Email infrastructure for publishers.

Email infrastructure for media organisations operates under a different set of constraints than infrastructure for any other vertical we serve. Three of those constraints come up in every intake conversation. First, source protection: editorial teams routinely correspond with sources whose identity is itself the story, and the infrastructure that carries those communications is part of the source-protection chain. Second, the volume profile is unusual: large concentrated bursts of marketing-style traffic for newsletters and editorial alerts, alongside smaller streams of correspondence whose security profile is closer to a law firm than a media company. Third, the regulatory environment combines GDPR with sector-specific press freedom statutes that vary substantially by jurisdiction.

Most email vendors do not differentiate between these constraints. They treat the publisher as a high-volume marketing customer and treat the editorial-side workloads as a smaller but otherwise identical use case. The publisher who accepts that framing typically discovers, around month four of operation, that the architecture they bought handles newsletter sends well and handles source-protected editorial correspondence in a way that creates legal exposure neither party fully thought through during procurement. This page describes how we frame the vertical differently and why our jurisdictional footprint (with Iceland and Sweden materially represented alongside the standard EU options) reflects choices that are oriented to media customer needs rather than retrofitted from a generic offering.

Tele2 Sverige + bulk retention case law. The Tele2 Sverige ruling of December 2016 (CJEU joined cases C-203/15 and C-698/15) reframed the European law on bulk data retention. The court held that EU member states could not require generalised, indiscriminate retention of traffic and location data by communications service providers, on the basis that such retention is incompatible with Articles 7 and 8 and 11 of the EU Charter of Fundamental Rights. The ruling was reaffirmed in subsequent decisions including La Quadrature du Net (2020). For media organisations, the practical consequence is that infrastructure operating under the legal regime of an EU member state that has adopted Tele2-compliant retention rules cannot be compelled to retain bulk metadata about source correspondence in the way that pre-2016 retention regimes had permitted. Sweden's own transposition of the post-Tele2 framework is among the strictest in the EU and is one of the reasons our Stockholm PoP attracts media customers whose source-protection profile is a procurement-level concern.

Iceland Modern Media Initiative. Iceland's Modern Media Initiative, adopted by the Althingi in June 2010, is a parliamentary resolution that directs the Icelandic government to position the country as a jurisdiction with the strongest legal protections for press freedom and whistle-blowing in the world. The resolution led to a series of statutory changes, including reforms to source-protection law, expanded protections against strategic-litigation-against-public-participation suits, and statutory access protections for journalists working with leaked materials. The Icelandic legal regime does not eliminate the obligation to comply with lawful requests, but it raises the bar materially compared to most other jurisdictions for what counts as a lawful request and what evidence the requesting authority must produce. Our Reykjavik PoP attracts a specific subset of media customers whose source-protection workloads benefit from this regime.

German source protection. Germany maintains some of the strongest source-protection statutes in continental Europe through the Pressefreiheit clause of the Basic Law (Grundgesetz Article 5(1)) and the Strafprozeßordnung Article 53(1) which grants journalists a right to refuse testimony about sources. The 2007 Federal Constitutional Court ruling on the Cicero magazine case (1 BvR 538/06 and 1 BvR 2045/06) extended these protections to electronic communications and the seizure of journalists' digital records. For media customers based in Germany or whose primary readership is in the German-speaking market, the legal protection extends to email infrastructure that holds source correspondence on German territory. The infrastructure provider must be prepared to assert these protections against process from non-German authorities, which our Slovenian d.o.o. corporate counterparty does through the Slovenian Ministry of Justice MLAT route.

French source protection. France's Loi du 4 janvier 2010 sur la protection du secret des sources des journalistes provides specific statutory protection for journalistic sources, with criminal penalties for breach. The protection extends to journalists' professional communications, including email correspondence with sources. The 2010 law was strengthened by the Loi du 14 novembre 2016 which extended protections to whistleblowers under specific conditions. French media customers operating cross-border editorial work routinely require their email infrastructure to be hosted in jurisdictions that honour these protections without modification, which in practice means within the EU framework with the corporate counterparty under EU law. The OVH Canada ruling of September 2025 has made this requirement materially more visible: French media customers who previously accepted any French or EU-domiciled provider now scrutinise the corporate ownership chain in the way that financial-services customers have done since Schrems II.

What does not apply: US shield laws. US shield laws do not apply to our infrastructure because we operate no US presence. Customers occasionally ask whether their journalism programme can rely on US First Amendment protections for source correspondence routed through our system; the answer is that US legal protections do not attach to data held outside US territory by a non-US corporate entity. Customers whose source-protection model is built primarily on US legal protections need a US-based provider, which is not us. This is one of the categories where we recommend customers talk to a different vendor; the recommendation is genuine and the customer's source protection is better served by a vendor whose corporate structure aligns with the legal regime they are relying on.

Newsletter delivery at scale. The newsletter operation is the largest visible workload at most media customers. A medium-sized publisher runs between two million and twenty million sends per month across editorial newsletters, daily briefings, and reader-engagement campaigns. The sending volume profile is concentrated: most publishers send the bulk of their volume in a four-to-six-hour window each weekday morning, with secondary peaks for afternoon updates and weekend digest issues. Mailbox provider tolerance for this concentrated profile depends on engagement quality. High-engagement newsletter programmes (with click-through rates above 3 percent and complaint rates below 0.05 percent) tolerate the volume concentration without throttling. Lower-engagement programmes hit Yahoo and Gmail throttling thresholds within the morning send window, with the second half of the recipient list arriving hours later than the first. The fix is reputation work and segmentation, not infrastructure scale.

Source-protected internal mail. Editorial correspondence with sources is a separate workload from the newsletter operation. The volume is low (typically thousands of messages per month rather than millions) but the security profile is materially higher. Source correspondence routinely contains information whose disclosure would be a story of its own, and the infrastructure that carries it is part of the source-protection chain. We deploy this workload on dedicated infrastructure separate from the newsletter operation, typically in our Reykjavik or Stockholm PoPs, with end-to-end TLS enforcement, retention reduced to the minimum needed for delivery troubleshooting, and access controls tighter than the standard newsletter operation. The customer's editorial team controls the mailbox routing for this stream; the customer's commercial team does not have visibility into it.

DSAR processing for newsletters. DSARs (Data Subject Access Requests) are a substantial operational burden for media customers in a way that they are not for most other verticals. A newsletter programme with two million subscribers will typically receive between fifty and two hundred DSARs per year, with seasonal spikes around major editorial coverage of privacy-related stories (the Schrems II ruling produced a measurable spike across our German publisher customers; the OVH Canada ruling produced a smaller but distinct spike across our French publisher customers). The infrastructure-side response time matters because the legal team's calendar window is fixed at 30 days under GDPR Article 12(3). Our German Media case study describes the rebuild of one customer's DSAR response system from a 14-day infrastructure response to a 90-minute response. The legal review on top of that 90-minute infrastructure response still consumed most of the 30-day window, but the migration moved the bottleneck from infrastructure to legal review where the constraint properly belongs.

Advertiser and sponsor email authentication. Media customers routinely have advertiser and sponsor email programmes that send from subdomains or whitelabel domains of the publisher. These programmes need correct DKIM signing, DMARC alignment, and BIMI/VMC display in inbox UI. The configuration is fiddly because the advertiser owns the brand and the publisher owns the technical infrastructure. We have run BIMI rollouts for three customers in this profile across 2025, with VMC certification handled by the publisher and DKIM/DMARC alignment configured against the advertiser's domain delegation. The operational pattern is that the publisher's technical team maintains the per-advertiser configuration, and we provide the underlying DKIM signing and reputation management.

Editorial / commercial separation. The single most important architectural decision for media customers is the separation of editorial sending from commercial sending. The two workloads have different reputation profiles, different compliance obligations (editorial content is rarely commercial communication under GDPR Article 6(1)(a) consent rules; commercial newsletter content typically is), and different deliverability expectations. Mixing them on the same IP pool degrades both. We typically deploy a minimum of four IPs for any media customer: two for editorial, two for commercial, warmed on independent curves and assigned per-message at the application layer. Customers who request a single shared pool to reduce cost are routinely the ones who request a re-architecture six months later.

The jurisdictional footprint we offer to media customers is materially different from what we offer to financial services. Iceland and Sweden carry weight in this vertical that they do not carry elsewhere. About 24 percent of our media-vertical revenue lands in Reykjavik and Stockholm combined, well above their share of our overall offshore-dedicated business. The reason is the press-freedom legal framework documented in section 2, which is a procurement-grade differentiator for source-sensitive workloads in a way that it is not for newsletter delivery alone.

Iceland fit. Iceland is the right jurisdiction for media customers whose source-protection workload is the procurement-driving concern. The Modern Media Initiative legal framework, combined with Iceland's geographic distance from continental European intelligence-sharing arrangements, produces a substantive legal-protection profile that is genuinely difficult to replicate elsewhere. Editorial workloads at customers in this profile typically run in Reykjavik with backup replication to Stockholm. The newsletter operation can run in the same PoP if volume permits, or in a continental-EU PoP for latency reasons with backup to Reykjavik for the editorial subset of traffic.

Sweden fit. Sweden is the right jurisdiction for media customers whose primary concern is bulk metadata retention and the legal precedent around it. The Tele2 Sverige ruling carries operational weight in Sweden in a way that it does not carry in the country whose case produced it. The Swedish transposition of the post-Tele2 framework imposes some of the strictest member-state-level retention restrictions in the EU. Customers in this profile typically deploy newsletter operations in Stockholm with editorial workloads either in Stockholm or in Reykjavik depending on the source-protection profile. Legal precedent is most useful when the jurisdiction has demonstrated willingness to apply it; the Swedish courts have done so consistently since 2016.

Slovenia fit (cost-effective). Slovenia is the right jurisdiction for cost-sensitive media customers whose source-protection profile is not the procurement-driving concern. Most newsletter-only operations fit this profile. The CCR 1258/2009 retention precedent in Slovenia predates the Tele2 framework and provides comparable protection for the workloads it covers; the Slovenian courts have been consistent in applying it. Cost differential between Ljubljana and Reykjavik or Stockholm is meaningful at scale; for customers whose monthly volume sits above twenty million sends, the cost case for Ljubljana typically wins unless the source-protection profile specifically requires Iceland or Sweden.

When we recommend a different vendor. We do not always win the deal in this vertical either. About 4 percent of our media intake calls end with us recommending a different vendor; the rate is lower than in financial services because the procurement gates are typically less rigid. The most common reason for the recommendation is a customer whose source-protection model is built primarily on US legal protections, where a US-based provider is the right operational choice. The second-most-common reason is a customer whose volume profile is below our economically-viable minimum (we run dedicated infrastructure, which is not cost-competitive with shared-IP services below roughly 500,000 sends per month). We route those customers to providers whose offering matches their volume profile. The honest framing is the same as in financial services: the long-term cost of a deal we should not have won is higher than the short-term cost of a deal we did not chase.

Pattern 1: Editorial and commercial mixed on shared infrastructure. The first pattern is the publisher whose vendor proposed a single shared-IP newsletter service for the entire organisation, regardless of the editorial-versus-commercial distinction. The cost case is straightforward: shared infrastructure is cheaper. The operational case breaks down within six months. Editorial newsletters with high engagement quality build reputation that is then degraded by commercial newsletters with lower engagement. Commercial campaigns trigger throttling that delays editorial breaking-news alerts. Subscriber complaints on commercial content damage editorial deliverability, and the editorial team has no operational lever to address it because the infrastructure is shared. We have rebuilt this configuration for two media customers in 2025; both rebuilds involved separating the workloads onto independent IP pools and re-warming both from cold over a six-week period.

Pattern 2: Vendor cannot handle DSAR coordination. The second pattern is the vendor whose DSAR response architecture cannot produce the records the customer needs in the time the customer needs them. We described this pattern in the German Media case study: the customer's previous configuration retained 18 months of full delivery logs but the operational tooling to retrieve a complete DSAR response took 14 days because the data was scattered across three storage tiers and the bounce-handler used a reversible hash that had to be manually decoded. The infrastructure-side fix took three months. The legal-side coordination took ongoing work, because DSARs in publishers routinely arrive coordinated with editorial coverage of privacy-related stories and the legal team needs the technical data fast enough to draft a response within the GDPR 30-day window. A vendor whose DSAR tooling produces results in days rather than minutes is incompatible with the operational reality of a major publisher.

Pattern 3: Source location betrayed by infrastructure metadata. The third pattern is the most subtle. Email infrastructure routinely emits metadata that can be used to infer information about the sending operation: IP block geolocation, ASN ownership, BGP path advertisements, MX-host return paths. For newsletter delivery this metadata is harmless. For source-protected editorial correspondence it can be a problem. A source's awareness that their correspondent's email infrastructure is hosted in a specific country, with a specific provider, accessible through specific MLAT processes, is itself information that some sources need to factor into their decision to communicate. The standard fix is operational: the provider's IP allocations are not branded in WHOIS in a way that betrays the customer organisation, the sending domain does not return a SPF include that publicly identifies the provider, the MTA-STS policy host and the BIMI logo do not point to provider-branded URLs. None of this is exotic, but it does require the vendor to think about the workload from a source-protection perspective rather than a marketing-attribution perspective. Most generalist vendors do not.

What we run for media customers, in concrete terms. Dedicated PowerMTA or KumoMTA clusters in Iceland or Sweden or Slovenia, depending on the source-protection profile and the cost sensitivity. Separated IP pools for editorial and commercial workloads, with independent warmup curves and per-message routing at the application layer. Source-protected editorial correspondence on a separate cluster from the newsletter operation, with end-to-end TLS enforcement, retention reduced to delivery-troubleshooting minimum, and access controls audited by the customer's editorial team rather than the commercial team. DSAR response tooling that produces records in 90 minutes for the technical layer, with the legal-review window remaining the bottleneck where it should be. WHOIS branding, ASN naming and SPF includes are configured in a way that does not gratuitously expose the publisher's identity through infrastructure metadata.

What we do not run. We do not run shield-law-style legal protection that requires US presence; customers whose legal model depends on US shield laws need a US-based provider. We do not provide editorial review of customer content; we provide infrastructure that delivers it. We do not perform privacy advisory work on the customer's behalf; the customer's general counsel is the right interface for the legal questions, with our DPO providing the technical input the counsel needs. We have supported counsel-led DSAR responses, regulatory inquiries, and source-protection legal reviews across roughly thirty media-vertical engagements since 2020, and the pattern of that support is consistent: our infrastructure makes the technical data available fast and accurately, and the customer's legal team makes the editorial and privacy judgements that only they can make.