Skip to content
OS Domains
Industry

Email infrastructure built for the way B2B SaaS actually sends.

B2B SaaS email infrastructure is the dedicated sending setup a software company uses for its three distinct workloads — transactional, lifecycle and product-event mail — with isolated IP reputation and stats per workload. OS Domains runs this as managed dedicated infrastructure for B2B SaaS sending 500K to 10M messages a month, where per-message SaaS pricing stops adding up and corporate Microsoft 365 and Google Workspace inboxes demand deliverability work that does not happen automatically.

B2B SaaS is our largest customer segment — about 180 active accounts out of 380. The reason it concentrates here is two-fold: the volumes (500K-10M messages/month) are where managed dedicated infrastructure beats per-message SaaS pricing, and the corporate inboxes that dominate B2B (Microsoft 365 and Google Workspace) require deliverability work that does not happen automatically. We provide a three-pool architecture out of the box — transactional, lifecycle, product-event — with isolated reputation and stats per pool.

If your SaaS sends fewer than 500K per month, our Standard plan handles you with room to grow. Above 2M/month or with high webhook event volume, Performance is the right tier.

In short

  • Three-pool architecture out of the box — transactional, lifecycle, product-event — with isolated reputation and stats per pool.
  • Sized for the 500K-10M messages/month band, where managed dedicated infrastructure beats per-message SaaS pricing.
  • Built for the B2B inbox: ~61% of B2B recipients read in Microsoft clients, which filter harder and now reject non-compliant mail outright (550 5.7.515 since May 2025).
  • REST API or SMTP, six official SDKs, and HMAC-SHA256 signed webhooks with a 7-day replay buffer.
  • Honest about fit: we point you to Resend, Postmark, SendGrid or SES when one of them is the better answer.
Key numbers
SaaS B2B customers
180+
Multi-product senders
60% have 3+ pools
Customer-side webhooks
~50M events/day
Self-serve onboarding
48-72h

How should B2B SaaS split its email workloads?

A typical B2B SaaS sender has three distinct email workloads: (1) transactional — login codes, password resets, account-action confirmations, billing notifications; (2) lifecycle — onboarding sequences, weekly digests, feature-update alerts; (3) product event notifications — someone shared a document with you, your build failed, your invoice is past due. Each has different latency requirements, different volume profiles, different reputation considerations. The customers who treat them as one workload end up with mediocre delivery across all three. The customers who treat them as three separate workloads (separate IP pools, separate stats, separate webhooks) get top-quartile inbox placement on each.

Why is B2B SaaS the largest customer segment we serve?

A large share of our customers are B2B SaaS — companies selling software to other businesses, with email as a core product surface. The reason it concentrates here is the cost-benefit math: at the volumes typical for a growing B2B SaaS (500K-10M messages/month), per-message pricing from SendGrid Pro or Mailgun adds up faster than a managed dedicated infrastructure plan. The reputation problem also concentrates here: B2B inboxes (corporate Microsoft 365 and Google Workspace) are stricter than consumer inboxes, so the deliverability work has to be done more carefully.

Which integration patterns has OS Domains tested?

Most SaaS B2B customers integrate via REST API rather than SMTP, with webhook receivers that feed back into their product (mark a notification as "delivered" in the in-app UI, retry failed sends with different content). We have validated integrations with the Node.js, Python, Go, Ruby, PHP, and Java SDKs as well as direct API access from any language. Common application frameworks integrated: Rails, Django/FastAPI, Express, NestJS, Spring Boot, Laravel. Webhook delivery is signed with HMAC-SHA256 and includes a 7-day replay buffer so a brief outage of the receiving service does not lose events.

Why is Microsoft the hardest part of B2B deliverability?

Roughly 61% of B2B recipients read mail in a Microsoft client — Outlook, Exchange Online, Microsoft 365 — against about 35% on Google, per Validity's 2025 measurement. That single fact reshapes the deliverability work. Microsoft filters harder than Gmail and filters inconsistently, because every M365 tenant layers its own policy on top of Exchange Online Protection: Mimecast, Proofpoint, Barracuda, or a custom Microsoft Defender ruleset. The same message from the same green-SNDS IP can inbox at Gmail, sit in "Other" on consumer Outlook.com, and land in tenant quarantine at one of your customer's subsidiaries. Microsoft started rejecting non-compliant high-volume mail outright in May 2025 — a hard 550 5.7.515 instead of a silent junking — so a misaligned SPF or a missing DKIM signature shows up as a bounce now, not a slow reputation tax. We monitor placement per major-tenant configuration with seed accounts that mimic the common enterprise Defender setups, tune content against the SmartScreen patterns that trip M365 quarantine, and keep a documented escalation for the case every B2B sender eventually hits: one high-value recipient tenant quarantining your transactional mail while every other receiver inboxes it.

How does OS Domains compare with Postmark, Resend, SendGrid and SES?

We lose deals to four providers, and we will tell you when one of them is the better answer. Resend has the cleanest developer experience in the category right now — React Email templates, a TypeScript SDK that matches the API exactly, a permanent 3,000-message free tier — and for an early-stage product that only needs transactional, it is hard to beat. It is also a deliberately thin layer: no SMTP relay, no inbound parsing, no subscriber management. You grow out of its scope rather than its quality. Postmark built its name on transactional reliability through Message Streams, which keep transactional and broadcast traffic on separate infrastructure so a marketing blast never delays a password reset; below about two million messages a month with no lifecycle or product-event traffic to consolidate, we point people there and do not try to win the deal. SendGrid covers the whole spectrum and prices the highest volumes the lowest, with subusers for multi-tenant separation, though the deliverability hand-holding thins as you move down its support tiers. Amazon SES is the cheapest path at scale at roughly ten cents per thousand, and you operate everything yourself. We are the managed dedicated option for the 500K-to-10M band: where per-message pricing crosses over a flat infrastructure plan, where the corporate-inbox work needs a human who knows what a tenant-level Proofpoint policy does, and where EU data residency is a procurement requirement rather than a preference.

Multi-tenant sending puts the noisy-neighbor problem on your reputation.

If your product sends on behalf of your own customers, the reputation consequences of their behavior land on your domains and IPs. The mailbox providers moved to a domain-first, user-centric reputation model across 2024 and 2025, which means a single tenant with a dirty list or a high complaint rate drags down placement for every other tenant sharing the pool. The fix is governance you have to run, and tooling that makes it possible. We support a bring-your-own-domain model where each tenant authenticates under its own domain with its own DKIM key and return-path, so reputation accrues per tenant instead of pooling into one shared liability. Tenant tiering is common among our larger SaaS accounts: paying tenants on a premium pool, free-tier tenants on a separate one, so a free-tier abuse spike cannot tax the customers who pay you. Per-tenant tagging through the X-OSD-Tenant-ID header feeds a stats API that answers group_by=tenant_id queries — per-tenant inbox placement, complaint rate, bounce rate — which is what lets you find the one tenant generating complaints before the receivers find it for you. When you do, the portal lets you throttle or quarantine that tenant's sending without touching anyone else's.

Microsoft tenant rate limits are a design constraint, not a footnote.

Exchange Online enforces limits that bite the moment your customers relay their own mail through Microsoft 365, or you send into M365 tenants at volume. The Tenant External Recipient Rate Limit caps a whole tenant at 5,000 external recipients per day — per tenant, not per mailbox — so five of your customer's sales reps each sending a thousand external messages exhaust it for everyone in that company. A separate 10,000 daily recipient ceiling counts internal and external together, and a 30-messages-per-minute cap governs automated bursts independently of the daily number. There is a quieter trap for customers who route outbound through a third party for signature management or archiving and then back into Exchange Online for final delivery: Microsoft can double-count those external recipients, and the documented mitigation is a mail-flow rule keyed on the References header. We design pool throughput and per-tenant throttles around these numbers, so a product event that fans out to a few thousand recipients inside one customer's tenant gets paced under the cap instead of tripping it and stalling the rest of that tenant's mail for the day.

Three workloads, three latency budgets, three reputations.

The split between transactional, lifecycle, and product-event mail is not an organizational nicety; the three have incompatible operating characteristics. Transactional mail — login codes, password resets, payment confirmations — needs sub-second queue-to-send and a p99 measured in single-digit seconds, and it cannot share an IP with anything that sends in bulk, because one marketing complaint spike must never delay an authentication code. Lifecycle mail — onboarding sequences, weekly digests, feature announcements — is batched and tolerant of minutes of latency, but it carries the complaint risk, so it earns its own pool where a bad send degrades only itself. Product-event mail is the spiky one: a build finished, a document was shared, an invoice went past due, fanned out as up to roughly fifty million webhook-driven events a day across our B2B base, with bursts that track your customers' working hours rather than yours. Provisioning gives each of the three its own isolated, independently warmed pool with its own stats dashboard from day one. The accounts that collapse all three onto one pool to save a day of setup get middling placement on every type at once, and the conversation that follows is usually a migration to fix what correct provisioning would have prevented.

We are the email sending layer, not a notification orchestration platform.

Multi-channel orchestrators — Courier, Knock, the open-source Novu — sit above providers like us and route a single notification across email, SMS, push, and in-app, handle templating and preference centers, and fail over between channels. For a product that needs that, we name them rather than pretend the API does it. Several of our customers run exactly that topology: Knock or a self-hosted Novu on top, us as the email provider underneath, chosen for EU residency and dedicated-pool economics. The line is clean in procurement. A notification preference center, cross-channel digesting, and channel batching are orchestration concerns, and we integrate beneath them. Email that reaches a corporate Microsoft inbox at two million a month and up, under EU data residency, with the per-tenant data to prove placement, is the part we own. Mechanically the integration is unremarkable, which is the point: the orchestrator calls our send endpoint with the rendered message and a tenant tag, we return a message ID, and our webhooks feed delivery state back so the orchestrator can decide whether to escalate to another channel. Being underneath an orchestration layer changes none of the pool architecture, the per-tenant reputation accounting, or the EU residency guarantees — those hold whether the call originates from your application directly or from a Knock workflow three hops upstream. Keeping that scope is deliberate: a self-hosted Novu plus our API leaves both the notification logic and the email data on infrastructure you control, which is the configuration a privacy-sensitive buyer tends to land on.

How we solve it

The specific capabilities that matter for this use case.

01

Three-pool architecture out of the box

Provisioning includes a transactional pool, a lifecycle pool, and a product-event pool by default. Each isolated, each independently warmed, each with separate stats dashboard.

02

Webhook events for product feedback loops

Every state change (queued, delivered, deferred, bounced, opened, clicked) delivered to your endpoint within 1 second. Drives in-app "message sent" indicators, retry workflows, audit logging.

03

SSO via SAML on Performance and Enterprise

Customer portal supports SAML SSO with Okta, Microsoft Entra ID (Azure AD), Google Workspace, JumpCloud. Setup is 1-2 hours with your IT team. SCIM provisioning on the roadmap for Q3 2026.

04

Per-customer-of-yours stats and reputation

For B2B SaaS sending on behalf of their own customers (multi-tenant), per-tenant tagging via X-OSD-Tenant-ID surfaces per-tenant inbox placement, complaint rate, and bounce rate. Lets you debug a specific customer's deliverability.

05

Six official SDKs

Node.js, Python, Go, Ruby, PHP, Java — all with retries, type safety where the language supports it, and generated from the OpenAPI spec so they never drift from the implementation.

06

Production-grade test environment

A sandbox API key sends messages to a controlled sink (not real recipients), with the same response shapes and webhook events as production. Lets you wire integration tests without leaking real emails.

Common challenges

What we see go wrong, and how we fix it.

Corporate Microsoft 365 stricter than consumer Gmail

B2B inboxes are dominated by Microsoft 365 with enterprise security policies (ATP, Safe Links, EOP quarantine). A campaign that hits 97% Gmail inbox can hit 85% Outlook quarantine. The fix is per-tenant allowlisting for high-value B2B recipients and content tuning to avoid the SmartScreen triggers.

Multi-tenant reputation accountability

If you send on behalf of your own customers and one of them generates complaints, the reputation hit lands on your IPs. Some SaaS customers segregate by tenant tier (paid tenants on premium IPs, free tier on a separate pool). We support that pattern; the tooling is in the customer portal.

Migrating from SendGrid mid-growth-phase

A SaaS that scaled to 5M/month on SendGrid Pro and wants to move to us faces a 4-6 week migration with parallel-run and reputation transition. The Migration Service exists for this; the most common reason customers do not engage it is they underestimate the work — and then come back 3 months later asking for help with the deliverability damage.

The same email inboxes at Gmail and quarantines at one M365 tenant

Per-tenant Defender, Mimecast, or Proofpoint policies make inbox placement a property of each receiving tenant rather than of your message. We monitor placement across representative enterprise configurations and keep a release-from-quarantine playbook, because once a recipient releases your mail from their tenant quarantine, future placement to that tenant improves measurably.

A phishing report costs far more than a junk vote

On Microsoft, a recipient reporting your mail as phishing damages sender reputation much more sharply than a junk classification, and the damage lasts. For B2B senders the risk concentrates in cold or semi-cold lifecycle sends to corporate addresses, so we isolate those onto their own pool and watch the phishing-report signal specifically.

FAQ

Questions we get the most.

01

How does this compare to Postmark for transactional?

Postmark is excellent for pure transactional at moderate volume (sub-2M messages/month) and we recommend it to customers below that threshold who do not also have lifecycle and product-event traffic to consolidate. Above 2M/month or when you need separate IP pools for transactional/lifecycle/product or when you want phone support included, we are typically cheaper at TCO and give you more operational levers.

02

Can I use OS Domains for one workload and another provider for the rest?

Yes. About 30% of our B2B SaaS customers run a hybrid setup — us for one or two workloads, another provider for the rest. Common pattern: us for transactional (where deliverability matters most), Mailgun or SES for marketing (where price matters most). We do not require consolidation.

03

Do you support multi-tenant SaaS where each tenant has their own sending domain?

Yes. Up to 200 sending domains per account, each authenticated separately. Some customers go further and create separate sub-accounts for their largest tenants (separate API keys, separate billing on a parent invoice). Talk to sales for the multi-account configuration if you have 50+ high-volume tenants.

04

What is the typical onboarding for a 1M/month SaaS?

Day 1: order form signed, DNS records published, API keys issued. Days 2-5: dev integration via Node.js or Python SDK, sandbox testing. Days 6-14: phased traffic shift starting at 10% with reputation monitoring. Days 15-21: full traffic and decommission of the previous provider. Migration Service handles this end-to-end for €1,490-2,990 depending on complexity.

05

Can I get analytics on per-end-customer email engagement?

Yes via X-OSD-Tenant-ID tagging. The stats API supports group_by=tenant_id queries that return per-tenant delivery rates, bounce rates, complaint rates. Some customers feed this into their own analytics warehouse for cross-product deliverability views.

06

Why not simply use Resend or Postmark instead of dedicated infrastructure?

For pure transactional under about two million messages a month, that is often the right call and we say so. The crossover comes when you add lifecycle and product-event volume that wants its own pools, when per-message pricing on those providers passes a flat dedicated plan, or when EU data residency becomes a contractual requirement your buyer's security team writes into the order. Below that line, the developer experience of Resend and the deliverability focus of Postmark are hard to beat, and we will tell you to stay there.

07

How do you handle deliverability to a customer whose tenant runs Proofpoint or Mimecast?

Those gateways sit in front of Exchange Online and apply their own rules, so passing Microsoft's native checks is necessary but not sufficient. We authenticate cleanly — aligned SPF inside the ten-DNS-lookup limit, per-stream DKIM, DMARC at enforcement — and keep the sending domain history clean. When a specific gateway still filters, we work the release path: getting one recipient inside that tenant to release the message from quarantine, which teaches the gateway to trust the sender. For named high-value recipients, we document an allowlisting request your customer's IT can apply directly.

08

What does EU data residency actually mean for a B2B SaaS using your API?

Message content, recipient data, event logs, and the webhook payloads we retain all stay on EU infrastructure under an Austrian legal entity, with no US parent in the processing chain. For a SaaS selling into European enterprises or regulated sectors, that takes the Schrems II transfer question off your subprocessor review: your buyer's security team can list us as an EU processor without a transfer impact assessment for the email leg. The effect shows up in procurement, where the email-vendor row stops being the one that holds up the security questionnaire.

09

How reliable are the webhooks our product depends on for delivery state?

Every state change — queued, delivered, deferred, bounced, opened, clicked — is signed with HMAC-SHA256 and delivered to your endpoint, with a 7-day replay buffer so a brief outage of your receiver does not lose events. Events carry a stable message ID and an idempotency key, so your handler can dedupe redelivery safely. If your endpoint returns a non-2xx, we retry on an exponential backoff across the buffer window, and the portal lists undelivered webhook batches you can replay by hand. The design assumption is that your in-app "message sent" indicator and your retry workflows read this stream, so a lost event is treated as a delivery failure on our side rather than yours.

10

Do you support separate sending for staging and production?

Yes. Most SaaS customers run a sandbox subdomain and pool for staging and test traffic, isolated from production reputation, so a load test or a QA run never touches the IPs that carry real customer mail.

Ready to talk

Schedule a 45-minute architecture call with an engineer.

No salesperson, no commission, no qualification rounds. Tell us what you are trying to do, we tell you whether we are a fit, and you walk away with a recommendation either way.

Phone +43 1 205 11 80 Mon–Fri · 9–18 CET
Email [email protected] Avg response 4h business
Office Fleischmarkt 1, 1010 Wien By appointment