55 questions, organized by what you are trying to figure out.
We collected the questions we get the most from prospects, customers, journalists, and auditors over the past 24 months. They are grouped into 8 categories, each with its own search-friendly URL anchor. If you cannot find what you are looking for, email [email protected] and we will add it to the list.
About OS Domains
Who we are, where we operate, why this company exists.
01 What does OS Domains actually do?
We operate email infrastructure for companies that send a lot of email — typically between 100,000 and 50 million messages per month. We provide the MTA cluster (PowerMTA and KumoMTA), dedicated IPs, deliverability monitoring, DMARC/BIMI processing, and the deliverability operations team behind it. We are not a SaaS marketing tool — we are the layer between your application and the mailbox providers (Gmail, Outlook, Yahoo, etc.).
02 How is OS Domains different from AWS SES, SendGrid, or Mailgun?
AWS SES is a raw API transport with no included IPs, no included support, and no deliverability operations. SendGrid and Mailgun are SaaS marketing platforms with email transport bundled in. We are different in three ways: (1) you get a fully operated stack — PowerMTA/KumoMTA, IPs, warm-up, monitoring — without building it yourself, (2) the team running your infrastructure is the same team that picks up the phone when something breaks, no offshore tier-1 support, and (3) we are EU-based, EU-incorporated, EU-routed — relevant if Schrems II compliance matters to you. The TCO comparison on our pricing page lays out the actual cost differences at typical send volumes.
03 How long has the company been operating?
OS Domains GmbH has been operating since 2008 from Vienna, Austria. We started as a domain registrar and DNS provider, added email hosting in 2012, and pivoted to managed MTA infrastructure in 2018 when PowerMTA became too operationally complex for most senders to run themselves. We have been profitable since 2014, self-funded throughout, with no outside investment.
04 How many people work there?
A small team across engineering, deliverability operations, customer success, sales, and finance/legal. Headcount has grown linearly with revenue — we are not in a hyper-growth mode and have no plans to be. Most of the team is in Vienna; we have a small remote presence in Berlin, Lisbon, and São Paulo for time-zone coverage on customer support.
05 Are you VC-backed?
No. The company has been self-funded since founding. No venture capital, no private equity, no debt other than ordinary commercial credit. This is intentional and is why we make some decisions differently from VC-backed competitors: no growth-at-all-costs sales tactics, no quarterly board pressure to expand into adjacent products that confuse the offering, and a long-term horizon on customer relationships.
06 Where are your offices and where is your infrastructure?
Office: Fleischmarkt 1, 1010 Wien, Austria. Infrastructure: 7 European PoPs (Vienna, Frankfurt, Amsterdam, London, Strasbourg) plus Dallas and Panama for transatlantic and LATAM reach. We own the bare-metal in our EU PoPs and lease in the US/LATAM PoPs. Customer data, customer credentials, and processing happen in EU PoPs by default; Enterprise customers can pin to a single EU country.
07 Do you serve customers outside Europe?
Yes. We have customers across many countries and several continents, with the majority of revenue from the EU. Pricing, support, and contracts are in EUR by default but USD and GBP are available for Performance and Enterprise tiers.
Pricing and billing
How we charge, what is included, what is not.
01 What is the cheapest plan?
Starter at €299/month: 100,000 messages, 5 dedicated IPs, one EU PoP of your choice, all core features (MTA, API, webhooks, DMARC, BIMI, portal, status API). Above that, plans scale to Standard (€599/500K msg/12 IPs), Performance (€1,199/2M msg/30 IPs), and Enterprise (from €2,499). Full breakdown on the pricing page.
02 What does message overage cost?
€0.60 per additional 1,000 messages, billed at the end of each calendar month against actual send count. There are no rate-limit cliffs — your messages keep flowing, you just see the extra usage on the invoice. If you systematically exceed your tier, we proactively recommend moving you up because it is cheaper than paying overage.
03 How much do additional dedicated IPs cost?
€18 per IP per month, beyond what your plan includes. We configure reverse DNS to your subdomain and add the IP to your account within 24 hours of order. Each plan has a base allocation: Starter 5, Standard 12, Performance 30, Enterprise custom.
04 Do you charge setup or onboarding fees?
No setup fees on Starter, Standard, or Performance. Migration from another provider is a separately priced one-time service starting at €1,490. Enterprise sometimes includes onboarding fees disclosed upfront when complexity warrants (BYOIP, ASN delegation, on-prem hybrid).
05 Is the contract month-to-month or annual?
Month-to-month by default. Cancel any time before the renewal date with no penalty; data export remains available for 90 days after cancellation. Annual prepayment is optional and discounts the monthly rate by 10% on Starter and Standard, 12% on Performance. We do not auto-lock customers into multi-year contracts.
06 Are there discounts for non-profits or startups?
Yes. Registered non-profits get 25% off any plan with documentation. Pre-Series-A startups (companies under 24 months old with no institutional funding above €500K) get 30% off the Starter plan for the first 12 months. Annual prepayment discounts stack with neither — pick the best one.
07 What payment methods do you accept?
SEPA direct debit, SEPA wire transfer, Visa/Mastercard via Stripe, and (Enterprise only) NET-30 invoice with PO. No crypto, no prepaid cards, no money orders. We bill on the 1st of each month for the prior month's usage.
Technical setup
How to integrate, configure, and operate.
01 How long does provisioning take?
Starter and Standard: 48–72 hours from order to first send. The bottleneck is DNS propagation (your SPF, DKIM, and DMARC records need to be live) and our internal IP allocation/rDNS step. Performance: 5 business days because we customize VirtualMTAs per customer. Enterprise: 14 business days typical, longer if BYOIP or ASN delegation is involved.
02 PowerMTA or KumoMTA — which do you use?
Both, depending on the customer profile. PowerMTA for established high-volume senders who want maximum compatibility with existing tooling and per-domain VirtualMTAs. KumoMTA for new deployments where we have more freedom on architecture and want better observability/Prometheus integration. We make the recommendation based on your traffic pattern during onboarding; you do not have to know the difference.
03 Do you support PowerMTA on customer-owned servers?
Yes. If you already have bare-metal you want us to manage, we can install, license, and operate PowerMTA on it under our Migration service. We become responsible for ongoing tuning, monitoring, and incident response. Pricing is custom based on the number of nodes and the configuration complexity.
04 What ports and protocols do you support?
SMTP on 587 (STARTTLS), 465 (TLS), and 2525 (legacy STARTTLS). REST API over HTTPS on port 443 with HTTP/2. Webhooks delivered over HTTPS to your endpoint. IMAP and POP3 are not supported — we are an outbound infrastructure, not a mailbox provider. TLS 1.3 mandatory, TLS 1.2 grandfathered for legacy clients, TLS 1.0/1.1 rejected.
05 Can I configure SPF, DKIM, DMARC, and BIMI through your portal?
Yes. The customer portal generates the exact DNS records you need to publish for your sending domain, including DKIM keys (we rotate every 90 days), SPF includes, DMARC policy progression (none → quarantine → reject), and BIMI with VMC chain validation. Or you can publish your own and we will validate alignment.
06 How do I send my first test message?
Three ways depending on what you have: (1) the customer portal has a "Send test" button that sends to any address, (2) curl the REST API with your API key, (3) SMTP from your existing application with the credentials in the portal. The Quick Start in our docs covers all three with copy-pastable examples.
07 What is the maximum throughput from a single PoP?
Roughly 5 million messages per hour per PoP on Performance and Enterprise tiers, limited by mailbox-provider rate limits rather than our infrastructure. Starter and Standard plans cap at 50K/hour and 250K/hour respectively, which is enforced to protect your IP reputation during the early ramp.
08 Do you support webhooks for message events?
Yes. We push events (delivered, bounced, deferred, complained, opened, clicked) to your endpoint within 1 second of the event. Signed with HMAC-SHA256 (your secret in the portal). Retried with exponential backoff up to 30 minutes if your endpoint returns 5xx. 7-day buffer for replay if you need to backfill.
Deliverability and reputation
Inbox placement, blacklists, warm-up, and reputation management.
01 How long does IP warm-up take?
Typically 4–8 weeks for new IPs to reach full sending volume. The warm-up scheduler ramps based on real engagement data from your domain: high-engagement traffic (low bounce, low complaint, high open rate) ramps faster than low-engagement bulk. Cold email lists warm slower than transactional or opt-in newsletter traffic. We do not promise to compress this — providers like Gmail will throttle aggressive ramps regardless of who is doing the warm-up.
02 What happens if my IP gets blacklisted?
We monitor 18 major blacklists in real time. If a listing happens, we get paged within 5 minutes, investigate the cause (usually content-related, occasionally a feedback-loop spike from a specific list segment), and start delisting paperwork. Hard listings (Spamhaus SBL, CSS) typically take 24-72 hours to clear. We do not charge extra for delisting unless it is a repeat offense; the Reputation Recovery service is for major incidents requiring a 30-day plan.
03 How do you handle bounces and complaints?
Bounces are classified automatically using our parser (hard, soft, spam-trap, unknown user, mailbox full, content rejected, etc.). Hard bounces auto-suppress for 90 days; soft bounces retry with exponential backoff. Complaints from feedback loops (FBL) are processed within 60 seconds — once a recipient marks your message as spam, that address is suppressed for your account globally. You can manually unsuppress if you have a legitimate reason; we log every unsuppress event.
04 Do you integrate with Google Postmaster Tools and Microsoft SNDS?
Yes, included on Standard tier and up. We enroll your domains and IPs into both tools, then surface the data in our customer portal alongside our own internal metrics. You get one dashboard with Gmail Spam Rate, Microsoft Junk Mail Rate, IP/domain reputation buckets, and feedback loops aligned to the same timeline.
05 Can I use my own IPs (BYOIP)?
Yes, on Performance and Enterprise tiers. You bring an IPv4 /24 (or larger), we announce it from our network, configure rDNS, and operate it like the rest of your fleet. Useful for customers migrating with established IP reputation they do not want to abandon. The setup takes 5-10 business days depending on your existing routing.
06 What is your typical inbox placement rate?
For transactional and opt-in marketing traffic with proper authentication (SPF, DKIM, DMARC aligned), our customers see 96-99% inbox placement at Gmail and Outlook averaged across 7-day windows. For cold outreach and unsolicited mail, placement depends entirely on list quality and content — we do not promise inbox numbers there because no one honest can.
07 Do you guarantee inbox placement?
No. Anyone who guarantees inbox placement is either lying or going to deliver such bad placement that the guarantee is meaningless. Mailbox providers make the placement decision based on hundreds of signals we do not fully control. What we do guarantee: SLA-level uptime, reputation monitoring, fast bounce handling, fast blacklist response, and operational transparency when something goes wrong.
Compliance and legal
GDPR, Schrems II, DPA, data residency, regulated industries.
01 Are you GDPR compliant?
Yes. We are EU-incorporated (Austria), EU-routed, EU-operated, with EU-based engineering and customer-support teams. Our standard Data Processing Agreement (DPA) is on the DPA page; we sign customer-specific DPAs for Enterprise customers. Our DPO is reachable at [email protected] and responds within 1 business day. We maintain a record of processing activities (RoPA) and have completed multiple DPIA exercises with customers in regulated industries.
02 How do you handle Schrems II and cross-border data transfers?
By default, your data stays in the EU PoPs you have selected and does not transfer outside the EEA. If you opt into our US (Dallas) or LATAM (Panama) PoPs, we apply SCC (Standard Contractual Clauses) with appropriate Article 46 safeguards for the transfer. Enterprise customers can pin data to a single EU country (Austria, Germany, France, Netherlands) and prohibit any non-EEA processing.
03 Do you have ISO 27001, SOC 2, or other certifications?
ISO 27001 and SOC 2: not currently held. We operate the underlying information-security controls and provide pre-certification control evidence — control mappings, configuration, and audit logs — under NDA for serious customers. GDPR compliance is ongoing rather than a certification. We do not pursue PCI-DSS certification because we do not process payment data — Stripe does that for us.
04 Can you sign a custom DPA with our specific clauses?
Yes, on Performance and Enterprise tiers. Our DPO and legal team review your redlines, push back where we have to (we cannot accept unlimited liability or audit clauses that conflict with EU data protection law), and typically reach signature in 2-3 rounds over 2-4 weeks. €790 one-time review fee for Starter/Standard tier customers; included for Performance and Enterprise.
05 How long do you retain customer data and logs?
Sending logs: 90 days by default, up to 13 months on the Extended Log Retention add-on (€49/month). Account data: retained while you are a customer plus 90 days after cancellation for the export grace period, then deleted. DMARC reports: 12 months. Webhook delivery logs: 30 days. We publish exact retention windows in the DPA.
06 Do you support customers in regulated industries (banking, healthcare, government)?
Yes, on Enterprise tier. Common configurations: single-country data residency, custom DPA addenda, NDA before pricing discussion, on-premise hybrid deployment (some workloads in our PoPs, others on customer-owned bare metal). We have customers in EU banking, healthcare (HIPAA-style requirements via custom contractual terms), public-sector procurement, and EU regulated utilities.
07 What happens to my data if you go out of business?
Customer data is escrowed quarterly with a Vienna-based escrow agent. In the event of a wind-down, the escrow releases to customers within 30 days. You can also export your full account data (logs, suppression lists, configurations, message metadata) at any time via the portal or API. We do not lock customer data behind proprietary formats.
Migration from another provider
Moving from AWS SES, SendGrid, Mailgun, SparkPost, Postmark, or self-hosted.
01 How long does migration take?
Typical migration: 4-6 weeks end-to-end. Phase 1 (week 1): assessment of your current setup, list quality, authentication state. Phase 2 (weeks 2-3): IP warm-up on new infrastructure while you continue sending on the old. Phase 3 (week 4-6): graduated traffic shift (10% → 50% → 100%) with rollback path at each step. We do not flip the cutover in one day for any customer above 500K messages per month — that is how reputations get torched.
02 Will my existing IP reputation transfer?
Only if you BYOIP the IPs themselves. Otherwise, you are starting fresh on our IPs, which means a 4-8 week warm-up period. We can compress that for transactional traffic with strong engagement (sub-2% bounce, sub-0.1% complaint) — but cold email or low-engagement bulk has to warm at normal pace.
03 What does the Migration service include?
A dedicated migration engineer for 4-6 weeks, list-quality audit before cutover, authentication audit (SPF, DKIM, DMARC alignment), IP warm-up scheduler tuned to your engagement data, graduated rollout with rollback gates, postmaster-tools enrollment, and a written migration runbook handed to your ops team. Starts at €1,490 for Starter-class migrations, scales to ~€8,000 for Enterprise.
04 Can I run on both providers in parallel during cutover?
Yes, and we recommend it. Most customers run 90/10 → 50/50 → 10/90 → 0/100 over 2-3 weeks. Your application sends some percentage to the old provider, some to us, both routes warm and observe, and you cut over when both providers are at parity on key metrics (delivery rate, p99 inbox time). The orchestration is typically at your application level using a feature flag.
05 Do you help with DMARC enforcement during migration?
Yes. A common migration outcome is moving from p=none to p=quarantine to p=reject on DMARC, because the migration prep already required publishing aligned SPF and DKIM. We provide the rollout playbook and monitor the aggregate reports during each enforcement step so you do not start blocking legitimate mail.
06 What if migration fails halfway?
You stay on your old provider, we refund the unused portion of the migration fee, and we hand you a written debrief on why it did not work. This has happened twice in 30+ migrations — once because the customer's list quality was unfixable, once because a competitor's contract had an exit fee that made the math wrong. We will tell you upfront if we think migration is a bad idea.
Security and authentication
How we secure the platform and your data.
01 How do you authenticate API access?
Two methods: API keys (per-environment, scoped to specific operations) and OAuth2 (for human-attended workflows like the portal). API keys are rotated by you on demand and we recommend rotation every 180 days. Webhook deliveries are signed with HMAC-SHA256 — your verification key is in the portal.
02 Do you support SAML SSO?
Yes, on Performance and Enterprise tiers. We have tested integrations with Okta, Microsoft Entra ID (Azure AD), Google Workspace, and JumpCloud. Setup is 1-2 hours with your IT team. SCIM provisioning is on the roadmap for Q3 2026.
03 What is your encryption posture?
TLS 1.3 mandatory for inbound API traffic. TLS 1.2 grandfathered for legacy SMTP clients (some on-premise applications cannot upgrade), TLS 1.0/1.1 rejected. Data at rest: AES-256 on all storage (databases, log archives, backups). Customer credentials: bcrypt with high cost factor, never stored in plaintext or recoverable. API keys: hashed with HMAC-SHA256 server-side; you cannot retrieve an API key after creation, only revoke and rotate.
04 How do you handle internal access to customer data?
Least-privilege by role. Customer-support agents can see message metadata (timestamps, addresses, status, error codes) but not message content. Engineering has access to message content only during active incident investigation, with the access logged and visible to you in the audit log. We log every internal data access, retain those logs for 12 months, and review quarterly.
05 Do you have a bug bounty program?
Not a paid bounty — we are a small operating team, not a hyperscaler. Responsible disclosure to [email protected] is acknowledged within 24 hours, triaged within 5 business days, and credited in the security changelog. Serious findings are rewarded with merchandise, a public credit, and a thank-you letter. PGP key for encrypted reports at /.well-known/security.txt.
06 How do you handle backups?
Customer configurations, suppression lists, and account data are backed up every 6 hours, encrypted with AES-256, and replicated to a second EU PoP. Backup retention is 35 days. Message logs are not backed up (90-day retention is the durability tier). We test restore procedures quarterly.
Support and operations
How we run the platform day-to-day.
01 What are your support hours?
Email support: Monday through Friday, 9:00-18:00 CET, with 24h response on Starter and 8h on Standard. Phone support: included on Standard and up during EU hours. 24/7 phone + dedicated Slack channel: Performance and Enterprise. We do not outsource customer support — every ticket goes to a human in Vienna, Berlin, Lisbon, or São Paulo.
02 How do I report an outage or incident?
Three paths in order of urgency: (1) check our public status page at /status to confirm whether we already know, (2) email [email protected] with "INCIDENT" in the subject if you are on Standard or below, (3) call your dedicated number / Slack channel if you are on Performance or Enterprise. Standard support response times apply only to non-incident tickets; live incidents trigger the on-call pager regardless of your tier.
03 How do you handle scheduled maintenance?
Maintenance windows are posted on the status page two weeks in advance, with a separate email notification to customers whose specific deployment is affected. Windows are typically 01:00-06:00 UTC and use rolling upgrades that do not interrupt traffic (one node at a time across an HA cluster). The status page maintenance section shows what is coming up.
04 What is the on-call rotation?
A primary and secondary on-call engineer with PagerDuty escalation. Pages from automated monitoring (queue depth, error rate, IP blacklisting, blocklist hits) trigger response within 5 minutes 24/7. Customer-reported incidents on Performance and Enterprise tiers also trigger the pager, not just a ticket queue.
05 Can I get a dedicated technical account manager (TAM)?
Included on Performance and Enterprise. A named engineer who knows your account, joins your quarterly business reviews, and is your first escalation point for both technical and contractual questions. Not a salesperson — they cannot give you discounts, but they can prioritize your tickets and accelerate engineering changes.
06 How do you communicate during incidents?
Status page updates every 15-30 minutes during active incidents, even if the update is just "still investigating, no new information." Email to affected customers within 1 hour of detection. Post-mortem published on the status page within 48 hours of resolution. We do not redact or soften RCAs.
07 How fast do you respond to bug reports vs. feature requests?
Bug reports (anything broken or behaving against documentation): acknowledged same day, triaged within 1 business day, deployed when ready (varies by severity). Feature requests: acknowledged within 3 business days, added to a public quarterly roadmap if accepted. We do not promise feature dates — we have shipped roadmap items in 2 weeks and we have shipped them in 18 months depending on complexity.
If your question is not in the 54 above, write to us.
Most of the questions on this page came from real prospect or customer emails. If you have a question we have not answered, sending it helps every future visitor. We will reply within 24 hours and update the FAQ if the question is common enough.