Email Infrastructure for SaaS in DACH
Sending transactional emails in a GDPR-compliant way. Postmark, Resend, AWS SES, and self-hosted compared. SPF, DKIM, and DMARC explained.
Why email infrastructure is underestimated
Every SaaS application sends emails: registration confirmations, password resets, notifications, invoices. If these emails don't arrive, you lose customers. If they land in spam, you lose trust. And if they're not sent in a GDPR-compliant way, you risk fines.
Yet many teams treat email as an afterthought. "We'll just use Gmail" is not a plan for a SaaS product.
- 20% land in spam without proper authentication
- SPF+DKIM+DMARC: required since 2024 (Google & Yahoo requirements)
- 99.5%: delivery rate target for transactional emails
Transactional vs. marketing emails
Important distinction:
Transactional emails (this article):
- Triggered by a user action
- Password reset, order confirmation, notification
- Must arrive immediately and reliably
- No double opt-in needed (legitimate interest)
Marketing emails (different topic):
- Newsletters, promotions, campaigns
- Double opt-in mandatory in Germany
- Unsubscribe link mandatory
- Different tools (ConvertKit, Mailchimp, Brevo)
The candidates
AWS SES (Simple Email Service)
Price: $0.10 per 1,000 emails (extremely cheap)
Region: eu-central-1 (Frankfurt) available
Strengths:
- Cheapest provider at volume
- Frankfurt region for GDPR
- High delivery rates with correct configuration
- Complete API (SMTP + REST)
Weaknesses:
- Sandbox mode initially (must be unlocked)
- No dashboard for email analytics
- US company (CLOUD Act)
- Complex configuration (IAM, SES verification, SNS)
Postmark
Price: From $15/month for 10,000 emails
Server: EU option available
Strengths:
- Best delivery rates in the industry (99.8%+)
- Strict separation: transactional emails only
- Excellent dashboard (open rates, bounce tracking)
- Fastest delivery (avg. under 1 second)
Weaknesses:
- More expensive than SES
- US company
- No marketing email support (by design)
Resend
Price: Free tier (100 emails/day), then from $20/month
Server: Global
Strengths:
- Most modern developer experience
- React-based email templates (react-email)
- TypeScript SDK, excellent docs
- Free tier for startups
Weaknesses:
- Young company (since 2023)
- US company
- No dedicated EU region (yet)
Self-Hosted (Nodemailer + SMTP)
Price: Server costs only
Server: Own server
Strengths:
- Full control over data
- Maximum GDPR compliance
- No dependency on third parties
Weaknesses:
- IP reputation must be built from scratch
- Blacklist management
- SPF/DKIM/DMARC self-configured
- Bounce handling self-implemented
- Poor delivery rates initially
The comparison
| Criterion | AWS SES | Postmark | Resend | Self-Hosted |
|---|---|---|---|---|
| Price (10k emails/mo) | ~€1 | €15 | €20 | €0 (server) |
| Delivery rate | 98%+ | 99.8%+ | 98%+ | 90-99% |
| GDPR | EU region | DPA available | DPA available | Full control |
| Setup effort | Medium | Low | Low | High |
| Templates | None | MJML | React Email | Custom |
| Analytics | Minimal | Excellent | Good | None |
SPF, DKIM, DMARC: The mandatory configuration
Since February 2024, Google and Yahoo reject emails without proper authentication. This is not a recommendation, it's a requirement.
SPF (Sender Policy Framework)
Defines which servers are allowed to send emails on behalf of your domain.
DKIM (DomainKeys Identified Mail)
Cryptographically signs each email. The recipient can verify the email wasn't tampered with.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
Tells recipients what to do with emails that fail SPF/DKIM checks.
Setting up email authentication
1. Configure SPF
   - TXT record in DNS: which servers may send?
   - List all sender services (SES, Postmark, etc.)
2. Enable DKIM
   - Cryptographic signature per email
   - Generate key pair, add public key as DNS record
3. Set DMARC
   - Define policy: reject, quarantine, or none
   - Start with p=none, switch to quarantine after monitoring
4. Monitor
   - Evaluate DMARC reports, track delivery rates
   - Tools: dmarcian.com, postmarkapp.com/dmarc
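A pre-publication check for the SPF and DMARC TXT values from the steps above, as an added example that is not part of the original article. The function names and all record values are constructed for illustration (example.com is a placeholder domain); the limit of 10 DNS lookups per SPF evaluation comes from RFC 7208.

```javascript
// Added example. All record values are constructed samples for example.com.
// Terms that cost a DNS lookup; RFC 7208 allows at most 10 per SPF check.
const LOOKUP = /^[+\-~?]?(include|a|mx|ptr|exists)([:\/]|$)|^redirect=/i;

function lintSpf(txt) {
  const terms = txt.trim().split(/\s+/);
  if (terms.shift().toLowerCase() !== 'v=spf1') return ['not an SPF record'];
  const issues = [];
  const lookups = terms.filter((t) => LOOKUP.test(t)).length;
  if (lookups > 10) issues.push(`${lookups} DNS lookups (limit 10): permerror`);
  const all = terms.find((t) => /^[+\-~?]?all$/i.test(t));
  const hasRedirect = terms.some((t) => /^redirect=/i.test(t));
  if (!all && !hasRedirect) issues.push('no "all" term: unlisted senders are neutral');
  if (all && /^[+?]?all$/i.test(all)) issues.push(`"${all}" does not restrict unlisted senders`);
  return issues;
}

// Split a DMARC record into its tag=value pairs.
function parseTags(txt) {
  const tags = {};
  for (const part of txt.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) tags[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim();
  }
  return tags;
}

function lintDmarc(txt) {
  const tags = parseTags(txt);
  if (!/^v\s*=\s*DMARC1\s*(;|$)/.test(txt.trim())) return ['not a DMARC record'];
  const issues = [];
  const p = (tags.p || '').toLowerCase();
  if (!['none', 'quarantine', 'reject'].includes(p)) issues.push('missing or invalid p=');
  if (!tags.rua) issues.push('no rua=: no aggregate reports to monitor');
  if (p === 'none') issues.push('p=none is monitor-only: failing mail is still delivered');
  if (tags.pct && Number(tags.pct) < 100) issues.push(`pct=${tags.pct}: policy is sampled`);
  return issues;
}

// Constructed records: a rollout start state and a tightened state.
const samples = {
  spf: 'v=spf1 include:amazonses.com -all',
  spfWeak: 'v=spf1 include:amazonses.com a mx ?all',
  dmarcStart: 'v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com',
  dmarcEnforced: 'v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com',
};
console.log('spfWeak:', lintSpf(samples.spfWeak));
console.log('dmarcStart:', lintDmarc(samples.dmarcStart));
```

An empty result means the record passed these checks; it does not confirm that the value is actually published in DNS or that DKIM signing is active.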
GDPR requirements for email sending
Data Processing Agreement (DPA)
A DPA must be signed with every email provider. AWS, Postmark, and Resend offer standard DPAs.
Data minimization
Only send necessary data. No complete customer data in email bodies when a link to the platform suffices.
Encryption
TLS for transmission is standard. For highly sensitive emails (healthcare, finance), consider S/MIME or PGP.
Our recommendation
For most DACH SaaS
Do:
- AWS SES (Frankfurt) for sending
- Nodemailer as SMTP client in the backend
- React Email or MJML for templates
- DMARC monitoring from the start
Avoid:
- Don't use Gmail/Outlook as sender
- Don't launch without SPF/DKIM/DMARC
- Don't mix marketing and transactional emails
For startups (under 10,000 emails/month): Resend free tier to start, then evaluate.
For growing SaaS (10,000-100,000 emails/month): AWS SES Frankfurt. Cheapest option with EU region.
For maximum deliverability: Postmark. Costs more, but 99.8%+ delivery rate justifies the price when every email counts.
Conclusion
Email infrastructure isn't a glamorous topic, but it is one that determines trust and conversion. Invest an hour in SPF/DKIM/DMARC and choose a provider with an EU region. Your delivery rates and your data protection officer will thank you.