
OTP and auth emails: speed, templates, and failure modes

Authentication email is the most latency-sensitive mail you send. Users stare at the screen waiting; every extra second feels like a broken product.

Design for mobile first

Put the code or button above the fold. Use large type for numeric OTPs. Avoid image-only templates — many clients block images by default.

Subject lines that help, not hype

“Your login code for Acme” beats “Important security update!!!”. Users and filters both reward clarity.

Expiry and single use

State expiry time in the body (e.g. 10 minutes). Invalidate codes server-side after use. Rate-limit resend to prevent abuse.
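A minimal server-side sketch of these three rules, added here as an illustration and not taken from Mailmatic or any provider's code. The `OtpStore` class, the 60-second resend cooldown and the cap on wrong guesses are assumptions; the attempt cap goes one step beyond the text, since a 6-digit code is otherwise guessable within its lifetime.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 600        # seconds; the 10-minute expiry stated in the email body
RESEND_COOLDOWN = 60  # seconds between sends per account (assumed value)
MAX_ATTEMPTS = 5      # wrong guesses allowed per code (assumed value)


class OtpStore:
    """In-memory store (hypothetical); production needs a shared store with atomic updates."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # account -> [code_digest, issued_at, failed_attempts]

    @staticmethod
    def _digest(code):
        # Keeps the plaintext code out of the store and out of logs.
        return hashlib.sha256(code.encode()).digest()

    def issue(self, account):
        """Return a fresh 6-digit code, or None while the resend cooldown is active."""
        now = self._clock()
        entry = self._pending.get(account)
        if entry and now - entry[1] < RESEND_COOLDOWN:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account] = [self._digest(code), now, 0]  # replaces any older code
        return code

    def verify(self, account, submitted):
        """Return True at most once per issued code."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        digest, issued_at, failed = entry
        if self._clock() - issued_at > CODE_TTL:
            del self._pending[account]  # expired: drop it
            return False
        if failed >= MAX_ATTEMPTS:
            return False  # locked; entry stays so the resend cooldown still applies
        if hmac.compare_digest(digest, self._digest(submitted)):
            del self._pending[account]  # single use: invalidate on success
            return True
        entry[2] += 1
        return False
```

`issue()` returning `None` is the signal to show a "wait before requesting another code" message instead of sending mail.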

Retries and idempotency

Network failures between your app and the API should not double-charge or double-send. Use idempotency keys where your provider supports them, and log message ids.

Fallback channels

SMS or authenticator apps are backups when email is delayed. Never rely on a single channel for account recovery without a risk review.

Monitoring

Track time-to-inbox (send → delivered) separately from marketing campaigns. Alert when OTP delivery rate drops or deferrals spike — often the first sign of DNS or reputation trouble.

Send auth mail from a dedicated subdomain with full authentication. Mailmatic logs each OTP send so you can debug user reports with message-level detail.
