Considered Postmark?
Here is where it stops scaling.

The Postmark product is genuinely good at one thing: getting a single transactional message to a single recipient inbox as fast as possible. Independent measurements in 2025 consistently put median delivery time around 10 seconds — fast enough that a user staring at a "check your email" screen for a verification code sees the message arrive within their attention window. SendGrid's median on equivalent traffic is closer to 30 seconds. Amazon SES varies widely. Mailgun sits in the middle. For password-reset and 2FA traffic where each second of delay produces measurable abandonment, Postmark's speed is a real product advantage and not marketing noise.

The speed comes from a deliberate architectural decision that also defines the product's limits. Postmark operates two completely separated infrastructures internally: one for transactional message streams, one for broadcast streams (added in 2024 after years of explicitly refusing to handle bulk traffic). The separation prevents a marketing campaign from contaminating the IP reputation that the transactional service depends on. It also means Postmark cannot serve as a single ESP for senders whose volume is meaningfully split between transactional and marketing — which is most senders past the seed stage.

Pricing in 2026 is plan-based with three production tiers. Basic at $15 per month includes 10,000 emails and charges $1.80 per 1,000 emails over that allowance. Pro at $16.50 per month includes the same 10,000 base but reduces overage to $1.30 per 1,000. Platform at $18 per month maintains the 10,000 base and drops overage to $1.20 per 1,000. There is no annual discount. Postmark has indicated interest in annual plans for years; none have appeared. The free Developer tier provides 100 emails per month with no overage capability — sending stops at the limit. Dedicated IPs cost $50 per month additional and require a minimum send volume of 300,000 emails per month on the Pro or Platform tier.

The economics matter because Postmark's promotional pricing is misleading at the volume tiers where most production SaaS operates. A startup billing the Basic plan at $15 per month and sending 50,000 transactional emails actually pays $15 + (40 × $1.80) = $87 per month, not $15. The same workload on the Pro plan costs $16.50 + (40 × $1.30) = $68.50 — Pro is cheaper than Basic above approximately 13,000 messages per month. At 100K messages the comparison is Basic at $177, Pro at $133.50, Platform at $126. Above 300K monthly messages, Postmark customers typically pay $400-$600 per month before dedicated IP add-on, comparable in absolute terms to mid-tier managed PowerMTA but without the data-residency or transport-control properties that mid-tier managed PowerMTA delivers.

The ownership change in 2022 is consequential and underdiscussed in public Postmark reviews. ActiveCampaign — a Chicago-headquartered marketing automation company with strong US data-residency posture — now owns the Postmark product. ActiveCampaign serves over 180,000 paying customers globally and operates infrastructure under standard US corporate jurisdiction. For EU-based customers concerned about Schrems II, FISA §702, the US CLOUD Act, or the data-processor selection requirements of GDPR Article 28, the Postmark service is a US-domiciled service operated by a US-domiciled processor on US-based infrastructure. The Schrems II analysis is straightforward: data-in-transit and data-at-rest both transit US jurisdiction, and the standard contractual clauses Postmark offers do not change the underlying access regime. The EU Court of Justice's August 2025 reaffirmation of the Schrems II framework, in Latombe v European Commission, treated the EU-US Data Privacy Framework as adequate for routine transfers while explicitly preserving the case-by-case assessment requirement for sensitive data — which means the transactional payloads most senders care about (account credentials, financial confirmations, healthcare receipts, legal notifications) require the case-by-case analysis Postmark cannot satisfy from US infrastructure.

Profile one: US-domiciled SaaS with sub-100K monthly transactional volume, no marketing email pipeline, and no EU-customer data residency requirements. A Delaware-incorporated B2B SaaS at $1M-$10M ARR sending password resets, invoice receipts and admin notifications to a US customer base. Volume around 30K-80K per month. Postmark's $35-$80 per month at this volume is operationally cheaper than provisioning a dedicated managed-MTA relationship. The deliverability margin on critical transactional traffic justifies the cost premium versus Amazon SES at equivalent volume. There is no second use case that would force a second ESP. This is Postmark's natural home and any pitch from us into this profile would underperform.

Profile two: Pre-revenue or early-revenue startups that need transactional reliability without engineering investment. A founding team of three people, half of one of them part-time on operations, building a SaaS that needs verification emails to land within 10 seconds because the conversion funnel depends on it. The Basic plan at $15 covers the first 10K. Setup time is roughly 2 hours from signup to first delivered message. The infrastructure overhead of a managed-MTA relationship — even a well-priced one — is not justified at this stage. We typically recommend Postmark or Resend at this size, with the expectation that the stack will be re-evaluated when volume crosses 100K monthly.

Profile three: Engineering teams that need the free DMARC reporting tool. Postmark publishes a free aggregate DMARC report processor at dmarc.postmarkapp.com that is genuinely better than several paid alternatives. Senders using this tool while sending mail through a different ESP is a legitimate configuration that we encourage. The reporting tool does not require a Postmark sending account.

Outside these three profiles, the Postmark fit becomes thinner. EU data-residency requirements eliminate it. Volume above 300K monthly eliminates it on cost grounds. Senders with meaningful marketing traffic alongside transactional need a separate vendor for marketing, and the operational overhead of running two vendors typically exceeds the deliverability premium that Postmark provides on its transactional half. The transactional-only architectural choice that produces Postmark's deliverability is the same choice that makes it the wrong vendor for the majority of post-seed senders.

EU data residency as a procurement requirement. A German fintech subject to BaFin oversight, a French healthcare provider operating under HDS (Hébergeur de Données de Santé) certification requirements, or a Swiss bank operating under FINMA Circular 2018/3 outsourcing rules — none of these can use Postmark for production transactional email regardless of how good its deliverability is. The transactional payload contains personal data within the meaning of GDPR Article 4(1), which means the controller-processor relationship requires a processor that can demonstrate adequate transfer safeguards under GDPR Articles 44-49. Postmark's standard data processing addendum offers Standard Contractual Clauses (the 2021 Commission revision). The SCCs remain legally available but face increasing scrutiny in EU regulator guidance — the European Data Protection Board's Recommendations 01/2020 on supplementary measures, reaffirmed in the EDPB's October 2024 guidelines on the EU-US Data Privacy Framework, require controllers to perform a Transfer Impact Assessment that examines actual access by US authorities under FISA §702 and Executive Order 12333. For transactional payloads containing financial data, health records or authentication credentials, that assessment is difficult to clear with any US-domiciled processor. EU-sovereign infrastructure removes the question entirely.

Mixed transactional and marketing traffic. A B2B SaaS at $5M-$50M ARR typically sends 30%-50% transactional and 50%-70% marketing. The Postmark architecture forces this into two vendors: Postmark for transactional, plus a separate ESP (Mailchimp, Klaviyo, ActiveCampaign itself) for marketing. The operational overhead of running two vendors is real. Two suppression-list reconciliations. Two DMARC alignment workflows. Two billing relationships. Two contracts to renegotiate annually. Two security questionnaires to complete. Our SMTP Relay handles both streams on the same infrastructure with the same authentication and the same operational interface, with proper internal traffic separation that maintains the reputation hygiene Postmark's two-vendor architecture provides. The deliverability gap on the transactional half is real — we will not claim parity with Postmark's median 10-second delivery — but the operational simplification is real too, and most CFOs price the two-vendor overhead at a level that exceeds the deliverability premium.

Volume above 100K monthly with overage exposure. A SaaS billing 500K transactional emails per month on Postmark's Platform plan pays $18 base plus 490 × $1.20 = $606 monthly. Add a dedicated IP at $50 and the bill reaches $656. Our managed SMTP Relay at equivalent volume on dedicated IP is €499 monthly with no per-message overage, no separate IP fee, and EU data residency. The crossover varies with specific volume profiles, but in nearly every cost model above 250K monthly transactional emails, our flat-rate pricing wins on a 12-month TCO basis. Postmark's per-1K overage was designed for transactional senders whose volume scales gradually; in 2026 it punishes any sender whose growth trajectory is non-linear.

Procurement processes requiring sub-processor disclosures. Enterprise procurement, particularly in regulated EU sectors, requires the controller to publish a list of sub-processors and to allow customers a 30-day objection window before adding new ones. Postmark, as a service of ActiveCampaign, has a sub-processor list that includes ActiveCampaign's own infrastructure providers, plus DNS providers, plus analytics services. The list is published. The accuracy of the list at any point in time is the controller's risk; the controller (you) is liable for ensuring it remains current. We operate with a deliberately short sub-processor list — our Ljubljana facility for Slovenia infrastructure, Datacenter Luxembourg for Luxembourg, Verne Global for Iceland — published with the relevant DPA at /legal/dpa/. The list does not change quarterly. Procurement processes that have been burned by sub-processor sprawl in the last decade tend to value this directly.

Scenario A: 15K monthly transactional, no marketing, US sender. Postmark Basic at $15 + (5K × $1.80/1K) = $24 monthly, or $288 annual. BIG BOX SMTP Relay Starter at €99 monthly = €1,188 annual. Postmark wins on absolute cost. Recommendation: stay on Postmark unless the EU-residency requirement or mixed-traffic profile applies. We will not push you to migrate.

Scenario B: 75K monthly transactional, no marketing, EU sender with Schrems II requirement. Postmark Pro at $16.50 + (65K × $1.30/1K) = $101 monthly = $1,212 annual. BIG BOX SMTP Relay Standard at €249 monthly = €2,988 annual. Postmark wins on absolute cost; BIG BOX wins on jurisdictional fit. If your DPO has signed off on the SCC-based transfer and your supervisory authority has not flagged transactional data as sensitive, Postmark remains defensible. If your sector regulator requires EU-only processing (BaFin, ACPR, FINMA, HDS health authorities, AEPD for Spanish public sector), Postmark is not an option and the €1,776 annual premium is what jurisdictional sovereignty costs.

Scenario C: 300K monthly mixed (180K transactional, 120K marketing), Schrems-II-neutral US-EU sender. Postmark Platform at $18 + (170K × $1.20/1K) for the transactional stream = $222 monthly. Marketing requires a second vendor — Mailchimp Essentials at $20K contacts × $135 monthly = $1,620 annual, plus Postmark transactional at $2,664 = $4,284 annual total. BIG BOX SMTP Relay Standard at €399 monthly handles both streams on one configuration = €4,788 annual. Costs converge; operational simplicity goes to BIG BOX. The 12% premium pays for one vendor relationship instead of two, one billing reconciliation, one DPA, one set of authentication records.

Scenario D: 2M monthly transactional, regulated sector, EU sender. Postmark high-volume tier negotiated (typical: $0.40-0.50/1K above 1M = $800-1,000 monthly base) + dedicated IP $50 + SOC 2 evidence on request = $850-1,050 monthly = $10,200-12,600 annual. BIG BOX managed SMTP Relay Enterprise at €1,299 monthly = €15,588 annual. Costs are within 25% before considering Schrems-II compliance. Once the regulated-sector EU-residency requirement is binding, Postmark exits the comparison entirely. The remaining question is the operational fit of our managed service versus running an in-house PowerMTA instance.

For US-domiciled processors handling EU personal data, parts (2) and (3) of the test produce most of the controversy. The US Foreign Intelligence Surveillance Act §702 permits compelled disclosure of non-US-person data held by US providers. Executive Order 14086, signed October 2022, created a Data Protection Review Court for EU complaints but did not modify §702 itself. The European Commission's adequacy decision on the EU-US Data Privacy Framework, issued July 2023, accepted the EO 14086 mechanism as sufficient supplementary safeguard. The EU Court of Justice in Latombe (August 2025) declined to invalidate the DPF but explicitly preserved the controller's obligation to perform a case-by-case Transfer Impact Assessment for sensitive data categories, citing Article 49 derogations as the only fallback if the case-by-case assessment fails.

Transactional email payloads regularly contain data that falls within the case-by-case category. Account verification emails contain authentication credentials. Password-reset emails contain time-limited tokens that grant account access. Healthcare appointment reminders contain medical-context information. Financial transaction confirmations contain account balances and transaction amounts. Each of these categories triggers either GDPR Article 9 (special categories) or sector-specific frameworks (PSD2 for payment data, NIS2 for operational data, HDS for health data) that elevate the assessment burden.

Postmark's standard data processing addendum, in its April 2026 form, includes the 2021 SCCs (Module 2: controller to processor), an EO 14086 reference, and a sub-processor list. It does not include — because Postmark cannot offer it — a guarantee that data will remain on EU infrastructure. The DPA's territorial-scope clause states that data processing occurs in the United States, with optional regional storage available on Enterprise plans subject to availability. The case-by-case TIA for a regulated EU sender using Postmark must address: the FISA §702 access mechanism, the EO 12333 signals-intelligence framework, the practical difficulty of US discovery requests under the Stored Communications Act, and the lack of meaningful redress for non-US data subjects beyond the EO 14086 DPRC mechanism.

Our infrastructure produces a different TIA. The processor is BIG BOX Hosting d.o.o. (Slovenian d.o.o., established 2002, Ljubljana). The infrastructure is hosted across five EU and EU-adjacent jurisdictions: Slovenia (HQ), Luxembourg, Switzerland (Lex FINMA jurisdiction), Iceland (Iceland Data Protection Act 2018, GDPR-aligned), and Sweden. None of these jurisdictions has a CLOUD Act equivalent. None has a FISA §702 equivalent. Switzerland's revised Federal Act on Data Protection (revFADP), effective September 2023, is the most stringent of the five and provides the basis for the FINMA-supervised banking sector procurement criteria that some of our financial clients require. The TIA reduces to: which of the five jurisdictions, and what supplementary contractual measures, suit the specific sector regulator the controller answers to.

This is not the only argument for choosing EU infrastructure. It is, however, the argument that is hardest to dismiss in front of a procurement officer or a sector regulator. Postmark cannot meet it without rebuilding their infrastructure in the EU, which they have not announced plans to do.

Independent measurement of transactional email deliverability is methodologically difficult because the population of receiving domains is heterogeneous, the temporal window matters (Microsoft's May 2025 SmartScreen recalibration changed all baselines), and the metric of interest — inbox versus spam folder placement — depends on receiver-side decisions the sender has no visibility into. The most cited public dataset for 2025-2026 is the EmailToolTester quarterly seedlist study, which seeds known accounts on Gmail, Outlook, Yahoo, AOL plus a few European webmail providers (GMX, ProtonMail) plus a regional mix, then measures placement.

The Q1 2026 measurement places Postmark at 98.1% inbox placement on transactional traffic, against a category median of 89.4%. Our internal measurement using a similar seedlist methodology — methodology disclosed in our trust documentation at /trust/ — places our SMTP Relay at 96.3%-96.8% on transactional traffic depending on the calendar quarter, and 94.1%-95.4% on broadcast traffic. The 1.5-2 point gap on transactional is real and reflects the architectural advantage of Postmark's transactional-only pools.

The gap narrows materially in three conditions. First, when the sender's domain authentication is correctly configured — SPF aligned, DKIM rotating annually, DMARC at p=reject — the receiver-side scoring penalises improperly-authenticated traffic more heavily than it rewards optimal infrastructure. Postmark's reputation cushion matters less for properly-authenticated senders. Second, when the sender is in a sector where receiving domains are predominantly business-grade (B2B SaaS receiving fintech, healthcare, government inboxes), receivers tend to whitelist by sender authentication rather than by IP reputation, neutralising the Postmark IP-pool advantage. Third, when volume is sufficient to justify dedicated IPs — which we provision at any tier and Postmark provisions only above 300K — the sender controls their own reputation independently of the shared pool.

The conditions where Postmark's deliverability advantage is decisive are: low-volume senders who cannot justify dedicated IPs, consumer-facing senders into Gmail/Yahoo/Outlook personal accounts where IP-pool reputation is heavily weighted, time-critical traffic where the 8-second median improvement matters for conversion. The first profile is solved by Postmark's pricing for that band. The second profile is the strongest case for Postmark. The third profile is genuine and we cannot match it.

Phase 1 (week 1): authentication preparation. We provision authentication for the destination infrastructure — DKIM keys (typically 2048-bit RSA, year-month selector), SPF record updates to include both Postmark's spf.mtasv.net and our spf.bigboxhosting.com simultaneously, DMARC alignment preserved at p=reject or p=quarantine depending on the sender's existing posture. The receiving population sees no change during this phase; both vendors remain authorized senders.

Phase 2 (weeks 2-3): parallel sending, low percentage. Application-side routing splits 10% of transactional traffic to our infrastructure while 90% continues through Postmark. The split is implemented in the application or via a smart router (we provide reference implementations for Node.js, Python, Ruby, PHP, Java). We monitor delivery confirmation, bounce categorisation, and open-rate parity across both streams. Any anomaly produces an immediate rollback to 100% Postmark and a root-cause investigation.

Phase 3 (week 4): scale-up. Parallel sending reaches 50%-70% on our infrastructure depending on the Phase 2 metrics. The Postmark account remains active. The suppression list — managed in Postmark and used to prevent re-sending to bounced or unsubscribed addresses — is mirrored to our infrastructure via Postmark's API export. We provide tooling to keep the two suppression lists synchronised during the transition.

Phase 4 (week 5): full cutover. Application traffic moves to 100% BIG BOX. Postmark remains paid for one billing cycle as a hot-standby fallback. The DMARC reporting at p=reject continues to monitor for any unauthorized senders. Aggregate reports during this period are reviewed weekly.

Phase 5 (week 6): decommissioning. Postmark's SPF authorization is removed from the sender's SPF record. The Postmark account is closed at the next billing cycle. The DKIM key Postmark provisioned is left in DNS for 30 additional days against receiver caches, then removed.

Total downtime: zero. Total team time required from the client: approximately 4-8 hours across the six weeks, primarily in the Phase 1 DNS-update window and the Phase 4 cutover. Migration fee: included in the first 12 months of service contract for new customers. We do not charge separately for the migration engineering.

Question one: do you have an EU data residency requirement, either contractual or sector-regulatory? If yes, BIG BOX. Postmark's US infrastructure cannot satisfy this requirement regardless of how its deliverability compares.

Question two: is your traffic exclusively transactional, under 100K monthly, and US-domiciled? If yes, Postmark. The pricing is favourable at this band, the deliverability is best-in-category, and the architecture matches your traffic profile. We will refer you to Postmark and not pretend to compete on this profile.

Question three: is your traffic mixed (transactional plus marketing), or volume above 300K monthly, or in a regulated sector where the sub-processor list and DPA detail matter? If yes, BIG BOX. The two-vendor overhead of Postmark plus a separate marketing ESP, or the per-1K overage compounding at scale, or the sub-processor sprawl of ActiveCampaign's broader stack, makes the BIG BOX flat-rate single-vendor model the cleaner operational fit.

Outside these three scenarios, the choice depends on detail. We are happy to model the specific numbers for your traffic profile in a 30-minute conversation. The conversation is with an engineer who has run Postmark migrations, not a salesperson. We will tell you if Postmark is the right answer for your shape, even though we operate the alternative.