Michael Mines / war stories

Email from a young domain

Happened July 8, 2026

Transactional email (magic links, receipts, lifecycle nudges) from a domain registered weeks ago starts life with negative trust. Two lessons from getting those emails to actually arrive, both now enforced in the shared email layer every product uses:

1. HTML-only mail from a young domain lands in spam. The first sends were beautiful branded HTML with no plain-text part. Spam filters read that combination (new domain, HTML-only, links inside) as a phish silhouette. The fix is structural: the send helper generates a plain-text part from the HTML on every send, automatically, so no future email can ship without one. Not a guideline in a doc. A code path that cannot be skipped.

2. The magic link cannot depend on the email arriving. Passwordless sign-in that fails closed on email delivery locks paying customers out. So the sign-in flow returns a uniform response whether or not the address matches a subscriber (no enumeration), the token carries a 15-minute expiry signed into its body (a leaked or old link dies on its own), and a member whose cookies are cleared always has a path back in that starts from the sales page hero. Deliverability problems then cost seconds of annoyance, not accounts.

Supporting cast, all boring and all mandatory: SPF, DKIM, verified sending domain before the first real send, a physical mailing address in the footer of anything lifecycle-shaped, and send domains warmed before volume.

The pattern under both lessons: deliverability is not a marketing concern, it is an auth concern. If sign-in rides on email, email infrastructure is security infrastructure.