Every time your SaaS sends a password reset, order confirmation, or invoice, that email carries personal data: names, email addresses, sometimes purchase details or account information. If you're using a US-based email provider, that data crosses the Atlantic, and with it, your GDPR compliance gets complicated.
For European developers building for European users, there's a simpler path: send email from infrastructure that never leaves the EU.
The Problem with Transatlantic Email Data#
The GDPR doesn't ban sending data outside the EU, but it requires adequate safeguards when you do. After the Schrems II ruling invalidated the EU-US Privacy Shield, companies relying on US-based email providers have been in a legal gray area.
The current EU-US Data Privacy Framework attempts to fill that gap, but its future is uncertain. Legal challenges are already underway, and European Data Protection Authorities continue to scrutinize transatlantic data flows.
Here's what this means in practice for email:
- Standard Contractual Clauses (SCCs) are required for transfers to the US, adding legal overhead and ongoing compliance work
- Transfer Impact Assessments (TIAs) must evaluate whether the recipient country provides adequate protection
- Your Data Processing Agreement (DPA) must explicitly address international transfers and sub-processors
- Data subject requests (access, deletion, portability) become harder when data lives in another jurisdiction
For most SaaS teams, email infrastructure is a background concern. Until an audit or a customer due diligence questionnaire surfaces these gaps.
What EU Data Residency Actually Means#
EU data residency for email means that every component of the email pipeline processes and stores data within the European Union:
| Component | What it handles | Why residency matters |
|---|---|---|
| API server | Receives your send request with recipient data | First point of data ingestion |
| Queue / worker | Processes email jobs, renders templates | Personal data in transit |
| SMTP engine | Delivers to recipient MX servers | Outbound connection metadata |
| Bounce processor | Handles delivery failures and complaints | Contains recipient addresses |
| Logs & analytics | Tracks delivery events | Retention-relevant personal data |
| Database | Stores email records, templates, settings | Long-term personal data storage |
If any of these components (even a logging sidecar or an analytics pipeline) runs outside the EU, the entire chain breaks. True data residency requires control over every layer.
Why authentication decides whether your mail lands#
GDPR compliance is table stakes. What actually determines whether your email reaches the inbox is email authentication, and getting it right is non-negotiable in 2026.
SPF (Sender Policy Framework)#
SPF tells receiving mail servers which IP addresses are authorized to send email for your domain. Without it, your emails are more likely to land in spam.
v=spf1 include:spf.euromail.dev -all
The -all directive means "reject anything not in this list". A strict policy that builds sender reputation.
DKIM (DomainKeys Identified Mail)#
DKIM adds a cryptographic signature to every outgoing email. The receiving server verifies this signature against a public key published in your DNS. This proves the email wasn't tampered with in transit.
euromail._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIIBIjAN..."
Your email provider should sign every email automatically, no manual key management on your side.
DMARC (Domain-based Message Authentication)#
DMARC ties SPF and DKIM together and tells receivers what to do when authentication fails. It also enables aggregate reporting so you can monitor your email authentication health.
_dmarc.yourdomain.com TXT "v=DMARC1; p=reject; rua=mailto:[email protected]"
A p=reject policy is the gold standard: it tells receiving servers to drop any email that fails authentication.
Why This Matters for Deliverability#
Google and Yahoo now require SPF, DKIM, and DMARC for bulk senders. Even for transactional email, proper authentication directly impacts inbox placement. An EU-based provider with a clean IP reputation and proper authentication gives you the best foundation.
Once you're sending, don't fly blind: Google Postmaster Tools shows you exactly how Gmail rates your domain's reputation and authentication.
Sending Email with the euromail API#
Here's what sending a transactional email looks like with an EU-based provider that handles authentication automatically:
curl -X POST https://api.euromail.dev/v1/emails \
-H "X-EuroMail-Api-Key: em_live_..." \
-H "Content-Type: application/json" \
-d '{
"from": "[email protected]",
"to": "[email protected]",
"subject": "Your invoice #1042",
"html_body": "<h1>Invoice Ready</h1><p>Your invoice for March 2026 is attached.</p>",
"tags": ["invoice", "billing"]
}'
What happens behind the scenes:
- The API server in Finland receives your request
- DKIM signature is applied using your domain's private key
- The SMTP engine delivers directly to the recipient's mail server, no third-party relay
- Delivery status, bounces, and complaints are tracked and available via webhooks
- All data stays within Finland throughout the entire process
For TypeScript projects:
import { EuroMail } from "@euromail/sdk";
const euromail = new EuroMail({ apiKey: "em_live_..." });
await euromail.sendEmail({
from: "[email protected]",
to: "[email protected]",
subject: "Your invoice #1042",
html_body: "<h1>Invoice Ready</h1><p>Your invoice is attached.</p>",
tags: ["invoice", "billing"],
});
For a complete walkthrough (account, API key, domain verification, and your first delivered email), follow Send Your First Email in 5 Minutes.
Choosing an Email Provider: What to Evaluate#
When selecting a transactional email provider for a GDPR-conscious SaaS, consider these criteria:
Data residency
- Where are API servers, databases, and SMTP infrastructure located?
- Are sub-processors also within the EU?
- Is a Data Processing Agreement (DPA) included?
Email authentication
- Does the provider handle DKIM signing automatically?
- Are SPF records provided and documented?
- Is DMARC guidance part of the onboarding flow?
Delivery infrastructure
- Does the provider use its own SMTP engine or relay through a third party?
- What IP warm-up options are available?
- How are bounces and complaints handled?
GDPR tooling
- Can you export all data for a specific email address (data subject access requests)?
- Is there a right-to-erasure endpoint?
- Are audit logs available for compliance reviews?
- Can you configure data retention periods?
Transparency
- Where does the provider publish its infrastructure details?
- Is the DPA publicly available before sign-up?
- What sub-processors are listed?
If you're weighing specific providers against these criteria, we maintain detailed comparisons of euromail with Postmark, Resend, Mailgun, SendGrid, and Amazon SES, and our DPA is public before you sign up.
What EU residency is worth beyond the fines#
The fines are real: up to 4% of annual global revenue. But the day-to-day payoff of keeping email data in the EU tends to show up in sales, not audits. European B2B buyers now run vendor data-residency checks before they sign, and if your email stack already lives in the EU you clear those checks without a Schrems II analysis or a pile of Standard Contractual Clauses. The deal moves faster because there is nothing to explain away.