Skip to content
OS Domains
Use case

Notification bursts at scale. Without the choke.

OS Domains runs high-volume notification email infrastructure for SaaS, fintech, and monitoring platforms whose traffic is bimodal — a low steady state, then bursts of hundreds of thousands of messages when a triggering event fans out across a customer base. Burst headroom is pre-provisioned on every PoP to absorb up to 5M messages per hour per PoP at a p99 submission latency near 180ms, under a 99.99% SLA, with EU data residency. Transactional, notification, and marketing streams stay on separate IP pools, so a complaint on one never reaches the reputation of the alerts that matter.

Notification workloads are bimodal: low steady-state, sudden bursts when a triggering event fires across your customer base. The infrastructure question is whether the burst lands in seconds or queues for minutes — most providers handle steady state fine and choke on the burst. We are designed for the burst case, with pre-provisioned 2× headroom on every PoP and burst-absorption capacity that scales to 5M messages per hour per PoP without throttling.

If your steady state is below 100K/month, Standard works. Above that, or if you anticipate bursts above 100K in a 15-minute window, Performance is the right tier.

In short

  • Bursts absorbed to 5M messages per hour per PoP on 2× pre-provisioned headroom — no autoscale cold-start sitting in the critical path of a time-sensitive alert.
  • p99 submission latency held near 180ms even mid-burst, dispatch within minutes across the recipient set, because burst capacity is reserved warm rather than scaled on demand — under a 99.99% SLA.
  • Separate IP pools for transactional, notification, and marketing traffic: a complaint spike on one pool leaves the others at full inbox placement.
  • Per-recipient-domain and per-tenant pacing keeps a concentrated fanout under Microsoft 365’s 5,000/day external-recipient tenant cap instead of exhausting it in one spike.
  • Webhooks within 1 second of each state change, with 30-minute retry then a 7-day replay buffer for endpoint outages during incident peaks.
Key numbers
Peak burst capacity
5M msg/h
P99 submission latency
180ms
SLA
99.99%
Webhook retry
7-day buffer

Notifications: alerts, status changes, daily digests, sub-second time pressure.

High-volume notifications sit between transactional and marketing in volume but are time-sensitive like transactional. Examples: SaaS product notifications (someone mentioned you, your build failed, your invoice is due), financial alerts (balance threshold, fraud detection, security advisory), operational pages (your incident is escalating, your deployment finished, your monitoring alert fired). The volume is high — sometimes millions per day across a customer base — but each individual message needs to land in seconds because there is a recipient waiting for it. The infrastructure problem is sustaining peak send rate without sacrificing per-message latency.

Why do most providers choke on the burst rather than the steady state?

A notification burst is bimodal: 95% of the time you are sending at 1-5K/hour, then a triggering event — a deployment, a market move, a security incident at one of your customers — causes you to send 500K in 15 minutes. Most providers handle the steady state fine and choke on the burst. The choke takes different forms: SES rate-limits and queues internally with a multi-minute delay; SendGrid Pro throttles to protect shared infrastructure; managed services with hourly capacity caps reject submissions until the rate window resets. We design for the burst case specifically: 2× headroom on every PoP, burst-absorption capacity pre-provisioned, separate dispatch queues for time-sensitive vs background traffic.

What makes notifications different from marketing or transactional?

Notifications differ from marketing because the recipient is genuinely waiting (engagement is not optional, it is the entire point). They differ from transactional because the volume per event can be 100-1000× the steady state. They share with transactional the requirement for low latency, and share with marketing the requirement for high throughput. Most senders in this category run a hybrid setup — a small transactional pool for OTPs and password resets, a notification pool that scales for bursts, and sometimes a separate marketing pool. We support all three on the same account with separate IP pools, separate stats, separate webhook routing.

Is a notification transactional or marketing for compliance?

The word "notification" hides a consent question, and the answer decides which rules apply. A genuine operational alert — your build failed, your invoice is past due, a login from a new device — is transactional, and it reaches the recipient without marketing consent because the recipient asked for the underlying service. A "notification" that promotes a feature, invites you to a webinar, or nudges an upsell is marketing in substance no matter which system sends it, and it needs consent and a working one-click unsubscribe under the Gmail and Yahoo sender rules and under GDPR. The temptation is to route the promotional kind through the notification pipeline to skip the unsubscribe flow, and it backfires every time: a recipient who cannot opt out of something plainly promotional reaches for the spam button instead, and the complaint lands on the pool that was supposed to stay clean for the alerts that matter. We separate the streams at the pool and policy level — true transactional and operational notifications on a pool with no marketing mixed in, anything carrying a promotional element on a pool that publishes List-Unsubscribe and honors preferences. The classification is not bureaucracy; it is what keeps the reputation of the genuine alerts intact.

We are the delivery layer under an orchestrator, not the orchestrator.

A growing share of notification systems run an orchestration layer on top — Courier and Knock are the common ones — that routes a single notification across email, SMS, push, in-app, and Slack according to user preference and fallback rules like "try in-app first, fall back to email if unseen within ten minutes, escalate to SMS for a high-priority alert." We are not that layer, and for a product that needs genuine multi-channel routing with a preference center we will name it rather than pretend an email API covers the job. What we are is the email leg those orchestrators route into, chosen for EU residency and the pre-provisioned burst capacity the category demands. The topology is common among our customers: an orchestrator, or a self-hosted equivalent such as Notifuse, sitting on top, with us as the email provider underneath. The integration is plain — the orchestrator calls our send endpoint with the rendered message, a priority flag, and a tenant tag, we return a message ID, and our webhooks feed delivery state back so the orchestrator can decide whether to escalate to another channel. Being underneath the orchestration layer changes none of the burst handling, the per-tenant pacing, or the residency guarantees, which hold whether the call comes from your application directly or from a Knock workflow upstream.

Who owns notification sprawl across teams?

Notification volume is rarely owned by one team. Marketing sends campaigns, product sends lifecycle and feature alerts, customer success sends check-ins, sales sends follow-ups, and engineering sends the transactional traffic, and no single team sees the total a given recipient receives across all of it. The audit that counts messages per user per week tends to shock the people who run it, because the aggregate is always higher than any one team assumed. That matters for deliverability, because mailbox providers judge the cumulative experience: a recipient buried under touches from five teams complains, and the complaint does not care which team sent the message that broke the patience. We make the total picture visible — per-tenant and per-stream volume through the X-OSD tagging headers, queryable so you can see how many touches a recipient is getting across streams rather than within one. We support cross-stream suppression as well, so a complaint can suppress every non-transactional message to that recipient for a cooling-off window while the genuine alerts still get through. Deliverability in 2026 is shared ownership across marketing, product, engineering, and legal, and the only way to govern it is to see it in one place.

The burst is a per-provider problem, and the providers do not burst the same way.

A notification burst is not one delivery problem; it is a different problem at each receiving provider, firing at once. A fanout of fifty thousand alerts in fifteen minutes is comfortable for Gmail, which tolerates a high rate from a trusted sender, while Yahoo defers aggressively and asks you to slow down, and Microsoft applies a constraint most senders forget until it bites: the tenant external-recipient rate limit caps a whole Microsoft 365 tenant at five thousand external recipients a day. When a fanout concentrates inside one large customer — a status-page incident alerting every user at a single enterprise — those few thousand messages can exhaust that tenant's daily allowance and stall the rest of its mail, including mail that has nothing to do with you. Our scheduler smooths the rate per recipient domain and, for Microsoft, per tenant, so no single provider and no single customer tenant sees the whole burst at once. The steady-state send rate is never the hard part; the hard part is shaping a spike so that the providers most likely to throttle never see a spike at all.

Why do steady-state latency benchmarks mislead for this category?

A latency number quoted without the load it was measured under is close to meaningless for this category. Most providers publish a median measured at steady state, and the number that decides whether a fraud alert or an outage page lands in time is the p99 latency during the burst, when queues are deepest. The difference usually comes down to how capacity is added. A platform that autoscales into a burst pays a cold-start penalty measured in minutes precisely when a time-sensitive alert cannot absorb it, so the scaling event itself sits in the critical path and the steady-state number stops describing reality. We pre-provision burst headroom on every point of presence rather than scaling on demand, which means the capacity is already warm when the spike arrives and there is no scaling event between submission and dispatch. The result is a p99 submission latency held around 180 milliseconds and dispatch within minutes even mid-burst, not because the steady-state pipe is fast, but because the burst capacity was paid for before the burst rather than summoned during it.

When is email the wrong channel for an alert?

Email is a strong default for notifications, and it is the wrong primary channel for an alert measured in seconds. A pager escalation, a fraud block, an outage that is actively worsening — these need a channel that delivers in seconds with a read receipt, and email delivery into a corporate mailbox can take minutes through a tenant gateway no matter how clean the sender is. For those, SMS, push, or a Slack message is the right front line, with email as the durable record and the fallback. We are an email provider, so the real-time critical-alert leg is not ours to run, and we will name the orchestrator and the SMS or push provider for it rather than imply that an email API solves a latency requirement that belongs to a different medium. Where email is the right tool is the large surface of notifications that do not turn on a single second: the daily digest, the build-finished note, the invoice reminder, the security advisory that needs to arrive reliably and become part of the record. Drawing that line honestly tends to earn more trust than claiming the inbox answers every alert, because the buyer has usually already watched an email-only alerting setup miss a deadline that mattered.

Batching low-priority notifications into a digest protects deliverability.

Not every notification needs to be its own email. Bundling low-priority, non-time-critical notifications into a scheduled digest cuts the per-recipient send frequency, and frequency is one of the signals that drives complaints and unsubscribes. A user who receives twenty separate "someone commented" emails in a day starts marking them as spam; the same twenty arriving as one daily digest stay welcome. The deliverability win is direct. Fewer sends to the same recipient means a lower chance of fatigue-driven complaints and a higher average engagement per message, which is exactly the ratio mailbox providers reward when they decide placement. We support scheduled digest windows and per-recipient frequency caps, so the application can mark a notification as digest-eligible and let the platform bundle it, while a genuinely time-sensitive alert bypasses the digest and dispatches immediately. The design question for each notification type is whether the recipient needs it in seconds or needs it in a daily summary, and routing the second kind into a digest protects the reputation the first kind depends on. The teams that turn every product event into its own email are the ones whose engagement quietly erodes and whose complaint rate creeps toward the filtering threshold; the teams that batch aggressively keep the inbox relationship healthy and the genuine alerts trusted.

How we solve it

The specific capabilities that matter for this use case.

01

Burst capacity to 5M/hour per PoP

Pre-provisioned burst headroom on every PoP means a 500K message burst submits within 6 minutes and dispatches within 12. No pre-warming required for predictable bursts.

02

Separate queues for time-sensitive traffic

Mark messages with priority=high via the API and they bypass any per-customer batch queues, going directly to the per-IP dispatch lane.

03

Real-time webhooks with 7-day replay

Every event (queued, delivered, bounced) delivered within 1 second of state change. If your endpoint is down, we retry for 30 minutes then buffer for 7 days for replay.

04

Customer-level fanout rate control

When a single triggering event causes a fanout (e.g., status page incident → 50K customer alerts), we throttle per-recipient-domain to avoid hitting mailbox-provider abuse thresholds.

05

PagerDuty integration for our on-call

If your notification latency or delivery rate degrades, our on-call engineer is paged within 5 minutes — your problem becomes our problem before you have to write a ticket.

06

Status API at 60 req/min

Programmatic check on our platform health so your application can adapt (queue locally, fall back, alert your team) when we are degraded. Status data freshness <60 seconds.

Common challenges

What we see go wrong, and how we fix it.

Fanout to many recipient mailbox providers in one event

Sending 50K messages in 5 minutes to a mix of Gmail, Outlook, Yahoo, and corporate Exchange is fine for Gmail but Outlook will rate-limit and Yahoo will defer. Our scheduler smooths the per-provider rate automatically so no single provider sees the full burst at once.

Webhook endpoint outages during incident peaks

Your webhook handler is most likely to fail during the moment you most need it (when 500K events are firing in 15 minutes). Our 7-day replay buffer covers this; once your endpoint is back, we replay every missed event in order with the original timestamps.

Cross-PoP failover during regional outages

Performance and Enterprise customers have multi-PoP routing — if a PoP loses transit, traffic shifts to the alternate PoP within 30 seconds. Starter and Standard are single-PoP and would see the outage; we recommend Performance for any notification workload that cannot tolerate a 1-hour regional outage.

Misclassifying promotional content as a notification

Teams sometimes route a feature announcement or a webinar invite through the notification system to skip the marketing unsubscribe flow, and it backfires: the recipient who cannot unsubscribe from what is plainly promotional reaches for the spam button instead, and the complaint lands on the notification pool that was supposed to stay clean. We keep promotional content off the transactional and operational pools by policy, and anything with a marketing element carries List-Unsubscribe and honors preferences, because that classification is what protects the pool reputation the genuine alerts depend on.

A fanout concentrated in one customer tenant trips their cap

When a triggering event fans out fifty thousand alerts and a few thousand land inside a single customer's Microsoft 365 tenant, the tenant external-recipient limit of five thousand a day can trip, which stalls your notifications and the rest of that tenant's mail for the window. Our scheduler paces per recipient domain and per tenant, so a storm into one large customer is spread under their cap rather than exhausting it in a burst.

FAQ

Questions we get the most.

01

How fast can I send 1 million notifications?

On Performance tier, 12 minutes from API submission to recipient MX hand-off across the full message set, sustained. Burst capacity scales beyond that with notice. Enterprise customers with pre-provisioned burst windows have hit 5M in 60 minutes; we typically recommend spreading those over a longer window to protect your reputation at the recipient side rather than ours.

02

Do you support batch send endpoints?

Yes. POST /v2/send accepts arrays up to 1,000 recipients per request, each rendered from a shared template with per-recipient merge variables. Submission latency is identical for batched vs individual — we tune for whichever your application produces more naturally.

03

What happens if my webhook handler is down during a burst?

We retry every event for 30 minutes with exponential backoff. After 30 minutes, the events go into a 7-day replay buffer. Once your endpoint returns 200 OK, we drain the buffer in chronological order with original timestamps. You can also trigger a manual replay via the API for a specific date range.

04

How do you handle deliverability for transactional + notification + marketing on one account?

Three separate IP pools, each with its own reputation history at every mailbox provider. The portal shows per-pool dashboards. If one pool has a complaint spike, only that pool's reputation is affected — the others continue at full inbox placement. Some customers go further and split by sub-product (e.g., billing notifications on one pool, security alerts on another).

05

Can I send notifications in 7+ languages with different templates per recipient locale?

Yes. Store templates per locale (welcome-en, welcome-de, welcome-pt-br), pass locale and recipient_id in the data object, we render the right template server-side. Or pass html/text directly per message — the API accepts either pattern.

06

Is a product notification transactional or marketing for compliance?

It depends on content, not on the system that sends it. A genuine operational alert — your build failed, your invoice is due, a security advisory — is transactional and reaches the user without marketing consent. A notification that promotes a feature, an upsell, or an event is marketing in substance and needs consent and a working one-click unsubscribe under the Gmail and Yahoo rules and under GDPR. We keep the two on separate pools and policies, because routing promotional content through a transactional pool to dodge the unsubscribe requirement is the fastest route to a complaint spike that damages the alerts you cannot afford to lose.

07

Do you replace Knock or Courier?

No, and for true multi-channel orchestration we name them. Knock and Courier sit above email providers and route a notification across email, SMS, push, in-app, and Slack based on user preference and fallback rules, with a preference center built in. We are the email leg those orchestrators route into, chosen for EU residency and pre-provisioned burst capacity. The common topology among our customers is an orchestrator or a self-hosted equivalent on top, us as the email provider underneath; the orchestrator calls our send endpoint and our webhooks feed delivery state back so it can decide whether to escalate to another channel.

08

How do you hold p99 latency low during a 500K burst, beyond the steady-state number?

By pre-provisioning the burst headroom rather than autoscaling into it. A platform that scales capacity on demand adds a cold-start delay measured in minutes at exactly the moment a time-sensitive alert cannot tolerate it, so the steady-state latency number stops describing what happens during the event. We hold p99 submission latency at 180 milliseconds and dispatch within minutes mid-burst because the capacity is already warm and reserved on every point of presence, which means there is no scaling event sitting in the critical path of an alert someone is waiting on.

09

Can we batch low-priority notifications into a digest?

Yes. Mark a notification as digest-eligible and the platform bundles it into a scheduled window — hourly, daily, or a custom cadence — while anything flagged time-sensitive bypasses the digest and dispatches immediately. Per-recipient frequency caps sit alongside it, so a single recipient never receives more than the threshold you set in a window. Batching is one of the most effective ways to keep a high-volume notification program below the complaint rate that triggers filtering, because it lowers per-recipient frequency without dropping any signal.

Ready to talk

Schedule a 45-minute architecture call with an engineer.

No salesperson, no commission, no qualification rounds. Tell us what you are trying to do, we tell you whether we are a fit, and you walk away with a recommendation either way.

Phone +43 1 205 11 80 Mon–Fri · 9–18 CET
Email [email protected] Avg response 4h business
Office Fleischmarkt 1, 1010 Wien By appointment