An Indian fintech founder reached out last year after his users stopped receiving OTPs. His sign-up flow had broken, support tickets were piling up, and he had no idea why. The culprit was simple: his OTP emails and his weekly newsletter were both being sent through the same Mailchimp account, from the same domain, using the same shared sending IPs. When his newsletter campaign generated a surge of spam complaints — entirely normal for a list that had grown quickly through a referral campaign — it dragged the entire domain's sender reputation down. Gmail started throttling and blocking everything from that domain, including the OTPs that users needed to log in. This guide on transactional vs marketing emails for Indian businesses covers exactly how to prevent that scenario, which providers work best for which use case, and what the DPDP Act 2023 requires before you send a single marketing email.
What Qualifies as Transactional Email
The distinction between transactional and marketing email is both legal and technical, and getting it wrong in either direction causes problems. A transactional email is one that is triggered by a specific action the user took — and that the user would reasonably expect to receive as a result of that action.
Clear transactional examples: OTPs and authentication codes, order confirmations, shipping notifications, password reset links, invoice receipts, appointment confirmations, account creation confirmations, and subscription renewal notices. These emails do not require opt-in consent under most frameworks because they are a functional part of the service the user signed up for.
Clear marketing examples: newsletters, product announcements, promotional offers, re-engagement campaigns, drip sequences designed to sell, and "we miss you" emails. These require explicit opt-in under India's DPDP Act 2023 and under GDPR if any of your users are in Europe.
The grey area is large. A shipping notification that also includes a cross-sell recommendation is partially marketing. A "your subscription is expiring" email that includes a discount code is partially marketing. The safe rule: if the email would not be sent without a commercial intent, treat it as marketing and apply all marketing email rules. If it exists purely because the user performed an action, it is transactional.
Why Shared Infrastructure Fails Indian Startups
Most Indian startups begin their email journey the same way: they sign up for a service like Mailchimp, Brevo (formerly Sendinblue), or Zoho Campaigns, verify their domain, and start sending everything — OTPs, order confirmations, newsletters, promotional blasts — through that single account. This works fine at low volume. The trouble starts when the list grows.
Shared sending IPs mean your sender reputation is partially a function of what other senders on those IPs are doing. More importantly, your own marketing campaigns directly damage your transactional email reputation. Gmail updated its spam enforcement policies in February 2024 to trigger automatic throttling when a sender's spam rate exceeds 0.10% (not 0.30% as previously communicated). A newsletter to 10,000 people with just 11 spam complaints triggers that threshold. If your newsletter and OTP sends use the same IP and domain, those 11 complaints affect your OTP deliverability.
Airtel's spam filters, which process a significant fraction of Indian email traffic, are even more aggressive. Indian ISPs including Jio and BSNL have historically maintained less transparent filtering policies than Google's Postmaster Tools, making it harder to diagnose deliverability drops when they occur. This opacity is an additional reason to use dedicated infrastructure — isolated problems are easier to diagnose.
Provider Comparison: SendGrid vs Amazon SES vs Postmark vs SMTP2GO
Choosing the right provider depends on your send volume, technical capacity, and budget. Here is how the four main options compare for Indian startups in 2026:
SendGrid (Twilio) is the most widely known transactional email provider globally. Its free tier allows 100 emails per day, and paid plans start at roughly ₹1,650/month (around $20) for 50,000 emails. SendGrid handles both transactional and marketing email well, but using it for both from the same account defeats the purpose of separating infrastructure. Dedicated IP addresses are available but cost extra and require a warming period. SendGrid's documentation and support are excellent, making it a solid choice for teams with limited in-house email expertise.
Amazon SES is the cost leader at $0.10 per 1,000 emails (approximately ₹8.30 per 1,000) — dramatically cheaper than every alternative at scale. Indian companies already on AWS find the billing integration convenient. The downside is that setup requires meaningful technical effort: SES starts in sandbox mode, exiting the sandbox requires a manual AWS review that can take one to two business days, dedicated IPs cost $24.95/month per IP, and debugging is harder than with Postmark or SendGrid. For a team with a DevOps engineer, SES is the obvious choice at volume above 50,000 emails per month. For a two-person startup, the setup overhead may not be worth it.
Postmark is built specifically for transactional email and is widely regarded as the deliverability leader among the four options. It does not allow marketing email at all — which is a feature, not a limitation, because it means Postmark's IP reputation is protected entirely by transactional senders. Pricing starts at $15/month for 10,000 emails (approximately ₹1,240), which is more expensive than SES but cheaper than SendGrid for equivalent transactional volume. Postmark's Activity Feed and detailed bounce categorisation make deliverability debugging faster than any competitor.
SMTP2GO is less commonly discussed in India but deserves attention because it has infrastructure in Mumbai and Singapore, which reduces latency for Indian email sends. Free tier covers 1,000 emails/month. Paid plans are competitively priced and the deliverability monitoring tools are better than SES without the complexity. For Indian startups that are not yet on AWS and are sending fewer than 100,000 emails per month, SMTP2GO is a practical alternative worth evaluating.
SPF, DKIM, and DMARC for Indian Domain Registrars
Every email deliverability conversation eventually comes back to three DNS records: SPF, DKIM, and DMARC. These records tell recipient mail servers that your emails are actually sent by you, not by a spammer spoofing your domain. Without them, even legitimate email from a clean IP will fail authentication checks and land in spam or be rejected outright.
SPF (Sender Policy Framework) is a TXT record in your DNS that lists the servers authorised to send email from your domain. A typical SPF record for a domain using Amazon SES and Google Workspace looks like: v=spf1 include:amazonses.com include:_spf.google.com ~all. The ~all is a soft fail — meaning unauthorised senders are flagged but not rejected. Use -all (hard fail) once you are confident you have listed all legitimate senders.
For GoDaddy India and BigRock — the two most common domain registrars among Indian SMBs — adding DNS records requires navigating to the DNS Management section under your domain settings. GoDaddy India's interface changed in late 2024 and TXT records are now added under "DNS" rather than "Zone File Editor." BigRock's control panel uses cPanel, where DNS records are managed under "Zone Editor." Both support all necessary record types, but propagation can take up to 48 hours and should be tested with MXToolbox after adding.
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your emails that verifies they were not altered in transit. Every major sending provider generates DKIM keys for you and asks you to add a CNAME or TXT record to your DNS. The key length matters: use 2048-bit DKIM keys, not 1024-bit, which is now considered insufficiently secure by Gmail and is likely to affect deliverability.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells recipient servers what to do when an email fails SPF or DKIM checks. A starting DMARC policy of p=none with a reporting email specified lets you collect data on authentication failures without rejecting any email. After reviewing the reports for two to four weeks, move to p=quarantine, and eventually to p=reject once you are confident all legitimate senders are properly authenticated. Google's requirement that bulk senders have DMARC in place (announced in 2023 and enforced through 2024) means this is no longer optional for Indian businesses sending more than 5,000 emails per day to Gmail addresses.
OTP Deliverability Issues Specific to Indian Startups
OTP emails have a unique deliverability challenge that goes beyond domain reputation. They are inherently time-sensitive — a 10-minute OTP expiry means a 5-minute delivery delay renders the entire authentication flow broken. Several specific patterns cause OTP delivery failures for Indian startups:
Gmail's promotions tab misclassification: Gmail's algorithm sometimes misclassifies OTP emails as promotional if the email template includes too much branding, images, or HTML formatting. OTP emails should be plain-text or near-plain-text with minimal HTML. No images, no promotional language, no unsubscribe links (which are a legal requirement for marketing emails but actually hurt transactional deliverability if included unnecessarily).
Volume spikes during product launches: When an Indian app launches and gets featured on Product Hunt or a tech newsletter, sign-up volume spikes dramatically. If your OTP sending infrastructure is not warmed up for that volume, sudden spikes trigger spam filters. Pre-warm dedicated IPs by gradually increasing send volume over two to three weeks before a planned launch.
Airtel blocking patterns: Airtel's mail filters (affecting airtel.in email addresses) are notably aggressive toward new senders and domains registered within the last 12 months. If your domain is new and you need to send to Airtel email addresses, establishing a sending history first using non-critical emails (such as newsletter sign-up confirmations) before relying on that path for OTPs is a reasonable precaution.
WhatsApp OTP as a Backup Channel
Given the deliverability complexity of email OTPs in India, many Indian startups now treat WhatsApp OTP as a primary or fallback channel. WhatsApp Business API allows sending OTPs through approved template messages, which bypass the email spam filtering problem entirely. Delivery rates for WhatsApp OTPs in India are consistently above 98% because WhatsApp messages use mobile data or WiFi rather than depending on email infrastructure.
The business case for WhatsApp OTPs is strong for apps where users' primary contact is a mobile number rather than an email address — which is the majority of Indian consumer apps. The setup requires a WhatsApp Business API account (through Meta directly or through a BSP like Gupshup, Kaleyra, or Interakt, all of which have India-specific pricing). Template messages for OTPs are approved by Meta within one to two business days and delivery is near-instant.
The limitation is cost: WhatsApp authentication messages are priced per conversation, currently at approximately ₹0.40–0.55 per authentication conversation in India. For an app with high sign-up volume and significant re-authentication events (password resets, device changes), this adds up. A hybrid approach — WhatsApp OTP for mobile-first users, email OTP for users who registered with a verified corporate email — optimises both reliability and cost.
DPDP Act 2023 Compliance for Marketing Emails
The Digital Personal Data Protection Act 2023 is India's first comprehensive data protection law and it changes the compliance requirements for email marketing in ways that many Indian businesses have not yet addressed. The Act was passed in August 2023, with rules and enforcement mechanisms being progressively implemented through 2025 and 2026.
For marketing email specifically, the Act requires three things that most Indian email marketers are currently not doing correctly:
Explicit, granular consent: The user must specifically consent to receive marketing email — a generic "I agree to the terms and conditions" checkbox that buries email marketing consent inside a terms document does not qualify. The consent must be for a specific purpose, clearly stated, and separate from other consents.
Consent records: You must maintain a record of when consent was given, through which interface, and what the user was shown at the point of consent. If you use a third-party email platform, it should provide consent timestamp logging. Mailchimp, Brevo, and ActiveCampaign all support this. Check that your specific account configuration is capturing it.
Easy withdrawal: Every marketing email must include a mechanism for the user to withdraw consent — the standard unsubscribe link qualifies, but it must actually work and process within a reasonable timeframe. Continuing to send after an unsubscribe request, even due to a technical delay, is a compliance gap. Process unsubscribes within 24 hours.
DPDP enforcement is handled by the Data Protection Board of India, which was formally constituted in 2025. Penalties for violations can reach ₹250 crore for significant breaches. Even before enforcement actions begin, the deliverability benefit of sending only to engaged, consented users is itself sufficient reason to implement proper consent management.
The Recommended Two-Infrastructure Setup
Based on the above, here is the infrastructure setup that balances deliverability, cost, and compliance for a typical Indian startup sending a mix of transactional and marketing email:
Transactional email: Use Postmark or Amazon SES (with a dedicated IP if sending more than 50,000 transactional emails per month). Send from a subdomain — mail.yourdomain.com or noreply.yourdomain.com. Configure SPF, DKIM (2048-bit), and DMARC separately for this subdomain. Use plain-text templates for OTPs. Never send marketing email through this account.
Marketing email: Use SendGrid, Brevo, or Mailchimp with a separate subdomain — news.yourdomain.com or marketing.yourdomain.com. Configure separate SPF, DKIM, and DMARC for this subdomain. Maintain proper consent records. Process unsubscribes within 24 hours. Monitor your spam complaint rate weekly using Google Postmaster Tools (free) and act immediately when it exceeds 0.08%.
This two-subdomain approach means that a marketing campaign that generates spam complaints cannot damage your OTP delivery infrastructure, and vice versa. The total additional cost for most startups is minimal — the Postmark plan for low-volume transactional sends costs $15/month and the separation of infrastructure is worth multiples of that in avoided customer support costs from broken authentication flows.
Frequently Asked Questions
Why are my OTP emails going to spam for Gmail users in India?
OTP emails land in spam most often because they share sending infrastructure with your marketing campaigns. Gmail's spam filters evaluate the sender reputation of the entire IP and domain. If your newsletter campaigns generate even a 0.3% spam complaint rate — which is below industry average but above Gmail's tolerance threshold since February 2024 — that reputation damage bleeds into your transactional sends. The fix is to separate your OTP sends onto a dedicated subdomain (like mail.yourdomain.com) using a transactional-first provider such as Postmark or Amazon SES with a dedicated IP, completely isolated from your marketing email infrastructure.
What does DPDP Act 2023 require for marketing emails sent to Indian users?
The Digital Personal Data Protection Act 2023 requires that you collect explicit, informed consent before sending marketing emails to Indian users. Pre-ticked consent boxes, implied consent from account creation, or consent buried in terms and conditions does not satisfy the Act. You must maintain a record of when and how consent was obtained. Users must be able to withdraw consent easily — a one-click unsubscribe mechanism is required. If you send to business email addresses, you still need to identify a lawful basis for processing. DPDP enforcement is still maturing in 2026, but the consent requirements are already clear and ignoring them creates both legal and deliverability risk.
Is Amazon SES reliable enough for transactional email in India?
Amazon SES is highly reliable and is used by major Indian startups for transactional email. Its primary advantage is cost — at $0.10 per 1,000 emails, it is the cheapest option at scale. The drawback is setup complexity: getting out of the SES sandbox requires a manual review, configuring dedicated IPs costs an additional $24.95 per month per IP, and debugging deliverability issues requires more technical knowledge than with Postmark or SendGrid. For Indian startups handling more than 50,000 transactional emails per month, SES with a dedicated IP is the most cost-effective choice. Below that volume, Postmark's easier setup and superior deliverability monitoring tools justify the higher per-email cost.