Skip to content
OS Domains
Outbound stack · Pay-as-you-go API

A transactional email API that stays inside the EU. All of it.

An email API is a REST interface for sending application email — transactional and lifecycle — programmatically over HTTPS instead of SMTP. OS Domains runs an EU-resident email API under an Austrian entity, with official SDKs, idempotent sends, signed webhooks and dedicated IPs, for SaaS and product teams that need European data residency without giving up developer ergonomics.

Resend can send from Ireland but stores your account data and logs in the United States. Postmark has openly said no EU servers are coming. SendGrid runs out of San Francisco. We are a Austrian GmbH. Sub-processors all in the EU. No US parent, no Cloud Act exposure, no asterisk in the DPA. Drop in your existing SendGrid or Mailgun client and switch the endpoint — that part takes about ten minutes.

In short

  • REST over HTTPS with Bearer API-key auth, idempotency keys, and HMAC-signed webhooks for delivery, bounce and complaint events.
  • Free at €0, then €15 (Starter), €79 (Scale) and €299 (Business), up to custom Enterprise — billed in euros, with no per-message surprise.
  • Official SDKs for TypeScript/Node, Python, Go, Ruby, PHP and Java, generated from an OpenAPI spec so the client never drifts from the API.
  • EU-resident under an Austrian entity: message content, recipient data and event logs stay in the EU, clearing the Schrems II question for procurement.
  • Drop-in migration from SendGrid, Resend, Postmark or Mailgun in one to three working days.
The send path

What happens when your app calls the API?

Your application sends an HTTPS POST with a JSON body and a Bearer key; the API validates and deduplicates it against the idempotency key, signs the message with the sending domain's DKIM key, queues it on a dedicated IP, and delivers to the receiving provider. Delivery, bounce and complaint events return to your webhook. The diagram traces that path.

Your app HTTPS POST + JSON Bearer key idempotency EU email API validate and deduplicate DKIM signing dedicated IP and queue delivered Receiving MX Gmail and Microsoft 365 Inbox + webhook

A send is one authenticated POST with a JSON body; the API returns a message ID you can correlate with later webhook events:

$ curl https://api.osdomains.com/v1/emails \
     -H "Authorization: Bearer osd_live_…" \
     -H "Idempotency-Key: 9f1c-43a2-7b80" \
     -H "Content-Type: application/json" \
     -d '{"from":"[email protected]","to":"[email protected]","subject":"Welcome","html":"<p>Hello</p>"}'

  {
    "id": "msg_3kZ9Q12aQ4",
    "status": "queued"
  }
Why this exists

Most "EU email APIs" are a US service with a Frankfurt region. That is not the same thing.

A Polish fintech CTO told me a story last summer that I keep coming back to. They had been on SendGrid for three years. Everything humming along. Then their compliance audit landed and the lawyer asked one question — where, exactly, is customer personal data being processed. The answer they got from procurement: "EU mostly, but it depends on server load, sometimes United States." The lawyer closed his notebook and said this needs to change. They migrated in two days. Latency dropped from around 150ms to under 50ms. The bill stayed flat. The DPO finally slept.

That story is not unusual. It is the most common reason European companies move off US email APIs. The EU Court of Justice killed Privacy Shield in 2020 and the replacement framework (Data Privacy Framework) lives under permanent legal challenge. If your processor is US-headquartered, you are running on a transfer mechanism that could be invalidated again. DPOs increasingly treat "EU-only processing" as the cleanest path — the one that does not need a 40-page Transfer Impact Assessment to defend in front of a regulator.

The problem is that the email API market mostly does not offer that. Resend added Ireland sending in late 2024 but kept account data, API logs, metadata, and analytics in the United States. Postmark sits inside ActiveCampaign and has said publicly there are no plans for EU servers. SendGrid is a Twilio property — San Francisco, public company, fully exposed to the US Cloud Act regardless of which region you pick. Mailgun is technically owned by Sinch, a Austrian company, but Sinch has substantial US operations and the entity that holds your contract is usually the US one. None of these are bad products. They are American products with European deployments. That is a different product.

OS Domains GmbH sits at the other end. Vienna headquarters. Sub-processors EU only. The MTA is ours, the DNS is ours, the IP space is ours. There is no US parent that can be served a Cloud Act warrant. No "EU region" that quietly fails over to North Virginia under load. No US-staffed support desk reading your customer email subject lines while debugging tickets. Your DPA fits on three pages because there are no asterisks to qualify.

For most senders this distinction does not matter. If you are an early-stage startup sending a few thousand welcome emails a week, the American APIs are excellent and cheap and you should use them. We will tell you that if you ask. The point of this page is the population for whom the distinction does matter — regulated industries, public-sector suppliers, EU enterprise procurement, anyone whose lawyer is reading the DPA carefully. For that audience, we are the answer. For the others, we are a pretty good answer too, but the pitch is different.

There is also a less compliance-flavored reason this exists, and it is worth saying out loud. The American email API market has a venture-capital pricing problem. Resend is VC-backed, which means at some point it has to deliver returns — that is what investors signed up for. The October 2024 doubling of the 200k tier from $80 to $160 was the first signal. The next signal will not be smaller. Postmark sits inside ActiveCampaign, who has its own pricing pressures. Mailgun raised Flex from $1 to $2 per thousand in December 2025, a 100% jump. The pattern is well-known to anyone who has lived through a SaaS category maturing under VC ownership. We are bootstrap. We have published the same euro-denominated price list since launch. The 200k tier was €68 in early 2024 and is €68 today. That is not because we are wonderful. It is because our cost structure does not have an investor demanding 30% revenue growth quarter over quarter. For some buyers the EU sovereignty story is the lead reason to switch; for others it is the pricing story; for many it is both. Either is a fine reason.

Where the EU posture actually breaks

A vendor table where every line gets read by a procurement officer

I have spent enough hours in EU procurement calls to know exactly which questions land. The table below is the short version. Each line is a question you should ask any email API vendor before signing. The strong answers are rare. The weak answers are usually billed as strong.

Q1

Where is the legal entity that holds your contract registered?

Strong answer

EU member state, no US parent in the corporate hierarchy.

Common weak answer

"EU subsidiary of a US parent." The Cloud Act applies to the parent. The subsidiary inherits the exposure.

OS Domains

OS Domains GmbH, registered in Austria. No US parent, no group with US entities.

Q2

Where are account data, API logs, billing records, and support tickets stored?

Strong answer

Inside the EU at all times, no replication to US infrastructure.

Common weak answer

"Sending happens in EU but other systems run on AWS us-east-1." Common with Resend, common with anyone who built on Stripe + Zendesk + AWS without thinking carefully.

OS Domains

All of it — sending, accounts, logs, metadata, billing, support tickets — inside the EU. No exceptions.

Q3

Are any sub-processors US-based?

Strong answer

No. Full sub-processor list is EU only and published.

Common weak answer

A long list with one or two US names buried in section 4.b. Stripe, Twilio for SMS, Datadog for monitoring, Intercom for support — these add up.

OS Domains

Zero US sub-processors. Stripe replaced with EU PSP, monitoring on EU infrastructure, support tooling on EU SaaS. The full list is on the public sub-processor page.

Q4

What happens under a US Cloud Act request?

Strong answer

No US entity in the chain, no legal compulsion to comply. Requests fail at the jurisdictional door.

Common weak answer

"We will fight any request in court." Romantic, but the parent company complies first and tells you after.

OS Domains

No applicable jurisdiction. Cloud Act does not reach a Austrian GmbH with EU-only operations.

Q5

How does failover work under load? Does data leave the EU?

Strong answer

Failover stays inside the EU. Architecture documented.

Common weak answer

"Automatic failover to North Virginia under high load." This phrase, or anything close to it, is a billboard.

OS Domains

Multi-region within the EU (Vienna primary, Frankfurt and Strasbourg secondary). Hardware in our datacenter PoPs in London, Amsterdam, Dallas and Panama exists for sending egress only — never for account or log data.

Q6

Currency on the invoice and pricing predictability?

Strong answer

Euros, with a published price list that has been stable for 12+ months.

Common weak answer

USD pricing converted at month-of-billing rate, with VC-driven hikes (Resend doubled the 200k tier in October 2024).

OS Domains

EUR. Price list public up to 1.5M emails/month. Bootstrap company, no VC pressure. Last price change: never.

Q7

Data retention and deletion timelines after cancellation?

Strong answer

Documented retention policy aligned with GDPR Article 5(1)(e). Hard-delete confirmed, no zombie copies in backups beyond the documented window.

Common weak answer

"We retain for legitimate business purposes" with no defined window. Backups that quietly persist for years.

OS Domains

Account data deleted within 30 days of cancellation. Backup retention 90 days then cryptographic erasure. Email content (HTML bodies) deleted within 7 days of plan log retention expiring. Audit log of deletion available on request.

Q8

How long does a serious DPA review actually take?

Strong answer

Days, because there is nothing complicated to negotiate.

Common weak answer

Weeks, because every bullet has a footnote that requires legal review.

OS Domains

Most DPOs sign within 3 to 5 working days. The longest review we have had took 11 days because of vacation overlap on the customer side. The DPA is three pages.

Who buys this and why

Five buyer profiles where the EU-only architecture pays for itself

Not everyone needs a Schrems II clean stack. Below are the profiles where the math works. If you do not see yourself here, the most honest answer is to use Resend or Postmark and revisit when your compliance scope changes.

Profile 01

EU regulated industries

Banking, insurance, healthcare, fintech under DORA, anyone subject to NIS2 by 2026. Procurement insists on signed DPA, EU sub-processors, audit evidence. The migration cost is one engineering sprint. The alternative is explaining to your auditor why your transactional email vendor is in scope of the Cloud Act and what mitigations are in place. That conversation is more expensive than the migration.

Profile 02

Public sector suppliers

Selling to EU governments, EU institutions, ministries, hospitals, universities, anything that runs procurement under EU Directive 2014/24. Most public-sector RFPs in 2026 ask explicitly about US Cloud Act exposure of every sub-processor in the chain. Wrong answer drops your bid before evaluation. Right answer keeps you in the running. We are the right answer.

Profile 03

Privacy-first products

Privacy as a product feature, not a compliance footnote. Encrypted messaging, healthcare apps, anything where "your customers chose you because you respect data" is part of the marketing pitch. Sending password reset emails through a US infrastructure undermines that pitch. Your customers will not always notice. Your lawyer will. Your blog post about your email vendor change is genuine PR material.

Profile 04

European media and publishing

Newsroom subscription emails, paywall receipts, breaking-news alerts. Most newspapers have moved their main systems to EU sovereign cloud (OVH, Scaleway, Hetzner Cloud). The transactional email layer often lags behind because nobody on the editorial side flags it. When the audit catches up, you need a same-week migration path. We can do same-week.

Profile 05

Developer-centric SaaS hitting €1M+ ARR

You started on Resend or Postmark because the docs were great and you were in a hurry. Now you are doing real revenue, your enterprise customers are asking for your DPA, and the procurement check has flagged email. Migrating off your current API is one engineer-week. Onboarding a tenth enterprise customer who wants the question gone is worth more than that.

Profile 06

Crypto, Web3 and privacy-coin teams

Your customer base, almost by definition, prizes data minimization and jurisdictional clarity. Your transactional email leaking metadata to US servers is a contradiction with your product values that smart customers eventually notice. The migration is a half-day. The story you can then tell — "every byte of your interaction with us stays in the EU" — is the kind of thing a thoughtful customer puts in a tweet that earns you new customers. Worth doing for the brand alone, before the compliance argument.

What the API feels like

How quickly can a team integrate the email API?

Most teams send their first message within an afternoon: the API is conventional REST, JSON in and JSON out, idempotent, with the design choices that 2026 developers expect. Compliance-first does not mean developer-hostile. The page below covers what is in the box.

01

Authentication and request shape

API key per environment (production, staging, development). Bearer-token auth in the Authorization header. JSON request body, JSON response. UTF-8 throughout. Rate limits documented per plan, returned in headers (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset). Idempotency keys supported on POST /emails — pass the same key within 24 hours, get the same response, no double-send. The retry-on-5xx contract is published; you can rely on it. Signed webhook payloads, HMAC-SHA256, signing key rotatable from the dashboard.

02

SDKs and language coverage

Official SDKs in TypeScript (Node + Bun + Deno), Python, Go, Ruby, PHP, Java. Type-safe across all of them. Generated from a single OpenAPI 3.1 spec, so the surface stays in sync. SDK installation is one line per language. Minimal dependencies — the TypeScript SDK has zero runtime dependencies except undici, which is in Node 18+ already. CLI tool for sending test emails, listing recent activity, validating templates without leaving the terminal. The CLI is useful enough that a few of our customers use it as their preferred dashboard.

03

Templates: code-first or dashboard-first

Two paths, no forced choice. If you like writing email templates as React components, the SDK ships a renderer compatible with React Email — drop your existing React Email project in, pass the rendered HTML to the API, done. If you prefer server-side templates with our DSL (Mustache-flavored, deliberately boring), you upload them via API or dashboard and reference them by template ID. We have an honest opinion: React Email is overrated for transactional flows where the same template renders identically every time and the emails are short. The DSL is faster and the rendering happens server-side, which means clients without Node can use it. But you do not have to take our opinion. Both paths work.

04

Webhooks and event observability

Eight event types: queued, sent, delivered, opened, clicked, bounced, complained, deferred. Webhook delivery has its own retry policy — exponential backoff up to 24 hours, with a manual replay button in the dashboard for the times you broke your endpoint and need to backfill. Logs retained 30 days on Starter, 90 days on Scale, 365 days on Business. Searchable by recipient, status, message ID, custom metadata you attached at send time. The dashboard shows a unified timeline per message so you can answer "what happened to that one email" in two clicks.

05

Sending performance

Median API response time under 80ms from EU origin, under 200ms from North America. Mail typically lands in the recipient inbox within 4 seconds of API acceptance for transactional traffic. Yes, that means password resets feel instant. We measure these numbers monthly and publish them on the status page along with provider-specific delivery latencies (Gmail vs Microsoft 365 vs Yahoo, etc.) — turning what most providers keep opaque into something you can plan capacity around.

06

Authentication setup that does not waste your morning

SPF, DKIM, DMARC. The dashboard generates exact DNS records to publish. Verification happens in real time — push the record, hit Verify, you see green or red within 30 seconds. DKIM keys default to 2048-bit. SPF is auto-flattened where it makes sense to keep you under the 10-lookup limit. DMARC starts at p=none with reports flowing to a default address you can override. If you want our managed-DMARC team to handle enforcement, that is a separate service (the Managed DMARC product) and the buyout is one click.

07

Sandbox, testing, and local development

A test API key sends to a sandbox endpoint that accepts the request, returns a realistic response, and never delivers to a real recipient. The sandbox supports forced failure modes — you can simulate a hard bounce, a soft bounce, a complaint, a deferred message, an authentication failure — by passing specific test addresses. This is the difference between testing your error handling honestly versus hoping your retry logic works. We also run a public preview environment at preview.osdomains.com where you can hit the API with a free trial key without signing up — useful for evaluating the response shape from a Postman collection before the engineering team commits.

08

Multi-tenancy and sub-account isolation

If your product sends mail on behalf of your own customers (white-labeled SaaS, agency platforms, multi-brand enterprises), the sub-account API lets you create isolated tenants with their own sending domains, their own reputation, their own log retention scope. Your customers never see our brand. Your billing is consolidated at your top-level account. Sub-accounts are available from Scale tier; Enterprise gets unlimited sub-accounts with custom contractual structures (sub-DPAs, white-label support escalation, custom branding on dashboard). Common pattern for B2B SaaS at €5M+ ARR who serve regulated customers.

What runs under the hood

The stack is ours, not a wrapper around someone else's SES account

Most "European email APIs" are pretty thin layers over Amazon SES eu-west-1. That is fine for some use cases. For Schrems II it is not — SES is AWS, AWS is US, the workaround does not survive a serious DPA review. Our stack is something different. Worth knowing what.

L1

MTA layer

KumoMTA in production for all transactional traffic, with PowerMTA available for the small minority of customers whose procurement still requires a commercial MTA. Both run on bare metal in our own racks. Per-tenant queue isolation, per-recipient throttling tuned per major mailbox provider, retry policy with exponential backoff. We have been operating MTAs at production scale since 2008. The team that fixes a queue at 3am is the same team that designed the queue.

L2

Dedicated IP layer

Multiple IPv4 allocations with dual-stack IPv6, assigned as clean dedicated IPs per customer. Shared sending pools have isolated reputation tiers — paying senders never share IPs with new free-tier accounts. Dedicated IPs available as add-on or by default at Business tier. Reputation monitored continuously across Postmaster Tools, SNDS and Sender Score.

L3

API and storage layer

Public API runs on EU-hosted infrastructure (primarily Vienna, with Frankfurt and Strasbourg as failover regions). Storage is PostgreSQL with point-in-time recovery, on EU-only infrastructure. Object storage for email content uses Backblaze B2 EU region — the only US-headquartered company in our chain, and that data is end-to-end encrypted before it leaves our application servers, with keys held only on our side. So even there the US vendor cannot read what they store. The full sub-processor list is public and updated on every change.

L4

Observability layer

Self-hosted observability stack. Logs in our own ELK cluster, metrics in our own Prometheus and Grafana, tracing in our own Jaeger. No Datadog, no New Relic, no Sentry SaaS. The reason is exactly the one you would guess — we tell customers their data does not leave the EU and we mean it down to the monitoring layer.

L5

Operations and on-call layer

Engineers on call are based in Europe. Vienna is our largest pod, with engineers in Lisbon and Tallinn covering off-hours coverage. Nobody in our support chain is offshored to a low-cost contractor. The team that wrote KumoMTA configurations is the team that responds when your transactional volume hits an anomaly at 2 AM. We use this in customer-facing copy because it differentiates us from the structurally cheaper providers — but it is also operationally why our incident MTTR has been under 12 minutes for the last 18 months. You cannot get there with a 3-tier support structure and overseas first-line.

How teams switch

How long does migrating from SendGrid or Resend take?

A typical migration from SendGrid, Resend, Postmark or Mailgun takes one to three working days. Migration off another email API is rarely the engineering project people imagine: the sending code is a thin layer on top of an SDK, and the DNS work is a pre-coordinated update. The actual blocker is rarely technical — it is internal coordination. Below is the realistic playbook for a typical mid-market migration.

  1. Day 0

    Sign DPA, provision account

    Account created, DPA signed, sub-processor list reviewed by your DPO. Your team gets API keys in dev, staging and production environments. No code change yet. We pre-configure your domains in our system based on a CSV you send us.

  2. Day 1

    Authentication setup, parallel run

    You publish SPF, DKIM and DMARC records for our infrastructure alongside your existing provider — DMARC at p=none ensures no enforcement breaks while both run in parallel. We verify the records resolve correctly within an hour. Your sending volume is still going through the old provider; ours is just authenticated and waiting.

  3. Day 1 to 2

    Code switch, dark launch

    Your team replaces the SDK call. For most senders this is one file change — replace `sendgrid.send()` with our equivalent — but if you are using a custom abstraction it might be a wrapper update. Deploy to staging, run your existing email integration tests against our endpoint. Switch a small fraction of production traffic over (we recommend 5% first), watch the metrics for 24 hours.

  4. Day 2 to 3

    Ramp to 100%, sunset old provider

    If the 5% canary is clean, you can move to 100% the same day or stage it through 25, 50, 100. Most senders ramp in one business day; cautious ones spread it over a week. The old provider stays on standby for 14 days as a rollback option, then you cancel that contract and stop paying twice.

  5. Week 2 onward

    Steady state

    Quarterly check-in with the engineering team on our side. Monthly invoice in EUR. Quiet running. The migration thread on Slack archives itself.

Five plans, fixed pricing in euros

How much does the email API cost?

Plans start free at €0, then €15 (Starter), €79 (Scale) and €299 (Business), with custom Enterprise above that. The table below is the full pricing — there is no hidden tier behind a "contact sales" button, and Enterprise is custom only because the volume varies, while the Business plan covers most senders up to 1.5 million per month. We are bootstrap. No VC. The 200k tier was €68 a year ago and is €68 today.

Free

For development, side projects, and verifying we are the right fit before you commit a card.

€0 / month

Account active in under a minute

  • 3,000 emails per month
  • One sending domain
  • 24-hour log retention
  • 1 team member
  • Email support, best-effort response
  • EU sub-processors, signed DPA available
Start free

Starter

For early-stage SaaS sending real but modest volume.

€15 / month

Plan active immediately

  • 50,000 emails per month
  • Unlimited sending domains
  • 7-day log retention
  • Up to 3 team members
  • Webhook events, idempotency keys
  • CLI tool, all SDKs
  • Email support, 24h business response
Start with Starter
Sweet spot

Scale

The sweet spot. Mid-size SaaS, growing newsletters, regulated workloads needing headroom.

€79 / month

Plan active immediately

  • 500,000 emails per month
  • Everything in Starter
  • 30-day log retention
  • Up to 10 team members
  • Dedicated IP add-on available (€89/mo)
  • Sub-account support for multi-tenant apps
  • Email and chat support, 8h business response SLA
Start with Scale

Business

Volume sender, multi-product SaaS, regulated industry with audit obligations.

€299 / month

Plan active immediately

  • 1,500,000 emails per month
  • Everything in Scale
  • 365-day log retention for audit
  • Unlimited team members
  • Dedicated IP included (one)
  • SOC 2 evidence pack
  • Priority email and chat, 4h business response SLA
  • Quarterly review with engineering on our side
Start with Business

Enterprise

High volume, dedicated infrastructure, signed SLA.

Custom annual

Onboarding in 5 to 10 business days

  • 4M+ emails per month, no upper bound
  • Everything in Business
  • Multiple dedicated IPs in your own /29 or /28 block
  • Custom log retention up to 7 years
  • Signed SLA with service credits
  • Named technical account manager
  • Slack Connect direct line
  • 1-hour incident response SLA, 24/7
Talk to sales

Above-quota volume is billed at €0.40 per 1,000 emails on Starter and Scale, €0.30 per 1,000 on Business. Yes, you can hit the cap and keep sending. No, we do not throw a 429 on the 50,001st email of the month. Annual commitments save 15%. Bring-your-own-domain costs nothing. Inbound email parsing is on the roadmap for Q3 2026 and not yet billable.

Real questions from procurement and engineering

What buyers ask before they sign

How is this actually different from SendGrid, Mailgun, Resend or Postmark?

Three things matter. One: where the legal entity is registered. SendGrid is Twilio (San Francisco). Mailgun is Sinch (Austria, but the contracting entity for most enterprise deals is the US one and Sinch has US operations exposed to the Cloud Act). Resend is a US Delaware C-Corp. Postmark sits inside ActiveCampaign, US. We are a Austrian GmbH with no US parent. Two: where data actually lives. SendGrid offers an EU region but other systems run on US AWS. Resend sends from Ireland but stores accounts and logs in the US. Mailgun has US sub-processors. We are EU-only across the board. Three: pricing predictability. Resend doubled the 200k tier in October 2024. Mailgun raised Flex pricing from $1 to $2 per 1k in December 2025. Our prices are in euros, published, and have not moved.

Can we run a Schrems II Transfer Impact Assessment with you as the processor?

Yes, and the assessment ends quickly because there is no transfer to assess. Personal data stays inside the EU at every step. We have a TIA template you can use as the starting point — it documents the legal basis, the entity registration, the sub-processor chain, the cryptographic protections on object storage, and the lack of applicable third-country jurisdiction. Your DPO will still want to review it. The review is short.

What about the Backblaze B2 dependency — is that a problem?

Backblaze B2 EU region is the one US-headquartered vendor in our chain, and it stores email content (HTML bodies, attachments) that we encrypt on our application servers before upload. The encryption keys live in our European infrastructure and never touch Backblaze. From the Cloud Act perspective, Backblaze can be served a warrant for the encrypted blobs they hold, but they cannot decrypt them — we hold the keys. We could move this to a European object storage vendor and we are evaluating Scaleway and OVHcloud Object Storage for 2027. Right now Backblaze is the most reliable EU-region S3-compatible storage at the price point we need, and the encryption-at-rest model is review-clean. If your DPO requires zero-US-vendor in the chain we can quote a custom Enterprise plan that uses Scaleway from day one.

How does deliverability compare with the big US providers?

Honest answer: roughly equivalent for clean senders, with a small edge for us in EU receivers (Microsoft 365 EU, Free.fr, GMX, Strato, ProtonMail) because we have stronger peering and longer-standing reputation with European receivers. SendGrid and Mailgun have edges with US consumer Gmail and Microsoft consumer Outlook for high-volume marketing because their IP pools have decade-long reputation footprints. For pure transactional traffic — password resets, receipts, security codes — the difference is in the noise. For B2B transactional we are typically same-or-better. We publish median delivery latency per major receiver on the public status page; verify yourself before signing.

Do you support inbound email (parsing replies, processing tickets)?

Not yet. Inbound is on the roadmap for Q3 2026. We chose to launch outbound-only and do it well rather than ship a half-finished inbound product. If inbound is a hard requirement today, we can integrate with Mailgun Inbound (which has a clean EU region) as an interim, but you will be paying two vendors. For most senders the answer is to wait — pure outbound transactional is what 80% of the market needs.

What is your stance on AI-generated content via API?

Customers are free to use our API to send emails written by any tool, AI or otherwise. We do not police content beyond the standard AUP — phishing, malware, list-bombing, scams. What we do care about is that AI-generated transactional sends sometimes hit volume patterns that look like spam to receiver-side filters: 50,000 password resets in the same minute, identical content across thousands of recipients. We have a rate-shaping API that helps you smooth those bursts. The general advice is: if you are using AI to scale up sends, talk to us before launch so we can tune the throttle profile.

How quickly can we be in production?

API key in under a minute. First successful test send within 5 to 10 minutes for someone familiar with REST APIs. Domain authentication (SPF, DKIM, DMARC) in 30 minutes if you control your DNS, longer if you have to go through a change-management process. For full production migration off another provider — including dark launch and ramp — typical timeline is one to three working days for a mid-market sender, around two weeks for a complex multi-tenant SaaS with sub-account isolation requirements.

Do you offer dedicated IPs, and how does the warming work?

Yes. Available as add-on at Scale tier (€89/mo per IP) and included on Business and Enterprise. Warming is managed automatically by our system — we ramp volume on a new IP through a published curve over 14 to 28 days, monitor reputation across Postmaster Tools and SNDS, and pause volume increases if reputation softens. You can see the warming progress in the dashboard. If you have a fast-launch need (no time to warm), we can allocate a pre-warmed IP from our reserve pool at a small premium — talk to us during onboarding.

How does pricing work above the plan cap?

Plans are not hard caps. If you are on Starter (€15/mo, 50k included) and you send 60k in a month, you pay €15 plus 10,000 × €0.40/1000 = €4 in overage. Your sends do not stop at 50,001. The dashboard shows projected month-end overage in real time so you can decide whether to upgrade tier or just pay the overage. Upgrading mid-month is prorated and takes effect immediately.

Do you have webhooks for inbound delivery events, and how reliable are they?

Yes. Eight event types as listed on the developer experience section above. Delivery is at-least-once with HMAC signing, retry with exponential backoff up to 24 hours, manual replay from the dashboard. The 99.9% delivery SLA is published. We had one outage in 2025 that affected webhook delivery for 47 minutes; the post-mortem is on the public status page and the affected customers received SLA credits without filing a claim.

Is there a SOC 2 report?

Not currently held. We operate the underlying controls and provide pre-certification control evidence (SOC 2 criteria) under NDA on Scale and above. If you need it as part of evaluation, ask during the trial — we will send the current control-evidence bundle.

What happens if we want to move off you later?

You export. We have an export endpoint that returns all your message logs (with content where retained per your plan), template definitions, webhook configurations, and DNS recommendations to repoint at any other provider. Export is available 24/7 and we do not charge for it. We have lost two customers to Resend in the last 18 months; both used the export endpoint and the migration went fine. We tell you that not because we like losing customers but because the answer is part of how procurement evaluates lock-in risk. The honest answer here is: low.

How do you handle abuse and what protects us if another customer of yours misbehaves?

Three layers. First, every new account passes through automated AUP screening before sends are activated — domain age, ownership signals, list provenance disclosure. Second, all sends pass through real-time content scoring (spam patterns, malware signatures, phishing keywords) before delivery. Third, IP reputation is tiered — paying senders never share IPs with new free-tier accounts. If a problematic customer slips through, we suspend within minutes of detection. Your reputation is on its own dedicated IP from the Business tier upward. Even on shared pools, the tiering means a new free-tier account on probation cannot affect your dedicated-IP delivery. The blast radius is structural.

Annual versus monthly billing — what is the actual difference?

Monthly is the default. No commitment, cancel any time, billed in arrears. Annual saves 15% on the listed plan price and includes priority access to engineering office hours (a recurring quarterly call where you can ask architecture questions, deliverability questions, anything). Annual is paid up front in EUR. We do not require annual for any tier. Most Starter and Scale customers stay monthly; most Business and Enterprise customers go annual because their procurement prefers it. Either is fine. We do not penalize monthly with hidden caveats.

Can we host the API in our own datacenter or on-premise?

No. The API is multi-tenant SaaS. We have looked at on-prem deployment for two enterprise prospects and concluded it does not work for our model — we cannot deliver the deliverability guarantees if we do not control the IP reputation, and IP reputation requires shared learning across our full sender base. If on-prem is a hard requirement, you probably need to operate your own MTA stack (KumoMTA self-hosted, for example). We can sell you the dedicated infrastructure to do that — see our Email sending servers product. The API is for senders who want managed delivery, not full control of every layer.

Does the API keep all data inside the EU?

Yes. Message content, recipient data, and event logs stay on EU infrastructure under an Austrian legal entity, with no US parent in the processing chain, so the email leg does not reopen the Schrems II transfer question for your subprocessor review.

Three ways to start

You can start free, talk to us first, or read the docs

Free plan covers 3,000 emails a month with no card required — enough to integrate, evaluate against your existing provider, and run a real comparison. If you want to talk to engineering before signing up, we will set up a 30-minute call. Or if you just want to read the API docs end-to-end before talking to anyone, that is fine too.

Phone +43 1 205 11 80 Mon–Fri · 9–18 CET
Email [email protected] Avg response 4h business
Office Fleischmarkt 1, 1010 Wien By appointment