevents stale OTP delivery.
Outside the infrastructure operator's control: the ISP's SMTP processing time after accepting the message (typically seconds, but can be longer during ISP-side events); the recipient's email client's fetch interval (mobile email clients on push-enabled setups receive messages within seconds; desktop clients on a 15-minute fetch schedule may not display the message for up to 15 minutes after delivery); and ISP-side greylisting events that defer the initial delivery attempt (greylisting produces a 4XX temporary failure that the MTA retries, adding latency beyond the first attempt).
A realistic transactional email delivery SLA from the infrastructure side: 99.5% of messages will be accepted by the ISP within 60 seconds of injection, under normal operating conditions (no blacklistings, no ISP-side events, no greylisting on first attempt). For OTP messages, this 60-second ISP acceptance time is the critical metric — what happens after ISP acceptance is outside the infrastructure's control. Engineering teams setting OTP validity windows should account for the full end-to-end latency including client fetch time — a 10-minute OTP validity window accommodates even the worst-case 15-minute desktop fetch interval, while a 3-minute window creates the expectation of near-instant delivery that infrastructure cannot guarantee for all recipient configurations.
Volume Patterns and Transactional Pool Sizing
Transactional email volume has a fundamentally different pattern from promotional volume. Promotional volume is batch-injected at campaign launch — large volumes injected in a short window, then nothing until the next campaign. Transactional volume is event-driven — individual messages triggered by individual user actions, distributed throughout the day with spikes at peak usage times (login surges, end-of-day purchase spikes, mobile app peak hours).
The transactional pool IP count requirement is typically lower than promotional because the volume is lower — 10,000 OTP codes per day is modest for most applications, well within the throughput capacity of 1–2 dedicated IPs. But the latency requirement is stricter than promotional, because each individual message must be delivered within seconds rather than campaigns completing within hours.
The pool sizing calculation for transactional: identify the peak burst rate (the maximum number of transactional messages expected in any 60-second window). This is the worst-case scenario — a product launch, a major authentication event, or a Black Friday checkout surge. The transactional pool must be able to process this peak burst rate with under 30-second queue wait time per message. At Gmail's acceptance rate of approximately 5 messages per second per established IP, a peak burst of 150 transactional messages per minute requires at least 1 well-established IP with comfortable headroom for ISP-side rate limiting. A peak burst of 1,000 messages per minute requires 3–4 established transactional IPs.
Plan pool sizing for the peak burst, not the average volume. A transactional pool that handles 5,000 messages per day comfortably may experience a 600-message burst in a single minute during a peak event — and the queue that builds during that burst must clear within 60 seconds for the last OTP code in the burst to be delivered within SLA. Under-sized pools during burst events produce exactly the latency failures that transactional email infrastructure is specifically designed to prevent.
Reputation Advantages of Pure Transactional Pools
A dedicated transactional IP pool that carries only OTP, receipt, and reset traffic develops a unique reputation profile at ISPs that is measurably better than any mixed-traffic pool can achieve. The engagement signals from transactional traffic are exceptionally positive — nearly 100% of recipients open password reset emails (they are waiting for them), OTP messages have click rates that approach 100% (the OTP link is the only reason for opening the message), and complaint rates are near-zero (users don't mark expected system messages as spam).
These signals, accumulated over months and years on a dedicated transactional IP, produce the highest possible ISP reputation tier for that IP. Gmail treats the transactional IP as a trusted sender based on the consistent positive engagement history. The practical consequence: Gmail's accepting rate for this IP may be more generous than for promotional IPs, ISP-side greylisting (common for new or lower-reputation IPs) becomes less frequent, and inbox placement for transactional messages approaches 100% — as it should, because transactional emails are never spam.
This reputation advantage is destroyed if promotional traffic is mixed into the transactional pool — even occasionally, even with low complaint rates. Promotional traffic introduces complaint signals, lower engagement signals, and bounce signals that gradually erode the pure transactional reputation profile. The operational discipline of never mixing traffic types — enforced at the application injection layer, not just at the MTA configuration layer — is the practice that maintains the transactional pool's reputation advantage indefinitely.
Transactional email infrastructure is not a scaled-down version of promotional infrastructure — it is a specifically configured, separately isolated, continuously monitored infrastructure with requirements that differ fundamentally from promotional at every layer: latency requirements measured in seconds rather than hours, queue-life settings that expire useless messages, per-connection pipelining disabled, failover capability with automatic promotion, DNSBL monitoring with 15-minute check intervals, and a pool reputation built entirely from positive transactional engagement signals. The investment in this separate infrastructure pays continuous returns in OTP delivery reliability, password reset success rates, and the trust signal that consistent transactional delivery builds with users who know they can rely on system messages from the product to arrive immediately.
Operational Checklist: Setting Up Transactional Infrastructure Correctly
For teams configuring dedicated transactional infrastructure for the first time, the following checklist covers the setup requirements that must be verified before the first transactional message is sent from the new pool.
Authentication: DKIM 2048-bit key published for the transactional sending domain. SPF record updated to cover the transactional IP address. DMARC record published at the transactional domain (or parent domain if using subdomain inheritance). FCrDNS verified for the transactional IP — the PTR record and the A record resolve to each other consistently. Send a test message and verify Authentication-Results shows dkim=pass and spf=pass with the transactional domain.
PowerMTA configuration: Separate virtual MTA for the transactional pool with the IPs that are not shared with any promotional pool. queue-life set to match the most latency-sensitive message type (OTP validity window or 1 hour, whichever is shorter). max-msg-per-connection set to 1. retry-after starting at 30 seconds. Domain blocks for the major ISPs configured with transactional-appropriate settings (faster retry, no pipelining).
Application injection: The sending application routes messages by type — transactional types (OTP, receipt, reset, account notification) inject to the transactional SMTP endpoint; all other message types inject to the promotional endpoint. Verify the routing logic by sending test OTP and test promotional messages and confirming each appears in the correct pool's accounting log.
Monitoring: Queue depth alert configured for the transactional pool (trigger at 50+ messages queued). DNSBL monitoring configured for all transactional IPs with 15-minute check intervals. Delivery latency monitoring extracting the time-from-injection to ISP-acceptance from the accounting log for all transactional message types. PagerDuty or equivalent alerting configured for any transactional-pool P1 condition (blacklisting, queue depth above threshold, delivery rate below 99%).
Failover: Secondary SMTP endpoint configured in the sending application. Failover MTA or failover IP provisioned and tested. Monthly failover test documented: route 50 test transactional messages through the secondary and verify delivery rate and latency are within acceptable bounds. Failover activation procedure documented and accessible to on-call staff without requiring senior engineering involvement.
Completing this checklist before the first transactional message is sent from new infrastructure ensures that the foundation is correct and verified, rather than discovering gaps during a live production event where the cost of delay is measured in user experience failures rather than testing overhead.
Infrastructure Assessment
Our managed infrastructure includes dedicated transactional pools with isolated IPs, latency-optimised PowerMTA configuration, real-time DNSBL monitoring with 15-minute check intervals, and documented failover protocols for transactional continuity. Transactional and promotional traffic are never mixed. Request assessment →