How managed email infrastructure actually works

Email delivery looks simple: you click send, the email arrives. What happens between those two events involves five distinct technical layers, ISP filtering systems processing hundreds of signals in real time, cryptographic authentication, reputation databases, and feedback loops that determine inbox, spam, or block. This guide explains all of it — written by engineers who operate 8 billion+ emails per month.

Ready to move forward?

Talk to an engineer about your infrastructure requirements.

Request assessment
Live stats
Monthly volume8B emails
Avg time-to-inbox1.3s
Global inbox rate97.4%
Dedicated IPs30,720+
View live status →

The complete email delivery chain

Every email you send passes through a specific sequence of technical steps. Understanding this chain explains why email deliverability is complex, why it requires ongoing management, and where things go wrong.

Application
Your app / ESP
SMTP Relay / MTA
PowerMTA cluster
Authentication
SPF, DKIM, DMARC
DNS Resolution
MX lookup
ISP Inbound
Receiving MX
Filtering Engine
Spam / reputation
Inbox / Folder
Delivery outcome
Feedback Loop
Bounces, FBLs

Click any step to expand

Step 1: Your Application

The delivery chain begins when your application or marketing platform decides to send an email. It establishes an SMTP connection to the relay server via SMTP AUTH on port 587 (STARTTLS) or via HTTP API call to our Mailgun/SendGrid-compatible endpoint.

At this stage, the email is a raw MIME message: headers (From, To, Subject, Message-ID, Date), body content (HTML and/or plain text), and any attachments. The application provides the envelope sender (MAIL FROM), recipient (RCPT TO), and message data (DATA). Our relay receives this and takes over all subsequent delivery work.

  • Supported: SMTP AUTH port 587 STARTTLS, port 465 TLS, Mailgun v3 HTTP API, SendGrid Web API v3
  • Max message size: 50MB configurable per client
  • Auth: SMTP AUTH PLAIN/LOGIN, or Bearer token for HTTP API

Step 2: SMTP Relay / MTA Processing

PowerMTA validates the SMTP envelope, checks sender credentials, adds required headers (DKIM signature, Message-ID if missing, Received header), and routes the message to the appropriate virtual MTA based on sending domain and client configuration.

PowerMTA maintains per-domain queues and applies ISP-specific throttle settings. Gmail gets different concurrent connection limits and message rates than Outlook, Yahoo, or GMX. These configurations are actively tuned based on ISP feedback signals (4xx and 5xx response codes) observed in real-time delivery attempts.

  • PowerMTA 6.x processes each message against the client virtual MTA configuration
  • DKIM signature applied using per-domain private key (2048-bit RSA)
  • Message queued to appropriate IP pool based on sending domain
  • ISP-specific concurrency and rate limits applied before outbound connection

Step 3: Authentication Headers

Before the message leaves our infrastructure, authentication headers are applied. DKIM signing computes a cryptographic signature over specified headers and the message body using the private key for the sending domain. The signature is added as a DKIM-Signature header.

The receiving ISP will use the public key (published in DNS as a TXT record) to verify this signature. A valid signature proves the message was sent by authorized infrastructure and that headers/body were not modified in transit.

  • DKIM-Signature added with d= (signing domain), s= (selector), h= (signed headers), bh= (body hash), b= (signature)
  • SPF enforced at envelope level — MTA sends from IP authorized in domain SPF record
  • DMARC alignment achieved when DKIM d= matches From: header domain

Step 4: DNS Resolution

To deliver the message, PowerMTA resolves the recipient domain's MX records via DNS. An MX lookup for gmail.com returns multiple MX records with priority values. PowerMTA attempts delivery to the highest-priority MX first.

  • NXDOMAIN (domain doesn't exist) = permanent hard bounce, immediate suppression
  • SERVFAIL / timeout = temporary failure, retry with backoff
  • PTR (reverse DNS) lookup on our sending IP by recipient MTA — must resolve correctly

Step 5: ISP Inbound MTA

PowerMTA establishes an SMTP connection to the recipient ISP's inbound MTA. At connection time, the ISP checks: reverse DNS on our sending IP, IP against blocklists, HELO/EHLO hostname, and connection rate limits.

SMTP response codes carry critical information: 250 (accepted), 421/450/451 (temporary rejection), 550/551/554 (permanent rejection). PowerMTA interprets these and schedules retries or generates bounces accordingly.

  • 250 = accepted for processing (not yet in inbox)
  • 4xx = temporary rejection — PowerMTA retries with exponential backoff
  • 5xx = permanent rejection — bounce generated, address suppressed

Step 6: Filtering Engine

After the ISP's inbound MTA accepts the message (250), it passes through the filtering engine. Gmail's neural network classifiers, Microsoft's Defender ML model, and Yahoo's Meridian system each make independent decisions: inbox, promotions tab, spam, or silent discard.

These decisions use hundreds of signals: IP reputation, domain reputation, DKIM alignment, DMARC policy, content analysis, URL reputation, sender history, recipient engagement history, and many proprietary signals. This is why inbox placement cannot be guaranteed by any infrastructure provider — only optimized.

  • Gmail: neural classifier, reputation signals visible via Google Postmaster Tools
  • Outlook/Microsoft 365: Defender ML model, SNDS for sender reputation visibility
  • Yahoo: Meridian spam classification, FBL program for complaint rate monitoring

Step 7: Inbox / Folder Placement

Four possible outcomes: Inbox (primary), Inbox (promotional/social tab), Spam/Junk, or Silent discard. Silent discard is the worst outcome — the ISP accepted the message (250) but never delivered it. No bounce is generated, making it invisible without seed account monitoring.

We track inbox placement through seed accounts maintained at major ISPs. These accounts receive monitoring messages and report folder placement — producing the ISP-specific delivery performance metrics on our status page.

Step 8: Feedback Loops

Two types of feedback return to our infrastructure. Bounces (DSNs) are processed by our Intelligence Bounce™ classification engine, which categorizes each bounce and applies appropriate suppression logic. FBL complaints (when a recipient clicks "Report as spam") are processed through our FBL pipeline, which extracts the complainant's address and adds it to the suppression list immediately.

8
Steps in every
delivery chain
<2s
Average chain
completion
200+
ISP signals
processed per message
50+
DNSBLs checked
every 4 hours

DNS & email authentication: SPF, DKIM, DMARC, BIMI

Email authentication is not a feature — it is the foundation that everything in email delivery is built on. Google's February 2024 bulk sender requirements made DMARC mandatory for anyone sending more than 5,000 emails per day to Gmail. Without properly configured authentication, even the best-managed dedicated infrastructure will struggle to reach the inbox consistently.

SPF

Sender Policy Framework (SPF)

SPF is a DNS TXT record that specifies which IP addresses are authorized to send email for a domain. When an ISP receives a message, it checks the sender's domain SPF record against the sending IP. A failing SPF check is a significant negative reputation signal, and in DMARC-enforced environments, it can cause rejection.

# SPF record for your sending domain
sending.yourdomain.com. IN TXT "v=spf1 ip4:185.220.xx.0/24 include:_spf.cloudserverforemail.com ~all"

# v=spf1 version declaration (required)
# ip4:... your dedicated sending IP range authorized
# include:... our infrastructure SPF record included
# ~all softfail for all else (use -all after validation)

Critical SPF constraint: it only protects the envelope sender (MAIL FROM), not the From: header recipients see. DMARC alignment is required to enforce the relationship between envelope sender and visible From: header. SPF also has a 10 DNS lookup limit — exceeding it causes permanent SPF failures. Our onboarding review always includes SPF lookup chain analysis.

DKIM

DomainKeys Identified Mail (DKIM)

DKIM adds a cryptographic signature to outgoing messages that allows the receiving ISP to verify the message was sent by infrastructure authorized to sign for the From: domain and that content was not modified in transit. It is the most robust authentication standard and the one ISPs rely on most heavily for reputation attribution.

# DKIM public key DNS record
selector1._domainkey.yourdomain.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEF..."

# DKIM-Signature header added to each outgoing message:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=yourdomain.com; s=selector1;
  h=from:subject:date:message-id;
  bh=SHA256(body);
  b=RSA-SHA256-signature

We use 2048-bit RSA keys for all client DKIM configurations. Key rotation is managed proactively — expired keys are a common cause of sudden authentication failures. DKIM reputation is domain-level, not IP-level, meaning positive reputation is portable across infrastructure changes as long as the signing domain stays consistent.

DMARC

Domain-based Message Authentication, Reporting & Conformance (DMARC)

DMARC brings SPF and DKIM together under a policy that tells ISPs what to do when authentication fails. It also provides reporting so you can see what is being sent using your domain — including unauthorized senders you may not know about.

# Stage 1: Monitor (no enforcement, collect data)
_dmarc.yourdomain.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100"

# Stage 2: Quarantine (failing messages go to spam)
_dmarc.yourdomain.com. IN TXT "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com"

# Stage 3: Reject (failing messages blocked entirely)
_dmarc.yourdomain.com. IN TXT "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@yourdomain.com"

As of February 2024, Google requires p=none minimum for bulk senders, with progression toward p=quarantine. Microsoft Defender treats DMARC alignment as a primary trust signal regardless of policy level. We recommend p=quarantine for all production sending and p=reject as the long-term target.

Authentication standards comparison

StandardWhat it protectsWhere configuredRequired for Gmail bulk (2024+)
SPFEnvelope sender (MAIL FROM)Sender domain DNS TXTYes
DKIMMessage integrity + signing domainSelector subdomain DNS TXTYes
DMARCFrom: header alignment + policy enforcement_dmarc.domain DNS TXTYes (p=none minimum)
BIMIBrand verification + logo display in inboxdefault._bimi.domain DNS TXTNo (recommended)
MTA-STSTLS enforcement for inbound deliverymta-sts subdomain + DNS TXT + policy fileNo (improves security)

MTA architecture and message routing

The Mail Transfer Agent (MTA) is the software that manages transmission from your infrastructure to recipient ISPs. PowerMTA is the industry-standard high-performance MTA for dedicated email infrastructure. Understanding how it works explains why managed dedicated infrastructure performs fundamentally differently from shared ESP platforms.

01

Virtual MTAs and IP pool architecture

PowerMTA uses a virtual MTA (VMTA) architecture allowing multiple logical sending identities to operate on the same physical server, each with its own IP pool, DKIM keys, throttle settings, and queue management. This provides complete separation between client sending streams — one client's reputation problems cannot affect another's delivery.

Virtual MTA Structure

  • Each client has a dedicated VMTA
  • VMTA bound to client-specific IP pool
  • Separate queue per destination domain
  • Per-domain DKIM signing keys
  • Independent throttle settings per ISP per VMTA
  • Complete log separation between clients

Message Routing Logic

  • Envelope sender domain → VMTA assignment
  • Recipient domain → ISP-specific throttle profile
  • Traffic type tag → bulk vs transactional routing
  • Round-robin across IP pool
  • Auto re-routing when IP receives 421/450
  • Per-IP reputation monitoring feeds routing
02

ISP-specific throttle configuration

Every major ISP has different tolerance for connection rates, messages per connection, and concurrent connections. Properly configured throttles maximize throughput within ISP tolerances without triggering deferrals.

ISPMax concurrent connectionsMessages per connectionKey configuration note
Gmail20–50 (reputation-dependent)100 per connectionSeparate pools for consumer vs Workspace
Outlook / Microsoft 3655–20 (IP reputation-dependent)50 per connectionSNDS color status affects connection limits
Yahoo Mail10–30100 per connectionFBL enrollment required for complaint visibility
GMX / Web.de5–1550 per connectionStricter content filtering; monitor 550 codes closely
iCloud Mail2–1020 per connectionApple implements strict engagement scoring
OVH / La Poste3–820 per connectionEU-specific filtering rules; 30-min minimum retry

ISP filtering and reputation systems

Inbox placement is determined by each ISP's filtering engine — a machine learning system processing hundreds of signals per message in milliseconds. These systems are not static rule-based spam filters. They are trained on billions of labeled examples and update continuously.

04

The four signal categories ISP filters use

Understanding what signals influence filtering decisions is the foundation of effective deliverability management. These signals fall into four main categories, each carrying different weight at different ISPs.

Sender Reputation

  • IP sending history and volume trends
  • IP complaint rate (spam reports)
  • IP hard bounce rate
  • IP blocklist presence
  • Domain reputation (separate from IP)
  • DKIM signing domain history

Engagement Signals

  • Historical open rate for this sender
  • Historical reply rate
  • Delete-without-open rate
  • Mark-as-spam rate
  • Move-to-folder behavior
  • Per-recipient engagement (Gmail personalizes)

Content Signals

  • URL reputation (clicked links, tracked domains)
  • HTML structure anomalies
  • Image-to-text ratio
  • Subject line patterns
  • Header structure anomalies
  • Unsubscribe header presence and validity

Infrastructure Signals

  • DMARC alignment result
  • DKIM signature validity
  • SPF pass/fail
  • TLS connection presence
  • PTR record valid and consistent
  • IP age and registration history
05

ISP monitoring tools for senders

Each major ISP provides tools that expose some of their reputation signals. These are the primary intelligence source in our daily monitoring protocol.

📊
Google Postmaster Tools
Domain and IP reputation
BAD / LOW / MEDIUM / HIGH
Also: spam rate, delivery errors, DMARC pass rate, encryption rate. Updated daily. Requires domain verification.
📈
Microsoft SNDS
Per-IP reputation color
GREEN / YELLOW / RED
Also: message volume, complaint rate, trap hits, Defender assessment. Updated daily. IP must be registered.
📫
Yahoo JMRP FBL
Per-message complaint reports
ARF per complaint
Real-time complaint reports in ARF format. Requires FBL registration. Used for complaint-based suppression.
🔍
DMARC Aggregate Reports
Daily authentication data
XML per-ISP reports
Pass/fail breakdown by source IP with volume data from all participating ISPs. Requires rua= tag in DMARC record.

Bounce processing and feedback loop management

Bounce processing is one of the most critical parts of email infrastructure. Mishandled bounces damage IP reputation, waste sending capacity, and cause list growth without delivery value. Our Intelligence Bounce™ system classifies every bounce and applies appropriate suppression logic automatically.

The five bounce categories

Permanent (Hard Bounce)

User or domain does not exist

Definitively invalid address or domain. Immediate permanent suppression. Never retry.

550 5.1.1 User unknown
550 5.1.2 Bad destination
NXDOMAIN
Transient (Soft Bounce)

Temporary delivery failure

Mailbox full, server temporarily unavailable. Retry appropriate. Suppress after threshold.

452 4.2.2 Mailbox full
421 4.7.0 Try again later
451 4.3.0 Temp failure
Policy

ISP policy rejection

Rate limiting, attachment policy, domain policy. Adjust sending approach before retry.

550 5.7.1 Policy rejection
554 5.7.9 Message blocked
421 4.7.0 Too many conn.
Reputation

IP or domain reputation block

Requires IP recovery action before retry. Immediate alert triggered for our team.

550 5.7.1 IP blocked
554 Service unavailable
550 SC-001 (Microsoft)
Content

Content-based rejection

Message content triggered filtering. Content review required. May indicate list quality issues.

550 5.7.1 Content rejected
554 5.7.0 Filtered
550 EC102
FBL

Feedback Loop (FBL) processing

When a recipient clicks "Report as spam," ISPs that operate FBL programs send a complaint copy back to our processing pipeline. This is the most direct signal of list quality problems.

1

Complaint generated

Recipient clicks "Report Spam" in Yahoo Mail, Outlook, or another FBL-participating ISP. The ISP generates an ARF (Abuse Reporting Format) message.

2

ARF delivered to our FBL endpoint

Our system receives and parses the ARF within minutes. Gmail does not operate a traditional FBL — complaint rate is visible via Postmaster Tools but individual complaint addresses are not exposed.

3

Immediate suppression applied

The complainant's address is added to the client's suppression list immediately. No further emails sent. Complaint counted in the client's complaint rate metrics.

4

Complaint rate monitoring

Rolling 7-day complaint rate tracked per domain and per IP. Alerts trigger at 0.08% (Google's warning threshold) — proactive action before reaching Google's 0.3% enforcement threshold.

Monitoring and daily operations

The difference between managed and unmanaged infrastructure is not the initial configuration — it is what happens after the first email is sent. Deliverability is a dynamic state that changes continuously. The configuration producing 97% inbox placement this month may produce 82% next month if nobody is watching.

06

Our daily monitoring protocol

Every client environment goes through this monitoring cycle every business day. This is not automated alerting only — it involves an engineer reviewing data and making decisions.

1

Google Postmaster Tools review (06:00–08:00 UTC)

Domain reputation, IP reputation, spam rate, DMARC compliance rate reviewed for all sending domains. Domain reputation below MEDIUM or IP below HIGH triggers investigation.

2

Microsoft SNDS verification (08:00–09:00 UTC)

SNDS status checked for every IP. Green = acceptable. Yellow = investigation required. Red = immediate action: IP removed from rotation, replacement IP warming initiated.

3

DNSBL scan (every 4 hours, automated)

All 30,000+ IPs (30+ /21 pools) scanned against 50+ DNSBL providers including Spamhaus SBL/XBL/PBL, Barracuda BRBL, SORBS, SpamCop. New listings generate immediate alerts.

4

FBL queue review (continuous + daily summary)

Complaint volumes reviewed per client, per domain, per IP. Rising complaint trends investigated before reaching ISP enforcement thresholds.

5

Bounce rate analysis (twice daily)

Hard and soft bounce rates reviewed per client. Hard bounce rate above 2% triggers investigation. Bounce pattern analysis identifies list hygiene issues.

6

Monthly configuration review

ISP-specific throttle configurations, DKIM key ages, SPF validity, and DMARC policy reviewed. Configuration updates applied based on ISP behavior changes over the prior month.

IP warming: the new IP introduction process

A new IP address has no sending history — no reputation, positive or negative. ISPs treat unknown IPs with heightened scrutiny. IP warming is the structured process of building positive reputation by demonstrating consistent, high-quality sending behavior over weeks. Compressing or skipping this process causes permanent reputation damage that can take months to recover.

07

Representative 12-week warming schedule

This is a representative schedule for migrating 1 million monthly emails to new dedicated IPs. Actual schedules are calibrated to list engagement data, ISP distribution, and real-time ISP feedback signals. The schedule is a guide, not a calendar — if negative signals appear, the ramp pauses regardless of week number.

Week 1

500 → 2,000/day

Send exclusively to highest-engagement segment (opened in last 30 days). Keep complaint rate below 0.05%. Monitor Postmaster Tools daily. BAD reputation = pause and investigate.

Week 2

2,000 → 8,000/day

Expand to 60-day openers if Week 1 metrics are clean. First SNDS data available for Microsoft IPs. Gmail Postmaster Tools shows first data around day 5–7 when volume is sufficient.

Weeks 3–4

8,000 → 30,000/day

Expand to 90-day openers. Volume increase non-linear — doubling every 5–7 days if metrics remain clean. Configure ISP-specific domain blocks for full production settings.

Weeks 5–6

30,000 → 100,000/day

Introduce 180-day openers. IP reputation in Postmaster Tools should show MEDIUM or HIGH by end of week 6. SNDS should show Green. Yellow flags = reduce volume and investigate.

Weeks 7–9

100,000 → 300,000/day

Begin introducing inactive segments (6–12 months) if needed. Monitor complaint rate carefully — inactive-recipient complaint rates are significantly higher than engaged-recipient rates.

Weeks 10–12

300,000 → Full volume

Complete migration to full production volume. IP reputation should be stable at HIGH (Gmail) and Green (Microsoft). Parallel operation with existing infrastructure wound down after 2-week validation.

Client onboarding: weeks 1 through 12

Onboarding to dedicated managed infrastructure is a structured migration involving infrastructure provisioning, DNS configuration, authentication validation, warming schedule development, and traffic migration — all managed to ensure no delivery interruption to existing sending programs.

1

Week 1: Technical assessment and environment design

Engineering call to understand current infrastructure, sending volume, traffic type distribution, ISP breakdown, current authentication status, and delivery performance. Based on this, we design the IP pool structure, VMTA configuration, and warming schedule specific to the client's needs.

2

Weeks 2–3: Infrastructure provisioning and authentication setup

Servers provisioned, PowerMTA installed to production standards. PTR records on all sending IPs, DKIM keys generated and DNS records published, SPF record updated, DMARC confirmed, BIMI record prepared if applicable. All authentication validated before any email is sent.

3

Weeks 4–10: IP warming with parallel operation

Warming begins while client continues sending from existing infrastructure. Parallel operation ensures no delivery interruption. Volume migrates from existing infrastructure to new IPs as warming progresses and reputation metrics confirm readiness.

4

Weeks 8–12: Traffic migration and wind-down

As new IP reputation stabilizes, traffic migrates from old infrastructure. Done at routing level — the client's sending application continues operating normally, only the SMTP endpoint changes. Existing infrastructure kept on standby during 2-week validation before decommissioning.

5

Week 12+: Full production operation

Fully operational on managed dedicated infrastructure. Daily monitoring protocol active. Monthly configuration review scheduled. Client has direct engineer contact (not a ticket queue). Full environment configuration documentation delivered.

Managed infrastructure vs. DIY dedicated servers

Running your own PowerMTA installation on a rented server is technically possible. Understanding what it actually requires — and what you give up when you manage it without specialization — is the clearest way to understand the value of managed infrastructure.

Area DIY Dedicated Server Cloud Server for Email (Managed)
Initial configurationYou configure PowerMTA, DNS, authentication, throttles. Significant expertise required.We configure to production standards. Validated before first email sent.
IP warmingYou design and execute. Mistakes are costly and slow to recover from.We design, execute, and monitor. Adjust in real time to ISP signals.
Blacklist monitoringManual or DIY alerting. Typically discovered after delivery impact.50+ DNSBLs scanned every 4 hours. Alerts before client notices impact.
Google Postmaster ToolsYou review if you know to. No action framework.Reviewed daily by deliverability engineer. Proactive action.
Microsoft SNDSAvailable but complex. Requires manual enrollment per IP.All IPs enrolled. Reviewed daily. Yellow = immediate action.
FBL processingRequires enrollment, ARF parser, suppression integration. DIY complexity.FBL enrolled, parsed, and suppression applied automatically.
Incident responseYou discover and respond. Learning curve for each new incident type.We detect, diagnose, and resolve. Post-mortem delivered.
Configuration maintenanceConfiguration drift over time. ISP changes may not be implemented.Monthly review. ISP requirement changes implemented proactively.
GDPR complianceYour responsibility to ensure compliance.EU data residency guaranteed. DPA provided. CIPP/E advisory included.
Time investmentSignificant ongoing time from whoever manages it.Zero time from client. Engineering effort is on our side.
Cost modelServer + PowerMTA license (~€1,500/yr) + staff time.Flat monthly fee. No PowerMTA license cost. No hidden operations cost.

The ten most common infrastructure failure points we prevent

These are the failure modes we see most frequently when clients come to us from DIY setups or shared ESPs. Each is preventable with proper managed infrastructure.

1

DKIM key expiry or misconfiguration

DKIM keys generated and forgotten. Expiry or rotation failures cause sudden authentication failures that appear without warning. We manage key rotation proactively.

2

SPF over-lookup limit

SPF records exceeding 10 DNS lookups fail permanently. Adding a new sending vendor without reviewing the SPF chain is the most common trigger.

3

Unmonitored blacklist listings

IPs listed on Spamhaus or other DNSBLs silently accumulate delivery impact. Without monitoring, listings persist and grow until clients notice complaint-level problems.

4

Microsoft SNDS Yellow/Red without response

Without daily monitoring, Yellow turns Red, and Red means all mail from that IP goes to Outlook junk or is blocked entirely. Early detection is critical.

5

Complaint rate drift above Google threshold

Google's warning threshold is 0.08%, enforcement is 0.3%. Most senders don't monitor complaint rate until Google sends a policy notification — by which point domain reputation has already degraded.

6

FBL not enrolled — complaints invisible

Without FBL enrollment, Yahoo and Microsoft complaints are invisible. Same users keep receiving email, complaint rate accumulates, IP reputation degrades with no suppression mechanism to stop it.

7

Hard bounce not suppressed

Continuing to send to hard-bounced addresses is one of the clearest signals of poor list management that ISPs observe. Must be permanently suppressed immediately upon first bounce.

8

Calendar-based warming ignoring ISP signals

Rigid warming schedules that ignore ISP feedback cause failures. If Gmail shows increased deferral rates, the volume ramp must pause regardless of what week it is in the schedule.

9

PTR record missing or mismatched

Missing or mismatched PTR records cause connection-level rejections at some ISPs and significantly increase spam scoring at others. Validated during onboarding and monitored thereafter.

10

Configuration drift after initial setup

ISP requirements evolve. Google's 2024 requirements changed the bar for DMARC, one-click unsubscribe, and complaint rate thresholds. Infrastructure configured correctly in 2022 may be misconfigured today. Configuration must be reviewed continuously.

Frequently asked questions

What is the difference between SMTP relay and a dedicated email server?

A dedicated email server means you have your own server running an MTA like PowerMTA. A managed SMTP relay means your application connects to our infrastructure which handles ISP delivery using your assigned dedicated IPs. The distinction: in both cases you get dedicated IPs. The difference is whether you or we manage the MTA software, configuration, and daily operations.

How long does IP warming take, and can it be accelerated?

Typically 8–12 weeks for high-volume programs (1M+ emails/month). The timeline is determined by ISP feedback signals, not a calendar. You cannot safely compress below what ISPs signal is appropriate — attempting to do so causes deferral and complaint rates to spike, damaging the reputation you are building. For lower volume programs (below 200K/month), warming can complete in 4–6 weeks.

Can I migrate from SendGrid or Mailgun without downtime?

Yes. Migration is always done with parallel operation — your existing sending continues normally while the new infrastructure warms up. Once IPs are warmed and reputation metrics are stable, we switch your application's SMTP endpoint or API base URL. If you use our API-compatible relay layer, this requires no code modifications. We have completed 200+ migrations from shared ESP platforms without delivery interruption.

What happens if one of my sending IPs gets blacklisted?

We scan all 30,000+ IPs (30+ /21 pools) against 50+ DNSBL providers every 4 hours. New listings generate immediate alerts. The affected IP is removed from rotation, traffic rerouted to clean IPs, and our team investigates the cause. We manage the delisting request process with the relevant DNSBL providers.

Do you support both bulk email and cold outreach on the same infrastructure?

We support both, but never on the same IP pool. Bulk email (opted-in lists) and cold outreach have fundamentally different risk profiles. Mixing them causes cold outreach complaint rates to damage bulk sending IP reputation. We operate separate IP pools, separate VMTA configurations, and separate warming programs for each traffic type — this is one of the most important architectural decisions in email infrastructure design.

What does GDPR compliance mean specifically for email infrastructure?

Email logs containing recipient addresses and delivery data are personal data under GDPR, requiring a legal basis for processing and defined retention periods. Using US-based ESP infrastructure may create Schrems II transfer issues without adequate safeguards. Our EU-based infrastructure ensures all email processing data stays in the EU. We provide a DPA that covers our role as data processor — a standard requirement for enterprise compliance teams.

Ready to put this into practice?

Talk to an engineer about your specific infrastructure requirements. We'll review your current setup and design an environment appropriate for your volume and use case.

45–60 min with an engineer. No commitment required.