Professional email infrastructure separates transactional from marketing streams, uses dedicated domains with proper authentication (SPF, DKIM, DMARC), implements appropriate IP strategy (shared for low volume, dedicated for 50K+/month), and monitors reputation continuously. The architecture depends on volume: under 50K/month use a managed ESP on shared IPs, 50K-500K use a managed ESP with dedicated IPs, above 500K consider self-hosted MTAs or hybrid architectures.
Email Infrastructure Architecture: The Complete Guide
What Email Infrastructure Actually Means
Email infrastructure is everything between "click send" and "message arrives in inbox." It's the plumbing. Most businesses never think about it until something breaks.
Good infrastructure makes email predictable. Bad infrastructure makes every campaign a gamble.
The Three Layers
Layer 1: Sending Infrastructure
This is your MTA (mail transfer agent) or ESP — the system that actually transmits email.
Managed ESP options:
- Transactional: Postmark, SendGrid, Mailgun, AWS SES, Resend
- Marketing: Klaviyo, ActiveCampaign, Mailchimp, Brevo
- Cold outreach: Instantly, Smartlead, Lemlist
Self-hosted MTA options:
- Mailcow: Docker-based, full-featured, includes web UI
- Postal: Open-source Postmark alternative, web tracking UI
- Postfix: Linux standard, maximum flexibility, most complex
- KumoMTA: High-volume, Rust-based, modern architecture
Layer 2: DNS and Authentication
Your domain's DNS records tell the world how to handle your email:
- MX records: Where to receive incoming email
- SPF: Which servers can send for your domain
- DKIM: Cryptographic signatures proving message integrity
- DMARC: Policy for handling authentication failures
- PTR: Reverse DNS matching your sending IP to your hostname
This layer is where most infrastructure fails. Missing or misconfigured DNS records silently destroy deliverability. See our complete DNS configuration guide and authentication guide for setup details.
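The silent failures described above can be caught before sending. The following is an added example, not code from this guide: an offline SPF lint that flags duplicate records, a permissive `all`, the `ptr` mechanism, and the 10-lookup limit from RFC 7208. The `ZONE` data and the ESP include hostnames are constructed placeholders standing in for live TXT lookups.

```python
import re

LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")  # each costs a DNS query

# Constructed sample data (hypothetical names), standing in for live TXT lookups.
ZONE = {
    "mail.yourdomain.com": ["v=spf1 include:spf.esp-a.example -all"],
    "marketing.yourdomain.com": ["v=spf1 include:spf.esp-b.example ~all",
                                 "v=spf1 ip4:203.0.113.10 -all"],  # duplicate SPF record
    "support.yourdomain.com": ["v=spf1 a mx ptr +all"],
    "spf.esp-a.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
}

def spf_records(zone, name):
    """Return the TXT strings at `name` that are SPF records."""
    return [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(zone, name, seen=None):
    """Count DNS-querying terms, following include:/redirect= within `zone`."""
    seen = set() if seen is None else seen
    recs = spf_records(zone, name)
    if name in seen or len(recs) != 1:
        return 0
    seen.add(name)
    total = 0
    for term in recs[0].lower().split()[1:]:
        parts = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)
        if parts[0] in LOOKUP_TERMS:
            total += 1
        if parts[0] in ("include", "redirect") and len(parts) == 2:
            total += count_lookups(zone, parts[1], seen)
    return total

def lint_spf(zone, name):
    """Return a list of findings for the SPF policy published at `name`."""
    recs = spf_records(zone, name)
    if not recs:
        return ["no SPF record"]
    if len(recs) > 1:
        return ["multiple SPF records (receivers return permerror)"]
    terms = recs[0].lower().split()[1:]
    findings = []
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls and not any(t.startswith("redirect=") for t in terms):
        findings.append("no terminal 'all' mechanism")
    if alls and alls[-1] in ("all", "+all", "?all"):
        findings.append("'%s' does not restrict senders" % alls[-1])
    if any(re.match(r"[+\-~?]?ptr([:/]|$)", t) for t in terms):
        findings.append("ptr mechanism should not be used (RFC 7208)")
    lookups = count_lookups(zone, name)
    if lookups > 10:
        findings.append("%d DNS lookups exceeds the limit of 10" % lookups)
    return findings
```

Replacing `ZONE` with the results of real TXT queries for each sending domain turns this into a pre-send check; includes that are absent from the supplied data are counted but not followed.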
Layer 3: Reputation and Monitoring
Ongoing infrastructure health:
- Domain reputation: Tracked by Gmail (Postmaster Tools), Outlook (SNDS)
- IP reputation: Clean or dirty, affects all email from that IP
- Blacklist status: Checked by receiving servers in real-time
- Bounce handling: Removing invalid addresses before they damage reputation
- Complaint handling: Processing spam reports, maintaining unsubscribe compliance
Architecture Patterns by Volume
Under 10K emails/month
Your App/Platform → Managed ESP (shared IPs) → Recipients
SendGrid Free / Brevo Free / Resend Free
- Shared IPs are pre-warmed
- No dedicated IP needed (not enough volume to warm one)
- One domain, basic SPF/DKIM/DMARC
- Monitor with Google Postmaster Tools
10K-50K emails/month
Marketing Platform → Marketing ESP (shared IPs) → Recipients
Klaviyo / Mailchimp / ActiveCampaign
Your App → Transactional ESP (shared IPs) → Recipients
Postmark / SendGrid / Resend
- Separate transactional from marketing — use different services
- Shared IPs still appropriate
- Subdomain strategy: mail.domain.com for transactional
- Authentication on both domains/subdomains
50K-500K emails/month
Marketing → Marketing ESP (dedicated IP) → Recipients
Klaviyo / ActiveCampaign + dedicated IP
Transactional → Transactional ESP → Recipients
Postmark (dedicated infrastructure) / SendGrid Pro
Cold Outreach → Separate domains + sequencer → Recipients
Instantly / Smartlead (never from primary domain)
- Dedicated IPs for marketing (requires warmup)
- Postmark for transactional (inherently separated)
- Cold email on completely separate domains — never risk primary domain
- Full monitoring stack: Postmaster Tools + SNDS + blacklist monitoring
500K+ emails/month
Marketing → Self-hosted MTA or ESP (multiple dedicated IPs) → Recipients
Mailcow / KumoMTA / SendGrid Enterprise
Transactional → Dedicated transactional service → Recipients
Postmark / AWS SES
Cold Outreach → Isolated infrastructure → Recipients
Separate domains, separate IPs, separate everything
- Self-hosted MTA saves $2,000-4,000+/year at this volume
- Multiple IP pools for different content types
- IP rotation for high-volume marketing
- Dedicated ops/monitoring for each stream
Stream Separation: The Most Important Decision
The single most impactful architecture decision: separate your email streams.
| Stream | Purpose | Risk Profile | Infrastructure |
|---|---|---|---|
| Transactional | Password resets, receipts, alerts | Must deliver, low risk | Dedicated service (Postmark) |
| Marketing | Campaigns, newsletters, promotions | Variable engagement, higher risk | ESP with dedicated IP |
| Lifecycle | Welcome sequences, re-engagement | Medium risk | Can share with marketing or separate |
| Cold outreach | Prospecting, sales emails | Highest risk | Completely separate domains + IPs |
Why separation matters: If your marketing campaign triggers spam complaints, those complaints affect the IP reputation. If your transactional email shares that IP, your password reset emails start going to spam. Your users can't log in. Your product is "broken."
Postmark exists specifically because of this problem — they refuse marketing email so their transactional infrastructure stays clean.
Domain Strategy
Single Domain (Simple)
yourdomain.com → All email
Acceptable for low volume. All reputation concentrated on one domain — risky at scale.
Subdomain Strategy (Recommended)
yourdomain.com → Employee email (Google Workspace)
marketing.yourdomain.com → Marketing campaigns
mail.yourdomain.com → Transactional email
support.yourdomain.com → Helpdesk / support
Isolates reputation by stream. If marketing reputation drops, transactional isn't affected.
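A caveat with per-stream subdomains is that a subdomain without its own `_dmarc` record inherits the parent's `sp=` tag (or `p=` when `sp=` is absent), so a strict parent policy does not guarantee strict subdomains. The following added example, not code from this guide, resolves the effective DMARC policy for each stream; the TXT values are constructed, and the organizational domain is passed in explicitly instead of being derived from the Public Suffix List.

```python
# Constructed TXT data (hypothetical values), standing in for live _dmarc lookups.
DMARC_TXT = {
    "_dmarc.yourdomain.com": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@yourdomain.com",
    "_dmarc.mail.yourdomain.com": "v=DMARC1; p=quarantine; pct=50",
}
STREAMS = ["yourdomain.com", "mail.yourdomain.com",
           "marketing.yourdomain.com", "support.yourdomain.com"]

def parse_dmarc(txt):
    """Parse 'tag=value; ...' into a dict; return None if it is not a DMARC record."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    return tags if tags.get("v") == "DMARC1" else None

def effective_policy(from_domain, org_domain, txt=DMARC_TXT):
    """Return (policy, source_record, pct) a receiver applies to mail from from_domain."""
    own = parse_dmarc(txt.get("_dmarc." + from_domain, ""))
    if own:
        # Simplification: a record without p= is treated as p=none.
        return own.get("p", "none").lower(), "_dmarc." + from_domain, int(own.get("pct", 100))
    org = None
    if from_domain != org_domain:
        org = parse_dmarc(txt.get("_dmarc." + org_domain, ""))
    if org:
        # Subdomains falling back to the parent record use sp= when present, else p=.
        policy = org.get("sp", org.get("p", "none")).lower()
        return policy, "_dmarc." + org_domain, int(org.get("pct", 100))
    return None, None, None  # no record found: receivers apply no DMARC policy

def audit(streams, org_domain, txt=DMARC_TXT):
    """Map each sending domain to 'ok' or a finding describing the weak spot."""
    report = {}
    for domain in streams:
        policy, source, pct = effective_policy(domain, org_domain, txt)
        if policy is None:
            report[domain] = "no DMARC record"
        elif policy == "none":
            report[domain] = "monitor-only (p/sp=none via %s)" % source
        elif pct < 100:
            report[domain] = "%s applied to only %d%% of mail" % (policy, pct)
        else:
            report[domain] = "ok"
    return report
```

With the constructed data, the parent domain is enforced at `p=reject` while the marketing and support subdomains resolve to monitor-only through the inherited `sp=none`.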
Separate Domain Strategy (Cold Email)
yourdomain.com → Primary brand (never cold email from this)
yourdomain-mail.com → Cold outreach domain 1
getyourdomain.com → Cold outreach domain 2
Cold email domains are disposable. Your primary brand domain is not.
Practitioner note: I've seen a SaaS company's transactional email go to spam because their marketing team sent a Black Friday blast to their entire list — including 40% unengaged contacts. The shared IP took a reputation hit that affected password resets for 3 weeks. This is completely preventable with stream separation.
Practitioner note: The cheapest production-grade architecture I recommend: Postmark for transactional ($15/month) + self-hosted Mailcow for marketing ($5/month VPS). Total: $20/month for fully separated, authenticated, monitored email infrastructure.
Practitioner note: "But our volume is too low for dedicated IPs" is not an excuse to skip stream separation. Use different ESP accounts or services for each stream, even on shared IPs. The reputation isolation still helps.
If you want your email infrastructure designed correctly from the start, schedule a consultation — I architect sending systems for businesses that can't afford to get this wrong.
v1.0 · March 2026
Frequently Asked Questions
What does email infrastructure include?
The complete sending stack: MTA (mail transfer agent) or ESP, SMTP relay configuration, DNS records (MX, SPF, DKIM, DMARC, PTR), IP addresses (shared or dedicated), domain strategy (subdomains for different streams), monitoring tools, and bounce/complaint handling systems.
Do I need dedicated IPs?
At under 50K emails/month, shared IPs are fine — you don't have enough volume to warm a dedicated IP properly. At 50K-100K/month, consider dedicated IPs. Above 100K/month, dedicated IPs give you full control over your reputation.
Should transactional and marketing email be on the same infrastructure?
No. Separate them. A bad marketing campaign (high complaints, low engagement) on shared infrastructure will delay or spam-filter your transactional email (password resets, receipts). Use different sending services, domains, or at minimum different IP pools.
What MTA options are there for self-hosting?
Postfix (most common, Linux standard), KumoMTA (high-volume, Rust-based, modern), PowerMTA (commercial, enterprise), Halon (commercial, scriptable), MailerQ (commercial, high-performance). For most self-hosted setups, packaged solutions like Mailcow (Postfix + Dovecot + UI) are easier than bare Postfix.
How do I choose between managed ESP and self-hosted?
Managed ESP (SendGrid, Mailgun) if: you want simplicity, your volume is under 200K/month, and you have budget. Self-hosted if: you want cost control at high volume, need full infrastructure ownership, or manage multiple client domains. Hybrid (self-hosted for marketing + Postmark for transactional) is often optimal.