There is a version of the email infrastructure conversation that gets everything backwards. Someone reads that Email APIs are the modern answer, or that PowerMTA is what serious senders use, and decides to build accordingly — before checking whether a plain SMTP relay would have solved the same problem with less code and fewer vendor dependencies. For most transactional workloads, it would have. Knowing when that is still true, and when it stops being true, is the actual skill.
Key takeaways
- A well-run SMTP relay handles the overwhelming majority of transactional workloads — password resets, receipts, 2FA, shipping updates, operational alerts — without needing an Email API or a dedicated MTA.
- The threshold where relay stops being enough is rarely pure volume. It is the point at which per-message observability, per-tenant isolation, or structured event streams start to matter for the product.
- Authentication posture is the same whether you send over relay or API: SPF, DKIM, DMARC, aligned, with 2048-bit DKIM keys and a published policy record. The 2024-2025 rule shift does not privilege one protocol over the other.
- Stream isolation matters for transactional reliability. The minimum responsible posture is a separate IP pool for transactional mail, even if the volume alone does not require it.
- The decision to move beyond relay should be driven by concrete product needs — webhooks, template versioning, multi-tenant suppression — not by the assumption that "modern means API."
What "transactional" actually means
The word gets thrown around loosely, which makes the design conversation harder than it needs to be. A transactional email, in the tight sense used by inbox providers and compliance frameworks, is a message triggered by an individual user action or system event, sent to a single recipient, carrying information that recipient has an active interest in. Password resets, order confirmations, 2FA codes, receipts, shipping updates, account alerts, form submission acknowledgements — all transactional.
What is not transactional, even though teams sometimes call it that: weekly product digests, feature announcements, onboarding drip campaigns, re-engagement emails, promotional offers. These are lifecycle or marketing mail. They may share some of the triggering mechanics of transactional mail (they are automated, they go to a single recipient), but inbox providers treat them differently, and the sending infrastructure should too.
The reason this definition matters is legal and operational. Transactional email in most jurisdictions is exempted from opt-in requirements and some unsubscribe obligations, precisely because it is considered necessary for the service the user signed up for. Wrapping marketing content inside transactional emails to dodge those obligations used to be a common trick; it is now a reliable way to attract regulatory attention and reputation damage at the same time. Keep the two streams clean.
Where SMTP relay is the right answer
A transactional SMTP relay is a service that accepts messages via standard SMTP on port 587 or 465, authenticates the sender with a username and password, and hands the message to an outbound MTA that takes care of signing, queueing, retries, and delivery. From the application's perspective, sending an email is four lines of code and a network round-trip. That simplicity is the feature.
The workloads that relay handles without complaint
- Password reset flows. A single message triggered by a user clicking "Forgot password." The application needs to know the message went out, not every downstream event.
- Receipts and invoices. Triggered on successful payment, sent once, read or filed by the recipient. Delivery confirmation is enough.
- Two-factor authentication codes. Time-sensitive, sent to one person, read within seconds or discarded. Observability requirements beyond "did it arrive?" are minimal.
- Shipping and fulfillment updates. Event-driven notifications that the carrier or warehouse system generated. The application does not need fine-grained analytics on these.
- Administrative alerts. Password changes, new device sign-ins, billing-method updates. One-to-one, read once, no engagement tracking needed.
- System-generated internal notifications. Cron jobs, monitoring alerts, report-generation completions. Often sent from applications that only speak SMTP anyway.
- Form submission acknowledgements. A user submits a contact form; the system emails them a confirmation. Simple, low-volume, protocol-agnostic.
Every item above has the same shape: one user, one event, one message, delivery confirmation is the main observability need. Running any of this through a bespoke Email API integration is not wrong, but it is rarely faster, cheaper, or more reliable than a relay.
Why relay is still the quiet default
Most of the world's transactional email moves through SMTP. The reason is not technical superiority — it is operational inertia working in the sender's favor. Applications written in any language since the 1990s already have mature SMTP libraries. Deployment platforms expose SMTP credentials as standard environment variables. Operations teams already know how to read SMTP logs. Starting from that baseline, adding an Email API integration needs a real justification — some feature the API provides that the application actually needs.
The workloads that exceed relay comfortably
Relay's limits are real, but they show up at a specific set of workload boundaries rather than at a raw volume threshold. When the application's requirements cross one of these boundaries, the SMTP contract starts feeling like a workaround rather than a fit.
| Requirement | Why it exceeds relay | Typical next step |
|---|---|---|
| Per-message engagement tracking | Relay exposes accept/reject and bounce events; opens and clicks require separate infrastructure | Add an Email API or webhook pipeline |
| Multi-tenant suppression | Each customer needs an isolated suppression list with their own bounces and complaints | API with tenant scoping, or per-tenant relay credentials |
| Template versioning and server-side rendering | Relay sends what the app gives it; no templates live in the provider | Email API with template management |
| Idempotency keys | SMTP lacks native idempotency; retries can duplicate messages without application discipline | Email API with idempotency support |
| Per-tenant rate limits | Provider rate limits apply to the whole account, not per tenant | API or MTA with programmable throttling |
| Structured metadata for analytics | SMTP requires encoding metadata into custom headers; parsing is provider-specific | API with first-class metadata fields |
| High-throughput batch personalization | Per-recipient rendering at 1,000+ messages per request is awkward over SMTP | API with batch endpoints |
| Scheduled sends with cancellation | Not part of the SMTP specification; requires application-side queueing | API with scheduling support, or a local job queue |
Read the table from the product side inward. If the application needs none of those capabilities, relay is still the right answer. If the application needs two or three, the cost-benefit of switching to an API starts tilting. If it needs five or more, you are already building API functionality on top of a relay, and the consolidation is usually worth the migration effort. For the deeper architectural comparison, see SMTP Relay vs Email API.
Volume thresholds, updated for late 2025
Volume alone is a weaker decision signal than most teams assume, but it is not irrelevant. The table below is a working guide for late 2025, after nineteen months of Gmail and Yahoo enforcement and four months of Microsoft parity rules. Numbers are directional; every row assumes clean lists and correct authentication.
| Monthly volume | Comfortable fit | Observability needs | Recommended path |
|---|---|---|---|
| < 50k | Shared SMTP relay | Delivery confirmation, basic bounce handling | Stay on relay; focus on authentication hygiene |
| 50k – 250k | Shared relay or small dedicated IP | Bounce classification, complaint tracking | Consider dedicated IP only if complaint rates are creeping up |
| 250k – 1M | Dedicated IP on relay or Email API | Per-message events start mattering | Evaluate API if product features need the event stream |
| 1M – 5M | API with dedicated IP, or relay with MTA tuning | Multi-tenant scoping, structured analytics | Path depends on product complexity, not volume |
| 5M – 25M | Dedicated MTA (PowerMTA) with stream separation | Full operational telemetry | Operate as its own practice; see the PowerMTA conversation |
| > 25M | MTA cluster with managed deliverability | Per-ISP policies, continuous monitoring | Dedicated team or managed partner |
Notice the overlap zones. Between 250k and 1M per month, neither "stay on relay" nor "move to API" is obviously right. That range is where product requirements — not volume — should drive the decision. A SaaS product that needs per-tenant suppression at 300k/month has a stronger case for API than a monolithic e-commerce platform sending 800k/month of receipts that only need delivery confirmation.
Latency expectations and SLA math
Transactional mail has a latency budget, and the budget is usually tight. A password reset that arrives four minutes after the user requested it is functionally broken — the user has already tried again or given up. A 2FA code that arrives after the code has expired is worse than not arriving at all. Understanding the realistic latency envelope of relay-based sending makes the SLA conversation concrete.
The numbers tell a clear story. For single-recipient transactional messages under normal conditions, end-to-end delivery from application send to inbox arrival is consistently under a minute. Deferrals, queueing and backoffs can stretch that envelope in edge cases, but the base case is fast.
Where SLAs break down is not usually the relay itself — it is the application's retry logic around a transient failure. If the SMTP connection errors out mid-session and the application does not retry cleanly, the user gets no message and the operations team gets a support ticket. Designing retries with exponential backoff and jitter, rather than immediate re-attempts or give-ups, is the single biggest delivery-reliability improvement most transactional programs can make.
Authentication posture for transactional domains
The authentication baseline is non-negotiable in late 2025, and the relay versus API choice does not change it. Every sending domain needs SPF, DKIM, and DMARC, aligned, with appropriate policy strength. For the full setup walkthrough, see email authentication for growing senders. The specifics for transactional mail are worth stating clearly.
SPF for the transactional domain
The SPF record should list every source that legitimately sends from the domain — the relay, any backup relay, any internal mail system. The closing mechanism should be -all for transactional domains, not ~all. Transactional mail rarely has the legitimate "unknown source" problem that might justify the softer posture, and a strict SPF record is easier to defend when something goes wrong.
DNSapp.example.com. IN TXT "v=spf1 include:spf.authorizehosting.com -all"
DKIM with 2048-bit keys
Use 2048-bit keys, not the 1024-bit defaults that some older configurations still carry. Rotate keys annually. If the domain sends from multiple providers (e.g., a transactional relay for password resets and a separate system for operational alerts), each provider needs its own DKIM selector. Missing a selector causes silent DMARC failures on part of the traffic.
DMARC strength for transactional mail
Unlike cold outreach domains, transactional domains usually benefit from a stronger DMARC policy. Start at p=none with aggregate reporting for two to four weeks to confirm alignment. Move to p=quarantine when the reports show clean alignment from all sources. Most mature transactional programs run at p=reject on the main domain, because the cost of a single spoofed message hitting a customer inbox is high.
DNS_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s; pct=100"
adkim=s, aspf=s) is often the right choice — it catches spoofing attempts that relaxed alignment would miss. Domains that send from multiple subdomains through different relays should stay on relaxed alignment to avoid false positives.
What Microsoft's May 2025 parity added
The Microsoft enforcement that took effect May 5, 2025, brought Outlook.com, Hotmail.com, and Live.com into line with Gmail and Yahoo. For transactional mail specifically, two implications deserve attention. First, reverse DNS (PTR) records on outbound sending IPs are now treated seriously by Microsoft's filters — a missing or misconfigured PTR that used to produce softening now produces hard filtering. Second, TLS on every outbound connection is enforced. Relay providers handle both by default; self-hosted systems need to verify their configuration.
Stream isolation without overbuilding
Even at modest volumes, transactional mail benefits from being isolated from marketing and cold traffic. Isolation does not require a dedicated IP or a full MTA — it requires that the transactional stream's reputation cannot be contaminated by a bad campaign in another stream.
The minimum responsible isolation posture
- Separate sending domain or subdomain. Transactional from
app.example.com; marketing fromnews.example.com; cold outreach from dedicated secondary domains (never from the main brand, as covered in cold email infrastructure without avoidable mistakes). - Separate relay credentials, or separate accounts entirely. Different credentials allow the provider to attribute complaint rates and bounces separately. Some providers map this onto per-account "sending streams" or "sub-accounts."
- Separate DKIM selectors. Even if both streams share the same root domain, their DKIM signatures should use different selectors so that reputation events are attributable.
- Separate suppression management. A complaint on a marketing send should not automatically suppress transactional traffic to the same recipient — they are opted in to one but not necessarily both.
- Separate monitoring dashboards. The transactional pool should surface its own delivery, bounce, and complaint metrics. Blended dashboards hide problems until they are already affecting users.
When isolation demands a dedicated IP
Shared sending pools work well for most transactional volumes because the underlying relay pools are enormous and individual senders do not dominate them. The move to a dedicated IP is worth considering when any of the following become true:
- Monthly volume passes 500k-1M and the reputation cost of being on a shared pool with unknown neighbors starts outweighing the operational simplicity.
- A specific inbox provider (typically Microsoft) shows inconsistent acceptance and the pattern points to a shared-pool issue rather than a sender-specific one.
- The organization has compliance requirements that demand traceability at the IP level (some financial and healthcare workloads).
- The sending program wants to participate in specific provider-reputation programs that require a dedicated IP (some ISPs offer reputation dashboards that only populate for non-shared senders).
Dedicated IPs are not a free upgrade. A new dedicated IP requires four to six weeks of warmup, during which volume is capped below production levels. Switching cold turkey from a shared pool to a fresh dedicated IP usually produces a temporary deliverability dip, not an immediate improvement.
Observability minimums for transactional mail
The observability requirements for transactional sending are narrower than for marketing, but the ones that matter need to be present. A transactional stream that cannot answer "did this user get their password reset?" in thirty seconds is not production-ready, regardless of protocol.
| Signal | Source | Retention | Use |
|---|---|---|---|
| Per-message send events | Application logs or relay API | 30+ days | Answer support tickets about specific user messages |
| SMTP response codes | Relay provider logs or MTA accounting | 14+ days | Diagnose acceptance and rejection patterns per ISP |
| Bounce classification | Relay provider or bounce webhook | 90+ days | Feed suppression; catch list hygiene problems |
| Daily volume per stream | Metrics pipeline | 12+ months | Capacity planning and anomaly detection |
| Authentication pass rates | DMARC aggregate reports | 30+ days rolling | Catch DKIM or SPF regressions early |
| Gmail Postmaster Tools | Google Postmaster Tools | Continuous | Spam rate, domain reputation, authentication status |
| Microsoft SNDS | Microsoft Smart Network Data Services | Continuous | IP reputation signal for dedicated Microsoft traffic |
Two observations about the list. First, most of it is free — Postmaster Tools, SNDS, DMARC reports — but only useful if someone looks at them. A once-a-week cadence is the minimum defensible posture. Second, application-side logging matters more than many teams realize. The relay knows what it accepted; the application knows what it intended to send. Without both sides, diagnosing "did user X get their receipt?" requires cross-referencing that nobody wants to do at 3 a.m.
Failure modes and how to handle them
Transactional email fails in predictable ways. The list below covers the ones that produce the most support tickets and the cleanest remediations.
- Transient SMTP rejection (4xx). The relay returns a temporary error. The application should retry with exponential backoff — not immediately, not after giving up. Typical schedule: 30 s, 2 min, 10 min, 30 min, stop after the fifth attempt and dead-letter the message.
- Hard bounce (5xx). The recipient address is invalid. Add to suppression immediately; do not retry. Surface to the application so the user knows their address failed.
- Deferred delivery. The recipient server accepted the message but is queueing it. Most resolve within minutes; tail latency can be hours. Worth a monitoring alert if more than 1% of transactional traffic is deferred beyond five minutes.
- DKIM signing failure. Usually a misconfigured selector or expired key. The message gets sent but fails DMARC at the recipient. Monitor DKIM pass rate in DMARC reports; alert below 98% on a rolling 24-hour window.
- Rate limit hit (429 on API, 421 on SMTP). The relay throttled the sender. Should not happen in normal transactional traffic; if it does, investigate upstream volume patterns before asking the provider for higher limits.
- Connection timeout. The application cannot reach the relay. Usually a network issue, occasionally a relay outage. Fail fast, dead-letter the message, alert the ops team; do not retry-storm.
- Content filter rejection. Rare for transactional mail, but happens when marketing-style language creeps into receipts. Rewrite the problematic content; keep transactional copy restrained and information-focused.
Signals that your relay is no longer enough
The right moment to move off a relay is almost never "we're growing fast, so let's upgrade infrastructure proactively." It is a specific set of operational friction points that compound. When three or more of the signals below show up in the same quarter, the migration conversation is worth opening.
- Support tickets about "did my email arrive?" are becoming a weekly occurrence. The relay's per-message visibility is not enough for your support team to answer quickly.
- Product managers are asking for per-tenant bounce and complaint data and your current setup cannot scope the answer below the whole account.
- Engineering keeps writing glue code to parse provider-specific bounce webhooks, deduplicate events, or enforce idempotency — the kind of code that an API would handle natively. This is often the signal that points toward moving the workload to an Email API designed for event-driven applications.
- Template changes require application deployments because the templates live in your code, and the marketing or product team wants to iterate faster than your release cycle.
- Compliance or audit requires per-message metadata — who triggered the send, which tenant, which flow — and SMTP headers are not a clean way to carry that.
- The reputation blast radius of a mistake is too wide. A bug in one product feature starts affecting unrelated transactional mail because they share the same sending identity.
- You are hitting per-account rate limits during normal operation. The relay can grant more headroom, but the underlying architecture (one account, many tenants) is the bottleneck.
None of these individually justifies a rewrite. Three of them, together, usually do — and the right next step is not always an Email API. Sometimes it is a dedicated MTA with proper stream separation, sometimes it is a multi-tenant relay architecture with per-tenant credentials, sometimes it is splitting the workload across two providers so that transactional stays on relay and the new capabilities land on an API without touching the existing pipeline.
Frequently asked questions
Can a shared SMTP relay handle our password resets if we spike to 100k in an hour?
Yes, in almost every case. Modern shared relay infrastructure is sized for exactly that shape of traffic. The limits you will hit first are usually application-side — your app's connection pool to the relay, your DNS resolver, your retry logic — not the relay's capacity. Test the spike scenario in staging before you need it in production.
Do we need a dedicated IP for transactional mail at 500k/month?
Probably not. At that volume a well-run shared pool from a reputable provider gives you access to a deeper reputation footprint than a single dedicated IP could build. The case for dedicated IPs strengthens above 1M/month or when a specific ISP shows unreliable acceptance patterns you can trace to shared-pool contamination.
How do we handle bounce-storming from a dirty list?
For transactional mail, the list is usually clean because it is built from active users. If a bounce rate above 3% shows up in transactional traffic, something deeper is wrong — a stale user database, an address-collection bug, or an account-takeover pattern. Pause, investigate the source, clean the list at the root cause. Do not just add to suppression.
Should transactional mail include an unsubscribe link?
Strictly transactional messages — receipts, password resets, 2FA codes — do not need unsubscribe links and should not include them. Messages that mix transactional content with promotional content do need unsubscribe mechanisms, but the right fix is to unmix the content, not to add an unsubscribe link to the receipt.
What about BIMI for transactional?
BIMI (Brand Indicators for Message Identification) requires a DMARC policy of p=quarantine or p=reject, a verified brand mark certificate, and the logo published at a specific URL. For transactional domains, the investment is often worthwhile because BIMI logos appear in the recipient's inbox next to the message and increase open rates and trust. For marketing domains, the math is similar. It is a nice-to-have that mature programs layer in once the rest of the authentication stack is clean.
Should we use the same domain for transactional and marketing mail?
Most mature programs use a main domain for transactional (example.com or app.example.com) and a dedicated subdomain for marketing (news.example.com). The subdomain isolates reputation while still benefiting from the parent domain's brand recognition. Running both streams from the same bare domain is workable but gives you one less reputation dial to turn if something goes wrong.
Closing perspective
There is a temptation in engineering to equate sophistication with value. A three-line SMTP call feels unserious next to a webhook-driven, idempotent, metadata-enriched API integration. In the specific context of transactional email, that instinct is mostly wrong. The three-line call is doing the right thing for the workload, and the API integration would be solving problems the product does not have.
What mature teams do instead is treat infrastructure choice as a consequence of product requirement, not as an aesthetic preference. If the product needs per-message events, idempotency, template versioning, or multi-tenant isolation, those requirements justify the API or the MTA. If the product needs to send a password reset and move on, the relay is the correct answer, and it will remain correct at volumes far higher than most teams expect.
The 2024-2025 rule shift — Gmail and Yahoo in February 2024, Microsoft in May 2025 — raised the authentication floor for everyone. It did not privilege one sending protocol over another. What it did was eliminate the "I'll get to authentication later" option. SPF, DKIM, DMARC, proper alignment, 2048-bit keys, PTR records, TLS on every connection. That baseline is now the price of admission, and once you pay it, the protocol choice is a design decision rather than a deliverability decision.
Relay is still enough for most transactional workloads. Knowing when it stops being enough — and what to reach for when it does — is the operational skill that separates programs that scale smoothly from programs that rebuild their email infrastructure every eighteen months.