The "email pinging" system from the EIE plan, as-built in requirements: send cold email across a pool of warmed inboxes spread over separate .com domains, to the addresses the inference engine gathered — with every send cleared through a fail-closed compliance gate first. Script-heavy, ~0 LLM in the send path.
Cold outbound and your real, transactional mail must live on structurally separate infrastructure. This is the single load-bearing decision — get it wrong and one spam complaint on a cold campaign can burn the reputation of the domain your product's real email depends on.
Product mail: receipts, auth, notifications. High trust, must never be put at reputational risk.
Disposable-by-design sending domains. If one gets torched, it never touches the product's mail.
CI-enforced
Not just a rule in a doc — a build-breaking grep-guard (extending the existing
email-sender-guard.yml pattern) fails CI if any cold-campaign config references the
transactional Resend credentials or the aaas.select domain. Zero shared code paths.
Three sub-deliveries in series. Only deliverable-bucket addresses that also clear the live gate are ever handed to a mailbox.
the email-inference engine
fail-closed, per recipient
warmed inbox pool
.comWhat it takes to stand up and safely run the fleet of sending domains — the deliverability core of the pinging system.
send_log (defense in depth)-all, scoped to the sequencer's infra onlyp=none → p=quarantine after 2–4 clean weekstrack.<colddomain>.com — never the transactional oneList-Unsubscribe, DKIM-signed, honored ≤48hactivation_queue, returns 200 <200mssend_log row without a compliance_gate_id — that's a bug, not an edge caseSending domains can't ping cold on day one. Reputation is built slowly; this 4–6 week curve is why procurement must start first, before any code is gated.
Recommended default: Mailreef grows the domain/mailbox fleet programmatically; Smartlead Pro runs sequencing, warmup and native reply-webhooks once they exist. A clean separation of concerns no all-in-one product matches.
| Tool | Role | Cost / mo (2026) | Why |
|---|---|---|---|
| Smartlead Pro | Sequencer · warmup · unified inbox | $94 | Most API-complete option surveyed; reply/bounce/unsub webhooks unlock at the cheapest tier that has them at all. |
| Mailreef | Domain + mailbox provisioning API · dedicated IP | $240 + $0.001/send | Fastest programmatic domain-fleet growth; purpose-built to feed a sequencer like Smartlead. |
| EmailBison | White-label, dedicated server + IP | $599 flat | Held in reserve — wins on unit economics only past ~150–300K sends/mo. |
| Amazon SES / Workspace | Fully self-built stack | ~$0.10/1k | Avoid initially — SES's acceptable-use policy actively restricts cold outbound; suspension is a business-continuity hazard, not a technical inconvenience. |
The infrastructure is buildable today. The moment a real cold email leaves a mailbox is deliberately locked behind two independent conditions.
Stand up Mailreef, register the first .com, configure SPF/DKIM/DMARC + tracking subdomain,
connect mailboxes, start warmup. Start first — the 4–6wk warmup is the critical path and blocks nothing else.
The fail-closed gate, suppression store, country_gate, auto-pause, RFC-8058 unsub — plus the whole gather/verify pipeline — carry no send risk and are fully buildable today.
Buildable as code and dry-run-testable against a sink mailbox, but can't be verified end-to-end until SD-8 exposes a callable gate. Hard-blocked on SD-8 for anything beyond code-complete.
Flipping the scheduler to live requires (1) SD-8 fully built & verified in front of every send, and (2) an explicit operator + legal sign-off recorded — never inferred from an unblocked pipeline.