What "transactional email" means and why deliverability matters
Transactional email is any message triggered by a user action: password resets, one-time passwords (OTPs), order confirmations, receipts, shipping updates, and account alerts. Unlike marketing mail, these messages are expected, time-sensitive, and often security-critical. If an OTP lands in spam — or never arrives — a customer cannot log in, complete a checkout, or recover an account.
Deliverability is the probability that a sent message reaches the inbox rather than the spam folder or a silent block. It is not controlled by your app code; it is controlled by your sending domain's reputation and authentication. This guide walks through the concrete steps to get transactional mail consistently delivered, with examples that work for any provider and are easy to operate from a Saudi, in-Kingdom setup.
Step 1: Use a dedicated sending subdomain
Never send transactional mail from your raw root domain (example.sa) if that domain also carries staff mailboxes and marketing campaigns. Reputation is tracked per domain, and a marketing complaint should not poison your OTP delivery.
Use a dedicated subdomain such as:
mail.example.saornotify.example.safor transactional traffic- A separate subdomain (e.g.
news.example.sa) for bulk marketing
This isolates reputation so a marketing problem never blocks a password reset. Point your application's SMTP credentials at this subdomain's identity.
Step 2: Configure SPF correctly
SPF (Sender Policy Framework) is a DNS TXT record that lists which servers are allowed to send mail for your domain. Publish it on the sending subdomain.
notify.example.sa. TXT "v=spf1 include:_spf.alskyline.com -all"
Rules that matter:
- There must be exactly one SPF record per domain. Multiple
v=spf1records break SPF entirely. - Use
include:for each sending service. Replace_spf.alskyline.comwith the include value your provider gives you. - End with
-all(hard fail) once you are confident the record is complete; use~all(soft fail) only during testing. - SPF must stay under 10 DNS lookups, or it returns
permerrorand fails. Flatten or consolidate includes if you exceed this.
Step 3: Configure DKIM
DKIM (DomainKeys Identified Mail) cryptographically signs each message so receivers can verify it was not altered and genuinely came from your domain. Your provider generates a key pair and gives you a public key to publish — usually as a CNAME pointing to their key, or a TXT record.
A typical CNAME-delegated DKIM record:
s1._domainkey.notify.example.sa. CNAME s1.dkim.alskyline.com.
Use the selector (s1 above) and target exactly as your provider specifies. After publishing, send a test message and confirm the header shows dkim=pass. Rotate keys periodically and keep the selector your provider issues.
Step 4: Publish a DMARC policy and require alignment
DMARC ties SPF and DKIM to the visible From: address and tells receivers what to do on failure. Publish a TXT record at _dmarc on your organizational domain:
_dmarc.example.sa. TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.sa; adkim=s; aspf=s"
- Start at
p=noneto monitor without affecting delivery. rua=sends you daily aggregate reports (zipped XML) showing which sources pass and fail.- Read reports for two to four weeks, fix any legitimate source that fails, then tighten to
p=quarantineand eventuallyp=reject.
Alignment is the part teams miss. DMARC passes only when the domain that passes SPF or DKIM matches the From: domain. If your From: is @example.sa but you send via a provider's own domain without aligning DKIM, DMARC fails even though SPF/DKIM individually pass. Sign with your own domain's DKIM key and use a matching return-path. Use adkim=s/aspf=s for strict alignment once verified.
Step 5: Meet the 2024 Gmail and Yahoo sender rules
Since February 2024, Gmail and Yahoo enforce baseline requirements. Even below the bulk threshold, following them improves placement.
| Requirement | Detail |
|---|---|
| SPF and DKIM | Both must pass and align with From: |
| DMARC | At least p=none published on the From domain |
| Spam complaint rate | Keep below 0.3%; aim for under 0.1% |
| One-click unsubscribe | Required for bulk/marketing mail (RFC 8058 List-Unsubscribe + List-Unsubscribe-Post) |
| Valid PTR / forward-confirmed reverse DNS | Sending IP must have matching reverse DNS |
The 5,000-messages-per-day-to-Gmail threshold is when bulk-sender enforcement kicks in. Pure transactional senders are usually well below it, but authentication is required regardless. Note that one-click unsubscribe is for marketing/subscribed mail — do not add unsubscribe links to OTPs or security alerts.
Step 6: Warm up the sending domain and IP
A brand-new domain or IP has no reputation. Sending a sudden burst looks like a spam attack. Ramp volume gradually over one to two weeks — start with a few hundred messages per day to your most engaged recipients, then roughly double daily while watching bounce and complaint rates. On shared sending infrastructure, warm-up is mostly handled for you, but a new subdomain identity still benefits from a gradual start.
Step 7: Get the content and headers right
- Set a clear, consistent
From:name and a real, monitored reply-to address. - Keep a healthy text-to-image ratio; avoid all-image emails and link shorteners.
- Send from a real subdomain, not a no-reply address on a misconfigured domain.
- Include a plain-text part alongside HTML (multipart/alternative).
- Keep OTP and reset emails short, with the code or link clearly visible.
Step 8: Monitor and respond
Deliverability is ongoing, not one-time. Enroll in Google Postmaster Tools and Yahoo Sender Hub to watch your domain reputation, spam rate, and authentication results. Read your DMARC aggregate reports weekly. Set an alert if bounce or complaint rates rise, and investigate immediately — reputation recovers slowly once damaged. Remove hard-bounced addresses promptly so you do not keep hitting dead mailboxes.
In-Kingdom delivery and compliance
For Saudi and GCC businesses, where your mail and customer data are stored matters. Skyline Cloud runs business email hosting and the underlying cloud infrastructure inside the Kingdom, aligned with PDPL, NCA, and SDAIA expectations, with local Arabic support to help you configure SPF, DKIM, and DMARC correctly the first time. For deeper background on SMTP and authentication in the Saudi context, see our transactional email and SMTP hub.
Summary
Getting transactional email into the inbox comes down to a repeatable foundation: a dedicated subdomain, correct SPF, DKIM signing with your own domain, DMARC with alignment, a gradual warm-up, clean content, and continuous monitoring. Set it up once, watch the reports, and your OTPs and receipts will arrive reliably.
Ready to send transactional mail from in-Kingdom infrastructure with local support? Create your Skyline Cloud account and get your sending domain authenticated today.
Comments
0 total · 0 threads