Transactional vs. Marketing Email — Architecture, Providers, Legal Separation
Why this separation matters
A password reset that lands in the spam folder is a support ticket. A newsletter that lands in the spam folder is wasted budget. If both go through the same sending path, one can drag the other down — and in the worst case, the receiving provider blocks the entire domain. That is why the industry has, for years, drawn a hard line between transactional mail and marketing mail.
The split is not just a sending rule. It is simultaneously a legal boundary (GDPR, ePrivacy/UWG), an architectural decision (which provider class, which subdomain), and a question of email deliverability. This article walks through what separates the two classes, which providers belong to which bucket, what a clean setup looks like, and where the typical mistakes hide.
The two classes of mail
At first glance, both are just emails. Functionally they are two different worlds.
Transactional mail — triggered by the recipient
A transactional mail is the direct response to an action the recipient took: signup, order, password reset, booking confirmation, shipping update, 2FA code, invoice. It is 1:1, expected, time-critical, and contains no advertising. Volume per recipient: usually one to a handful — but they have to arrive immediately and reliably.
Profile:
- Trigger: user action or system event
- Target latency: seconds, at most a few minutes
- Content: purely functional — confirmation, status, code, receipt
- Legal basis: contract performance (GDPR Art. 6(1)(b))
- Expected delivery rate: > 99%
Marketing mail — initiated by the sender
Marketing mail goes out because the sender wants to say something: newsletter, offers, re-engagement campaigns, lifecycle sequences, abandoned-cart reminders, birthday coupons. It is 1:n, unsolicited in the strict sense (even when the recipient opted in), and not minute-critical. Volume: hundreds to millions per send.
Profile:
- Trigger: marketing plan, segment trigger, lifecycle step
- Target latency: hours to days is acceptable
- Content: promotional, editorial, relationship-building
- Legal basis: explicit consent (opt-in) — see below
- Expected delivery rate: 95–98% is already considered solid
The break between the two classes is not gradual. An order confirmation with “Check out our bestsellers” at the bottom is, legally and technically, a marketing mail in a transactional wrapper — and breaks the clean separation.
Why the separation is enforced technically
Reputation at receiving providers (Gmail, Outlook, Yahoo, Apple) is measured per subdomain and per IP. Providers track bounce rate, spam complaints, engagement (opens, clicks, delete-without-read), and authentication (SPF/DKIM/DMARC).
Marketing volume naturally produces higher complaint rates — even with clean lists. 0.1% spam complaints is the threshold; without active list hygiene, newsletters cross that line quickly. If newsletters and password resets go through the same subdomain, the newsletter complaint rate drags down the entire domain’s reputation — and suddenly the password reset is in spam too.
Rule of thumb
Always split transactional and marketing onto separate subdomains: mail.your-domain.com for transactional, news.your-domain.com (or marketing.) for newsletters. That isolates reputation and lets you respond surgically when something goes wrong.
Provider classes — who does what
The provider landscape splits cleanly. The classes have no official names, but the market uses them consistently.
Class 1 — Transactional-first providers
Specialized in reliable 1:1 delivery. API-centric, fast delivery, dedicated IP pools for transactional, mature webhook infrastructure (bounce, open, click) for application integration.
Typical names: Postmark, Amazon SES, Mailgun (originally), SendGrid Transactional Tier, Resend. Postmark is the gold standard for strict separation — they will suspend accounts that send marketing through their transactional servers.
Class 2 — Marketing-first providers
Built for newsletters, segmentation, templates, A/B tests, and reporting. Drag-and-drop editors, list management, double-opt-in workflows, automation flows.
Typical names: Brevo (formerly Sendinblue), Mailchimp, GetResponse, ActiveCampaign, Klaviyo (e-commerce-focused), HubSpot Marketing Hub, CleverReach (German market).
Class 3 — Hybrids
Offer both, but with separate sending streams, separate IP pools, and separate billing. SendGrid, Mailgun, Brevo, and Mailjet sit here. Upside: one contract, one dashboard. Downside: separation must be configured cleanly by you — it is not enforced.
| Provider | Class | Strength | Weakness | |---|---|---|---| | Postmark | Transactional | Delivery rate, sub-account isolation | No marketing tooling | | Amazon SES | Transactional | Very cheap, highly scalable | No UI, lots of glue code | | Resend | Transactional | Developer DX, modern | Young, smaller track record | | SendGrid | Hybrid | Wide feature set | Reputation tied to IP pool | | Brevo | Hybrid | EU hosting, GDPR-friendly | UI juggles many channels at once | | Mailchimp | Marketing | Templates, segmentation | Transactional tier (Mandrill) is an add-on | | Klaviyo | Marketing (e-commerce) | Shopify integration, lifecycle | Expensive at mid-volume | | ActiveCampaign | Marketing | Automation flows | Steeper learning curve |
The legal separation — GDPR, ePrivacy, anti-spam law
In the EU, the separation is not just best practice — it is the law. Three regimes interlock:
GDPR — legal basis for processing
Every email is a processing of personal data and needs a legal basis (Art. 6(1) GDPR).
- Transactional: usually contract performance (lit. b) — you must send the order confirmation, otherwise the contract is incomplete. No consent required.
- Marketing: in almost all cases consent (lit. a) — the recipient must actively agree to receive promotional mail.
Legitimate interest (lit. f) as a marketing basis is a narrow exception (in Germany: § 7(3) UWG — existing customer relationship, similar products, easy opt-out in every mail). In practice: clean only in B2B contexts or with existing customers — and even there it is thin ice.
ePrivacy / TTDSG — tracking and pixels
Tracking pixels, open tracking, and click tracking in mails fall under § 25 TTDSG (Germany) or the ePrivacy Directive across the EU. They require consent as soon as information is stored on or read from the end device — and a tracking pixel or rewritten click link generally does that.
Consequence: if your marketing provider has tracking enabled by default (which Mailchimp, Klaviyo, Brevo & co. do), you need explicit tracking consent in your opt-in form — or you turn tracking off.
Anti-spam law (UWG / CAN-SPAM equivalents)
§ 7 UWG in Germany prohibits unsolicited promotional mail. Sending without consent risks cease-and-desist letters with claim values of €1,500–€10,000. The burden of proof for the opt-in lies on the sender — keyword double opt-in with logfile: confirmation click, timestamp, IP address, source form. Without that record, every newsletter is legally exposed.
Soft opt-in (§ 7(3) UWG)
Existing customers may receive marketing without explicit consent under tight conditions: existing purchase, similar products only, opt-out notice in every mail, notice given at the original data collection. All four conditions must be met — otherwise the exception does not apply.
Clean architecture — what a setup looks like
A production setup for a website with login, orders, and a newsletter typically looks like this:
Domains:
mail.example.com— transactional, dedicated subdomain with its own SPF/DKIM/DMARC recordsnews.example.com— marketing, separate subdomain with its own records
Providers:
- Transactional via Postmark, SES, or Resend, called directly from the application via API
- Marketing via Brevo, Mailchimp, or Klaviyo, with list/segment management living there
Data flows:
- Application → transactional API: just recipient, template ID, variables
- Application → marketing provider via API/webhook: sync subscribers, maintain tags/segments
- Marketing provider → recipient: send happens out of the marketing provider directly
Consent:
- Newsletter signup: double opt-in with explicit tracking consent in the form
- Logfile with timestamp, IP, source form, confirmation click — keep for 3 years
Authentication:
- SPF, DKIM, DMARC for both subdomains separately
- DMARC starts at
p=nonefor monitoring, then moves top=quarantineandp=reject - BIMI for
mail.(brand logo in supporting clients) — optional, but useful for trust-relevant mail
Common mistakes
Newsletter and transactional on the same subdomain. A spam wave on the newsletter drags the password reset down with it. Fix: subdomain split from day one.
“We use our Mailchimp for confirmations too — saves a contract.” Mailchimp is not built for low-latency 1:1 mail. Multi-minute latency is normal, sub-hour spikes happen. Frustrating for order confirmations, dangerous for 2FA codes.
Tracking pixels without consent. Default-enabled open and click tracking without explicit consent in the signup form is an ePrivacy violation. Either get consent or disable tracking.
Promotional block under the order confirmation. “You might also like” under a transactional confirmation legally turns the mail into marketing — and now needs consent. Separate or remove.
No-reply addresses for transactional. noreply@example.com as the sender blocks legitimate replies (order questions, address corrections). Better: a real, monitored address.
Single opt-in for newsletters. Without a confirmation click, you have no defensible proof. Burden of proof on the sender — and without proof, you lose.
Worked example — migrating a shop setup
Starting point: Shopify shop, order confirmations sent directly from Shopify, newsletter via Mailchimp, all using example.com as the sender. Symptoms: Gmail delivery rate drops for 24–48 hours after each newsletter send, customers report order confirmations landing in spam.
Migration in three steps:
- Subdomain split. Set up
mail.example.comfor Shopify confirmations with new SPF/DKIM/DMARC records and configure it as the Shopify sender. Set upnews.example.comfor Mailchimp, register it there as Authenticated Domain. - Warmup. Both subdomains have zero reputation. First two weeks: low volume, slow ramp. Mailchimp and SES publish warmup schedules.
- Clean up tracking. Add an explicit tracking notice and double-opt-in to the signup form. Audit the existing list — anyone without a clean opt-in record goes into a re-permission campaign or gets dropped.
Result after 4 weeks: order-confirmation delivery rate at Gmail stable above 99%, newsletter open rate up from 18% to 27% (cleaner list), no more spam fallout from sends.
Conclusion
Splitting transactional and marketing is not a technical detail — it is fundamental. It protects your most important mails (login codes, order confirmations) from being dragged down by the riskier marketing stream. It is also the simplest way to map GDPR and ePrivacy cleanly — separate legal bases need separate technical paths.
If you are setting up today: two subdomains, two provider classes, two consent logics, one shared reporting view on the marketing side. Doing it from the start avoids painful migrations later — and gives you a system that keeps working at ten or a hundred times the volume.
If you already have a mixed setup: subdomain split is the cheapest lever with the biggest effect. Combined with proper SPF/DKIM/DMARC authentication, it is a two-to-four-week project — and one rarely regretted.
Entdecke mehr
Marketing
Corporate discipline that creates demand, wins customers and maintains relationships — from brand building and content through paid channels and SEO to CRM and loyalty.
LexikonGDPR-compliant email marketing — consent, double opt-in, logging
When you may send emails, what double opt-in, opt-in logging and soft opt-in mean — and what a bought list actually risks.
NewsApple Mail and Gmail overwrite the preheader with AI summaries
If you carefully craft preheaders, you no longer see them in the Apple inbox. What senders need to know and how to write AI-readable mails.