Skip to content
OS Domains
Use case

Password resets, OTPs, receipts. Delivered in seconds.

Transactional email is the mail recipients are actively waiting for — password resets, one-time codes, order and shipping confirmations — where median delivery time and SLA reliability matter more than open rate or copy. OS Domains tunes its platform for this: low-latency send paths, authentication treated as a delivery gate, and exactly-once handling for codes and payment confirmations, for senders who need transactional mail to arrive in seconds and never silently fail.

Transactional messages are the ones recipients are actively waiting for: password resets that should arrive before they switch tabs, OTPs that must beat the 30-second countdown, order confirmations that close a purchase loop, shipping notifications that prevent support tickets. Median delivery time matters more than open rate. SLA reliability matters more than clever copy. The infrastructure considerations are different from marketing, and our platform is tuned accordingly.

We have customers sending 100K transactional messages per month and customers sending 30M+. Same platform, same SLA tiers, same on-call rotation — the architectural concerns scale linearly.

In short

  • Optimized for median delivery time and SLA reliability, not open rate — the metrics that matter for awaited mail.
  • Authentication (SPF, DKIM, DMARC alignment) treated as a delivery gate, since transactional mail is now filtered on it too.
  • Exactly-once handling for OTP and payment confirmations, not best-effort sends that can duplicate or drop.
  • Apple Mail Privacy Protection is a non-issue here, which keeps the delivery metrics honest.
  • Honest about fit: where email is the wrong channel for a code, or where SES is cheaper for your shape, we say so.
Key numbers
Median delivery time
1.4 s
P99 delivery time
3.8 s
Inbox placement
97-99%
SLA
99.99%

Why is transactional email a different problem than marketing?

Transactional messages — password resets, OTPs, order confirmations, shipping notifications, account alerts — have to arrive within seconds of the triggering event, every time, regardless of the time of day or the volume that day. Inbox placement matters less than delivery latency and SLA reliability, because the recipient is actively waiting for the message in front of a screen. A 30-second delay on an OTP is a customer service ticket; a 5-minute delay is a churned account. This is a different problem from marketing email and it benefits from being treated as one.

Why do transactional senders move from AWS SES?

SES is the most common starting point for transactional email because it is the cheapest per-message. Customers tend to outgrow it for three reasons: (1) the IP warmup process is entirely DIY and most teams underinvest in it, leading to throttling at Gmail and Outlook when volume spikes during a launch or a Black Friday-type event; (2) when something goes wrong, the path to a human at AWS who actually understands email is gated by Business Support pricing and not optimized for the case where you need an answer in 30 minutes, not 30 hours; (3) the burden of monitoring deliverability across mailbox providers, parsing DMARC reports, and managing IP reputation falls on the customer team, who almost always have other things to do.

What does OS Domains change for transactional senders?

Three things are tuned differently for transactional traffic on our platform versus marketing. First, message priority queueing: transactional messages bypass any per-customer batch queue and go directly to the per-IP dispatch lane, with a separate rate limit pool. Second, we warm IPs assigned to transactional pools faster because engagement signals are unambiguous (recipients open password resets and shipping notifications at high rates, fast). Third, the on-call rotation has separate paging thresholds for transactional latency anomalies — if median delivery latency exceeds 3 seconds for a single customer for more than 5 minutes, the on-call engineer is paged regardless of overall platform health.

Is authentication required for transactional email?

The bulk-sender rules Gmail, Yahoo, and Microsoft rolled out from February 2024 onward do not exempt transactional traffic the way many teams assume. The thresholds count all mail from a domain, so a SaaS sending password resets and shipping notices from the same domain as its newsletters inherits the requirement: aligned SPF inside the ten-DNS-lookup limit, a valid DKIM signature on every stream, and a published DMARC policy. Microsoft began rejecting non-compliant high-volume mail outright in 2025, returning a hard 550 rather than a silent junking, which for an OTP means the code never arrives and the login simply fails. The failure is invisible from the sending side unless you are watching bounces per provider, because the request returns a normal acceptance and the rejection happens downstream. We authenticate transactional pools to enforcement by default, monitor the per-provider acceptance and bounce signals specifically for the transactional streams, and alert on a rejection-rate change at a single provider before it turns into a wave of "I never got the code" tickets. Fast delivery and correct authentication are the same requirement now: an unauthenticated OTP is not a slow OTP, it is a missing one.

Apple Mail Privacy Protection is a non-issue here, and that clarifies the metrics.

Marketing teams spent the last few years adjusting to Apple Mail Privacy Protection inflating open rates, and the reflex is to ask how it affects transactional sending. It does not, because open rate is not a metric that matters for transactional mail in the first place. Nobody optimizes a password reset for opens; the recipient is in front of the screen waiting, and the only questions are whether the message arrived and how fast. That clarity is a feature of the workload. The signals we hold transactional pools to are delivery confirmation from the recipient mailbox, end-to-end latency from API submission to MX acceptance, and bounce rate per provider — none of which Apple prefetching can distort. When a customer migrating from a marketing-oriented platform asks us to report opens on their OTP stream, we steer them to the numbers that actually predict a working login: median and p99 latency, provider-level acceptance, and the rate of duplicate sends suppressed by idempotency. The absence of the open-rate distraction is part of why transactional deserves its own pool, its own dashboard, and its own paging thresholds.

The SES economics that look cheap until you price the whole thing.

Amazon SES advertises ten cents per thousand messages, and on the headline number nothing beats it. The total cost shows up in the line items underneath. The free tier that used to cover sixty-two thousand messages a month was cut in 2023 to three thousand for the first year only, a dedicated IP is a separate monthly charge of around twenty-five dollars, the Virtual Deliverability Manager that gives you usable reputation insight is a paid add-on, and AWS data-transfer fees apply on top. None of that is the real cost, though. The real cost is operational: SES hands you a raw sending pipe and leaves IP warmup, DMARC report parsing, blocklist monitoring, and per-provider reputation management to your team, and the path to a human who understands email runs through Business Support pricing and is not built for the case where an OTP latency spike needs an answer in thirty minutes rather than thirty hours. Teams move to us when the engineering time spent operating SES, plus the add-ons, plus the cost of the launch where unwarmed IPs got throttled at Gmail, adds up past a managed plan that includes the warmup, the monitoring, and the on-call engineer in the base price. The crossover is rarely about the per-message rate. It is about who does the work.

How are OTP and payment confirmations handled?

A password reset that sends twice is an annoyance; a payment confirmation that sends twice can trigger a duplicate support escalation or a fraud flag, and an OTP that races a retry can lock a user out of their own login. Transactional flows are full of these exactly-once requirements, and the infrastructure has to treat them as first-class rather than assume the application handles deduplication. We accept an Idempotency-Key header on every send, and a duplicate call carrying the same key within a twenty-four-hour window returns the original response instead of dispatching a second message, which makes a retry after a timeout safe rather than dangerous. The webhook stream that reports delivery state carries the same key, so the application can reconcile what was actually sent against what it intended to send. For OTP specifically, the expiry window is part of the design: a code that takes three minutes to arrive because a tenant quarantined it is functionally expired before it lands, so we treat per-tenant OTP latency as a reputation problem to solve at the IP level rather than a delay to tolerate. The category rewards infrastructure that assumes the application will retry and is built to make retries harmless.

Where email is the wrong channel for the code, and we will say so.

Email is a strong default for transactional delivery, and it is not always the right channel for a one-time code. A login flow that demands the second factor inside a thirty-second countdown is fighting the inherent variability of email delivery to corporate mailboxes, where a tenant gateway can add two or three minutes regardless of how clean the sender is. For those flows, SMS, an authenticator app, or a push-based factor is the better primary channel, with email as the fallback rather than the front line. We are an email provider, so the SMS or RCS leg is not something we run, and we will name a specialized provider for it rather than pretend an email API solves a latency problem that belongs to a different medium. What we do well is the email side of a multi-factor design: the account-recovery link, the new-device notification, the confirmation that a factor was changed, and the OTP for flows where a few seconds of variance is acceptable. Drawing that line honestly in an evaluation tends to build more trust than claiming email answers every authentication-delivery question, because the buyer has usually already felt the corporate-inbox latency problem firsthand.

What we SLA, and what we are honest about not controlling.

A reliability claim is only useful if it is precise about its own boundary. We SLA the part of the path we control: the latency from API submission to hand-off at our MTA sits under two hundred milliseconds at p99, and the platform availability target is 99.99% with service credits of five percent per tenth of a percent below it. We deliberately do not put a sub-two-second guarantee on end-to-end delivery, because the last hop depends on the recipient mailbox, and a corporate Exchange server or a legacy on-premise gateway can respond slowly for reasons no sending platform can fix. What we measure and publish is the median, which sits around 1.4 seconds across major providers, and the p99 around 3 to 4 seconds, with the slow tail attributable to recipient infrastructure rather than ours. When an incident does hit the platform side, the incident commander pages affected customers within thirty minutes of detection, Performance and Enterprise accounts get a war-room invitation with our engineering, and a written root-cause analysis follows within forty-eight hours. The honesty about the boundary is the point: a vendor that puts an SLA on something it does not control is writing a check the recipient mailbox will bounce.

Suppression discipline for transactional is different from marketing.

Marketing sending leans on aggressive suppression — once an address bounces or complains, you stop, because the cost of sending again outweighs the value of the message. Transactional sending cannot be that blunt, because the message is one the user asked for and may urgently need. A hard bounce on a password-reset address still has to surface to the application so it can prompt the user to correct the address on file, rather than silently dropping the only path back into the account. We keep transactional suppression scoped tightly: hard bounces and explicit complaints suppress, transient deferrals retry on a backoff, and the webhook reports each outcome so the application decides what to do rather than the platform making an irreversible call on a message the user is waiting for. The discipline is narrower on purpose, because over-suppressing transactional mail locks people out of their own accounts.

How we solve it

The specific capabilities that matter for this use case.

01

Sub-second submission latency

POST /v2/send returns within 80ms p95 across all PoPs. The actual delivery to recipient MX happens within 1-2 seconds for major mailbox providers thanks to direct IX peering.

02

Separate transactional IP pools

Transactional IPs are kept separate from marketing or cold-email pools in your account, so a marketing-send reputation event cannot affect your password-reset deliverability.

03

Idempotency keys built in

Pass Idempotency-Key header — duplicate API calls within 24 hours return the original response instead of sending twice. Critical for OTP and payment-confirmation flows.

04

Per-message tagging for stats

X-OSD-Campaign-ID and X-OSD-Template-ID headers segment your stats without needing subaccounts. See per-OTP deliverability separately from per-shipping-notification.

05

Webhook for every state change

queued / delivered / bounced / deferred / complained events delivered with HMAC-SHA256 signing. Drives your in-app notification when the recipient mailbox actually accepts.

06

24/7 phone for Performance and Enterprise

When a 4am Sunday OTP latency spike happens, you get a human on the phone within 1 hour. Performance and Enterprise tiers include this; Starter/Standard customers can add as an option.

Common challenges

What we see go wrong, and how we fix it.

Volume spikes during product launches

A launch or a Black Friday event can 10× transactional volume in one hour. We pre-warm extra capacity on request with 7 days notice; without notice, our default headroom is 2× sustained rate, which covers most spikes but not extreme ones.

OTP delivery delays at Microsoft 365

Some Microsoft 365 tenants apply quarantine policies that delay even properly-authenticated OTPs by 2-3 minutes. The fix is either tenant-side allowlisting (we provide the IPs) or routing OTPs through a dedicated IP with established reputation specifically for that tenant.

Reputation cross-contamination

A customer running both transactional and aggressive cold email on the same domain will see their transactional inbox placement degrade. We require separate subdomains for transactional vs cold; one cannot share reputation with the other.

An OTP that beats a 30-second countdown is the hardest ask

A login that requires the code inside a thirty-second window is asking email to win a race it does not always control, because a corporate tenant can add minutes of gateway delay to a perfectly authenticated message. We solve what is solvable — dedicated reputation per high-value tenant, enforcement-grade authentication, priority queueing — and we are direct that for the tightest countdowns a non-email second factor with email as fallback is the more reliable design.

Silent downstream rejections after a provider tightens rules

When Microsoft or Gmail tightens enforcement, a previously fine transactional stream can start getting rejected downstream while the send API still returns a normal acceptance, so the failure is invisible unless someone is watching bounces per provider. We monitor per-provider acceptance for the transactional pools specifically and alert on a rejection-rate change before it becomes a wave of missing-code tickets, which is the difference between catching it in an hour and hearing about it from support volume.

FAQ

Questions we get the most.

01

Can you guarantee sub-2-second delivery?

Median, yes — we measure median around 1.4 seconds across major mailbox providers. P99 is 3-4 seconds because some recipient mailboxes (corporate Exchange, legacy on-premise) just respond slower. We do not guarantee P99 sub-2s because it would require us to make claims about recipient infrastructure we do not control. We do SLA the platform-side latency (API submission to MTA hand-off) at sub-200ms P99.

02

How do you handle rate limits during spikes?

Default is 50K messages per hour on Starter, 250K on Standard, 1M on Performance, custom on Enterprise. Burst capacity beyond these limits is available with 24 hours notice via the customer portal or by emailing support. For predictable events (Black Friday, product launches), pre-warm requests with 7 days notice get you up to 5× the sustained rate.

03

Do you support template merging?

Yes. Save templates via POST /v2/templates with Mustache or Handlebars syntax. At send time, pass template_id and a data object for merge variables. Template rendering happens server-side in <5ms; total submission latency is unaffected.

04

Can I send only transactional, no marketing?

Yes. Many customers do exactly that — they use us as the transactional layer and route marketing through their existing tool. We do not require you to consolidate everything on us. Separate API keys with separate scopes make this clean.

05

What happens if you have an outage during a critical send?

The SLA pays out service credits (5% per 0.1% below the target). More practically: our incident commander pages affected customers within 30 minutes of detection. Performance and Enterprise customers get a war-room invitation with our engineering. We publish a written RCA within 48 hours of resolution.

06

Do the Gmail and Yahoo bulk-sender rules apply to our transactional mail?

If your transactional mail shares a domain with bulk sending, yes — the thresholds count all mail from the domain, so password resets and confirmations inherit the requirement for aligned SPF, per-stream DKIM, and a published DMARC policy. Even on a transactional-only domain, authentication is now effectively required to reach Microsoft and Gmail reliably, and Microsoft rejects non-compliant mail outright rather than junking it. We authenticate transactional pools to enforcement by default and watch the per-provider signals so a rule change does not turn into silently failed logins.

07

Should we measure open rate on our OTP and reset emails?

No — open rate is the wrong metric for transactional mail, and Apple Mail Privacy Protection makes it meaningless anyway. The numbers that predict a working login are end-to-end delivery latency, per-provider acceptance, and bounce rate, all of which we report per transactional pool. If you are migrating from a marketing-oriented platform that led with opens, we map your reporting onto the signals that actually matter for messages a user is waiting on.

08

What does moving off Amazon SES actually save us?

Rarely the per-message rate, which SES wins at ten cents per thousand. The saving is operational: SES leaves IP warmup, DMARC parsing, blocklist monitoring, and reputation management to your team, charges separately for a dedicated IP and the Virtual Deliverability Manager, and gates fast human help behind Business Support pricing. Teams move when the engineering time, the add-ons, and the cost of one throttled launch add up past a managed plan that includes the warmup, monitoring, and an on-call engineer in the base price.

Ready to talk

Schedule a 45-minute architecture call with an engineer.

No salesperson, no commission, no qualification rounds. Tell us what you are trying to do, we tell you whether we are a fit, and you walk away with a recommendation either way.

Phone +43 1 205 11 80 Mon–Fri · 9–18 CET
Email [email protected] Avg response 4h business
Office Fleischmarkt 1, 1010 Wien By appointment