Alibaba Cloud Direct Mail Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Enterprise Services & Cloud Communication

1. Introduction

Alibaba Cloud Direct Mail is a cloud email delivery service designed for sending application-generated emails (transactional) and, where allowed and compliant, bulk/marketing emails. It provides managed sending infrastructure so teams do not need to run their own mail servers, warm up IPs manually, or build deliverability tooling from scratch.

In simple terms: Direct Mail helps you send emails reliably from your apps—password resets, sign-up verification, invoices, alerts, and notifications—while giving you controls like sender/domain verification, templates, and delivery tracking (capabilities vary by account and region; verify in official docs).

Technically, Direct Mail typically works as an outbound email platform with SMTP and/or API-based sending, with console-driven configuration for sender addresses/domains, DNS-based authentication (SPF/DKIM), and reporting for delivery events (e.g., delivered, bounced). Your application authenticates to the service using credentials (SMTP credentials or Alibaba Cloud API credentials via RAM) and submits email payloads to Direct Mail, which then handles queuing, routing, and delivery to recipients’ mail servers.

Direct Mail solves the common problems of self-hosted mail: IP reputation management, deliverability tuning, operational burden, and compliance controls (while still requiring you to follow anti-spam rules and user consent requirements).

2. What is Direct Mail?

Official purpose (service scope):
Alibaba Cloud Direct Mail is an email sending service in the Enterprise Services & Cloud Communication category. Its primary purpose is to help customers send outbound emails from applications or business systems at scale, with managed deliverability mechanisms and operational visibility.

Core capabilities (typical, verify against your region/account): – Send email via SMTP and/or API. – Configure and verify sender domains and sender addresses. – Support email templates (often required for high-volume or controlled sending). – Provide delivery tracking and statistics (e.g., sent, delivered, bounced) via console and/or APIs. – Enforce sending policies (rate limits/quotas), and help manage deliverability via authentication (SPF/DKIM; DMARC is typically customer-managed at DNS level).

Major components (conceptual model): – Direct Mail console: configuration, sender/domain management, templates, and reporting. – Domain/Sender verification: DNS records you add to prove domain ownership and authorize sending. – Sending interface: SMTP endpoint and/or API endpoint. – Credentials: – RAM (Resource Access Management) identities and AccessKeys for API access. – SMTP credentials (often distinct or derived; verify in console/docs). – Reports/logs: delivery/bounce statistics and sending history (exact retention and export features vary; verify in official docs).

Service type:
Managed cloud communication service (email delivery / outbound email gateway).

Scope (regional/global/account-scoped): – Direct Mail is generally account-scoped (tied to your Alibaba Cloud account) and may be region-scoped for sending endpoints and resource configuration. Some settings (like verified domains) may be usable across regions, while sending endpoints are usually region-specific. Verify region behavior in official docs because Alibaba Cloud services vary.

How it fits into the Alibaba Cloud ecosystem: – RAM for identity and access control. – ActionTrail for auditing API actions (where supported). – CloudMonitor for metrics/alarms (where supported or via custom metrics). – VPC/ECS/Container Service workloads for applications that generate emails. – DNS (Alibaba Cloud DNS or any DNS provider) to publish SPF/DKIM records. – KMS/Secrets Manager for protecting SMTP/API credentials (recommended).

3. Why use Direct Mail?

Business reasons

Faster time to market: avoid building/operating a mail server fleet.
Brand trust and deliverability: domain authentication and managed sending help your emails reach inboxes.
Operational continuity: reduce risk of mail server misconfiguration, blacklisting, and maintenance overhead.

Technical reasons

Standard integration options: SMTP is widely supported; API-based sending is easier to integrate with microservices and serverless patterns.
Separation of concerns: your application produces messages; Direct Mail handles delivery mechanics and retries (implementation details vary; verify).
Template-based sending: reduces formatting errors and enforces consistent content.

Operational reasons

Visibility into sending outcomes (bounces, failures), enabling on-call teams to detect incidents (e.g., DNS misconfig, credential failure, sudden bounce spikes).
Scalability: send spikes during events (launches, campaigns) without scaling mail servers.

Security/compliance reasons

Domain verification reduces spoofing risk and supports email authentication best practices.
Access control via RAM policies supports least-privilege operations.
Helps support compliance initiatives (you still must implement consent, opt-out, and content policies).

Scalability/performance reasons

Designed to handle high throughput and queued sending patterns (subject to quotas and sending limits).
Avoids direct exposure of your app’s IP reputation—Direct Mail infrastructure usually carries the sending IP reputation (details vary by plan; verify).

When teams should choose it

You need reliable outbound email for an application (transactional emails).
You need a managed platform with console reporting and DNS-based authentication.
You want to avoid running Postfix/Exim and managing IP reputation.

When teams should not choose it

You need a full marketing automation suite (journeys, audience segmentation, list management, built-in unsubscribe pages). Direct Mail focuses on sending; advanced marketing tooling may require third-party platforms.
You need inbound email processing (receiving emails, mailbox hosting). Direct Mail is not a mailbox product; consider Alibaba Cloud Enterprise Mail (different service) if you need hosted mailboxes.
You cannot meet compliance requirements (consent/opt-out) for bulk sending.

4. Where is Direct Mail used?

Industries

SaaS and software platforms (verification, onboarding, billing).
E-commerce (order confirmations, shipping updates, refunds).
Finance/fintech (statements, security alerts—subject to regulatory constraints).
Education (account notifications, course updates).
Healthcare (notifications—ensure privacy rules and content policies).
Media and gaming (account security, event announcements).

Team types

Application development teams (backend, full-stack).
Platform/DevOps teams providing shared messaging services.
SRE/operations teams owning reliability and incident response.
Security teams reviewing outbound communications and credential handling.

Workloads and architectures

Microservices that publish events to email notifications.
Monolithic apps with SMTP libraries.
Event-driven architectures using message queues (e.g., your app queues email jobs; a worker sends via Direct Mail).
Multi-tenant SaaS platforms with per-tenant sender identities (where supported).

Real-world deployment contexts

Production: high deliverability, strict authentication, monitoring and bounce management.
Dev/Test: restricted recipient lists, sandbox-like practices, non-production domains, or internal mailboxes to avoid accidental customer email.

5. Top Use Cases and Scenarios

Below are realistic scenarios where Alibaba Cloud Direct Mail is typically a good fit.

1) User sign-up email verification

Problem: You must confirm an email address before activating an account.
Why Direct Mail fits: Reliable transactional delivery + templated content.
Scenario: Your app sends a one-time verification link immediately after registration.

2) Password reset and account recovery

Problem: Password resets are time-sensitive and must be delivered quickly.
Why Direct Mail fits: Low-latency sending, controlled sender identity, delivery tracking.
Scenario: On password reset request, a backend service sends a time-limited token via email.

3) Billing receipts and invoices

Problem: Customers expect consistent, well-formatted billing emails.
Why Direct Mail fits: Templates and reliable sending; supports branded “From” domain with SPF/DKIM.
Scenario: After payment capture, the billing service emails a receipt and PDF link.

4) System alerts and incident notifications

Problem: NOC/on-call must receive alerts when chat tools or SMS fail.
Why Direct Mail fits: Provides an additional channel for notifications (with monitoring).
Scenario: A monitoring pipeline sends critical alerts to a distribution list.

5) Subscription lifecycle emails

Problem: You need to notify users about renewals, expirations, or trial ending.
Why Direct Mail fits: Scheduled sending via your app + templates.
Scenario: A daily job finds trials expiring in 3 days and sends reminders.

6) Product announcements (consent-based)

Problem: You want to send update announcements to opted-in customers.
Why Direct Mail fits: Bulk sending capabilities (subject to quotas/policies), templates.
Scenario: Marketing exports an opt-in list; a service sends an announcement email with an unsubscribe link your system hosts.

7) Multi-tenant SaaS “send as” (controlled)

Problem: Tenants want emails branded with their domains.
Why Direct Mail fits: Multiple verified sender domains/senders (if supported by your plan).
Scenario: Each tenant verifies their domain; the platform chooses sender based on tenant ID.

8) Event tickets and confirmations

Problem: Sending tickets/QR links quickly and reliably.
Why Direct Mail fits: Transactional reliability and consistent templates.
Scenario: After checkout, the ticketing system sends a confirmation with event details.

9) Security notifications

Problem: Notify users of new device login, MFA changes, or suspicious activity.
Why Direct Mail fits: Authenticated domain improves trust; helps reduce spoofed “security alert” lookalikes.
Scenario: Login anomaly triggers an email warning with guidance and support links.

10) Internal HR and operations notifications

Problem: Automated internal emails for onboarding tasks and policy acknowledgments.
Why Direct Mail fits: Simple integration and centralized sending governance.
Scenario: HRIS triggers emails to new hires with onboarding schedules.

11) Data pipeline completion notifications

Problem: Analysts need a message when ETL jobs finish or fail.
Why Direct Mail fits: Works from any job runner that can call an API/SMTP.
Scenario: A nightly batch job sends a summary email with links to reports.

12) Customer support case updates

Problem: Users expect updates when ticket status changes.
Why Direct Mail fits: Template-based, event-driven sending.
Scenario: Ticketing system sends “case updated” notifications with a secure link.

6. Core Features

Feature availability can vary by account type/region and product updates. Always confirm in the official Direct Mail documentation.

1) SMTP sending

What it does: Allows applications and tools to send email using the SMTP protocol.
Why it matters: Works with most languages, frameworks, and MTA-compatible tools.
Practical benefit: Quick integration (e.g., Python smtplib, JavaMail, Nodemailer).
Caveats: Outbound SMTP ports may be restricted in some environments; also cloud providers (including Alibaba Cloud ECS) often restrict port 25 egress. Prefer TLS ports or the API if available. Verify supported ports/endpoints in Direct Mail console/docs.

2) API-based sending (HTTP/HTTPS)

What it does: Send emails by calling Direct Mail APIs with signed requests using AccessKey credentials.
Why it matters: Easier to secure and observe in modern apps; avoids SMTP port issues.
Practical benefit: Better suited for microservices and serverless integrations.
Caveats: API action names, versions, and endpoints can change; use official SDKs and API reference for your region.

3) Sender domain and sender address management

What it does: Lets you configure “From” identities (domains and/or specific addresses).
Why it matters: Prevents spoofing, improves deliverability, and meets provider policy requirements.
Practical benefit: Central control over what your organization can send as.
Caveats: Requires DNS changes and verification steps; DNS propagation can take time.

4) Email authentication (SPF and DKIM)

What it does: Provides DNS record values you publish to authorize Direct Mail to send for your domain (SPF), and cryptographically sign messages (DKIM).
Why it matters: Major mailbox providers use authentication to filter spam and phishing.
Practical benefit: Higher inbox placement and reduced spoofing.
Caveats: Misconfigured SPF (too many lookups, missing includes) or DKIM records break authentication. DMARC alignment is your responsibility.

5) Templates (transactional and/or bulk)

What it does: Store reusable subject/body templates; some services require templates to be reviewed/approved.
Why it matters: Consistent formatting, safe content governance, easier localization.
Practical benefit: Product teams can update templates without code deploys (depending on workflow).
Caveats: Template review delays may affect launch timelines; keep a process for approvals and versioning.

6) Sending statistics and delivery reports

What it does: Provides visibility into sends, successes, bounces, and possibly complaints (exact taxonomy depends on product).
Why it matters: You can detect deliverability regressions and operational incidents.
Practical benefit: Dashboards and reports for operations and compliance.
Caveats: Reporting granularity/retention differs by plan; do not assume indefinite storage—verify retention and export options.

7) Bounce handling and suppression (typical capability)

What it does: Tracks bounced recipients and may suppress repeated sends to invalid addresses.
Why it matters: Reduces wasted sends and protects sender reputation.
Practical benefit: Lower bounce rate and fewer deliverability penalties.
Caveats: How suppression works (time window, manual overrides, API access) varies—verify in Direct Mail docs.

8) Access control via RAM

What it does: Restrict who can manage domains/senders/templates and who can send mail via API.
Why it matters: Email sending is security-sensitive; compromised credentials can become a spam incident.
Practical benefit: Least privilege, separation of duties, and safer operations.
Caveats: Ensure you scope policies correctly and rotate AccessKeys.

9) Compliance controls and anti-abuse enforcement

What it does: Enforces quotas, sending limits, and policy compliance (e.g., content restrictions).
Why it matters: Protects platform reputation and reduces abuse.
Practical benefit: More stable sending ecosystem.
Caveats: You still must manage consent, unsubscribes, and content compliance at the application level.

7. Architecture and How It Works

High-level architecture

At a high level, Direct Mail sits between your application and recipient mail servers:

Your app generates an email request (SMTP submission or API call).
Direct Mail authenticates your request (SMTP auth and/or API signature) and checks sender/domain configuration.
Direct Mail queues and delivers mail to recipient domains (e.g., Gmail, Microsoft, corporate mail servers).
Delivery events (success, bounce, etc.) are recorded for reporting.

Request/data/control flow

Control plane:
Console operations to configure:
Verified sender domains and sender addresses
DNS authentication records (SPF/DKIM)
Templates and (if applicable) approvals
Quotas/limits (view and request increases, where supported)
Data plane (sending):
SMTP submission (client → Direct Mail SMTP endpoint) or API request (client → Direct Mail API endpoint)
Direct Mail → recipient MX servers over SMTP (managed by Alibaba Cloud)

Integrations with related services

Common Alibaba Cloud integrations include: – RAM: create a dedicated RAM user/role for sending. – KMS / Secrets Manager: store SMTP/API credentials securely. – ActionTrail: audit management actions (where supported). – CloudMonitor: create operational alarms based on service metrics (where supported) or custom metrics. – ECS/ACK/Function Compute: application runtime environments that call Direct Mail.

If you need async resilience, pair Direct Mail with a queue (not part of Direct Mail itself), such as: – Message Queue for RabbitMQ, Message Queue for Kafka, or other MQ services (choose based on your architecture).
Verify the best-fit Alibaba Cloud messaging product for your region.

Dependency services

Direct Mail depends on: – Domain DNS hosting (Alibaba Cloud DNS or third-party) for SPF/DKIM records. – RAM for secure access management (recommended). – Your network egress path to Direct Mail endpoints (public internet, typically).

Security/authentication model

For console/API management: Alibaba Cloud account/RAM identities.
For sending:
SMTP AUTH credentials (username/password) and TLS (recommended), and/or
API signing with AccessKey ID/Secret (use RAM, not root account).

Networking model

Direct Mail endpoints are generally public service endpoints accessed over the internet.
Your workloads (ECS/containers/on-prem) need outbound access to the SMTP/API endpoint.
If using SMTP, ensure security group/NACL egress rules allow the required ports and TLS.

Monitoring/logging/governance considerations

Track:
send volume (per hour/day)
bounce rate and complaint signals (if available)
template usage and changes
credential usage anomalies
Governance:
separate environments (dev/stage/prod)
separate sender domains or subdomains (e.g., notify.example.com for transactional)
tag RAM users/AccessKeys and maintain a rotation schedule

Simple architecture diagram (Mermaid)

flowchart LR
  A[Application / Backend] -->|SMTP or API| DM[Alibaba Cloud Direct Mail]
  DM -->|Outbound SMTP delivery| MX[Recipient Mail Servers]
  DM --> R[Reports/Stats in Console]
  DNS[Your DNS Provider] -->|SPF/DKIM records| DM

Production-style architecture diagram (Mermaid)

flowchart TB
  subgraph VPC["VPC (Production)"]
    subgraph APP["App Tier"]
      SVC1[User Service]
      SVC2[Billing Service]
      SVC3[Notification Worker]
    end
    Q[(Queue/Topic)]
    SVC1 -->|Email event| Q
    SVC2 -->|Email event| Q
    Q --> SVC3
  end

  subgraph SEC["Security & Ops"]
    KMS[Alibaba Cloud KMS / Secrets Manager]
    RAM[RAM: Least-privilege identities]
    MON[CloudMonitor / Dashboards]
    AUD[ActionTrail (Audit)]
  end

  SVC3 -->|Fetch SMTP/API creds| KMS
  SVC3 -->|SMTP or API| DM[Alibaba Cloud Direct Mail]
  DM -->|Delivery| RCP[Recipients: Gmail/Microsoft/Corporate MX]

  RAM --> DM
  DM --> MON
  DM --> AUD
  DNS[DNS: SPF/DKIM/DMARC] --> DM

8. Prerequisites

Before you begin, confirm these items in your Alibaba Cloud account and in the official Direct Mail documentation.

Account and billing

An active Alibaba Cloud account with billing enabled.
Direct Mail service activated in the intended region (if region selection exists).

Permissions / IAM (RAM)

You should use RAM to avoid using the root account for operational tasks.
Minimum recommended setup:
One RAM administrator (for initial setup).
One RAM user/role for sending (programmatic access), with least-privilege permissions.

Because RAM action names for Direct Mail can differ by API version, use the official RAM policy examples for Direct Mail (verify in docs).

Tools

A workstation with:
Python 3.10+ (or any language you prefer)
Network access to Direct Mail SMTP/API endpoints
Optional: swaks (SMTP test tool) if available on your OS.

Domain and DNS access

A domain you control (e.g., example.com).
Ability to add DNS records:
SPF TXT record
DKIM TXT/CNAME record(s) as required
(Recommended) DMARC TXT record

Region availability

Direct Mail availability can differ by region and the Alibaba Cloud “International” vs “China” site. Confirm supported regions on the product page/docs:
https://www.alibabacloud.com/product/directmail

Quotas/limits

Expect quotas such as:
daily/monthly sending limits
rate limits (emails/second)
limits on verified domains/senders/templates
Exact limits and how to request increases vary. Verify quotas in the Direct Mail console and docs.

Prerequisite services (recommended)

KMS / Secrets Manager for credentials storage (highly recommended for production).
CloudMonitor and ActionTrail for operations and auditing.

9. Pricing / Cost

Alibaba Cloud Direct Mail pricing can vary by region, sending type, and purchase model. Do not assume a single global price list.

Pricing dimensions (common patterns; verify in official pricing)

Typical cost dimensions include: – Number of emails sent (pay-as-you-go per email or per package). – Resource packages (prepaid bundles of email volume). – Possible separate pricing for: – transactional vs bulk/marketing sends – dedicated IPs or enhanced deliverability options (if offered) – value-added reporting/retention/export features (if offered)

Free tier

Some cloud communication products offer a small free quota or trial credits; some do not. Verify Direct Mail free tier/trial availability on the official pricing page.

Cost drivers

Total volume sent per month (primary).
Peak sending bursts (may require quota increases or special plans).
Deliverability-related operational costs:
list hygiene tooling
bounce processing in your application
storing event logs (if you export to OSS/SLS)

Hidden or indirect costs

DNS management (typically low, but operationally important).
Compute costs for email worker services (ECS/containers/serverless).
Monitoring/logging costs if you export data to Log Service (SLS) or store detailed histories.
Support (enterprise support plans).

Network/data transfer implications

SMTP/API requests are small; data transfer cost is usually not a major driver.
Attachments and large HTML content increase payload size; still typically minor compared to email volume pricing.
If you send from ECS, outbound internet bandwidth may have costs depending on your network setup. In most cases, this is secondary.

How to optimize cost

Use templates and avoid unnecessary attachments.
Implement bounce handling to stop sending to invalid addresses.
Segment mail types:
transactional messages via a dedicated subdomain (improves deliverability efficiency)
marketing only to opted-in lists
Avoid repeated retries for permanent failures; backoff and suppress.
Start with a small package (if available) and scale as you validate deliverability.

Example low-cost starter estimate (no fabricated numbers)

A low-cost starter setup is usually: – 1 verified domain/subdomain – 1–3 sender addresses – a few templates – low monthly volume (hundreds to a few thousand emails)

The exact cost depends on your region and whether you use pay-as-you-go or a package. Use official pricing to estimate: – Pricing page (verify current URL): https://www.alibabacloud.com/product/directmail/pricing
– Alibaba Cloud Pricing Calculator: https://www.alibabacloud.com/pricing/calculator

Example production cost considerations

For production at scale, plan for: – higher volume tier/package – quota increase process time – optional deliverability enhancements (if offered) – monitoring and analytics pipeline costs – operational staffing time for managing bounces, abuse reports, and domain reputation

10. Step-by-Step Hands-On Tutorial

This lab walks through a practical, low-risk workflow: authenticate a domain/sender and send a test transactional email using SMTP from a small Python script.

Because Direct Mail workflows can differ by region/account, treat console labels and exact navigation as “representative.” If any menu name differs, follow the closest equivalent in your Direct Mail console and verify against official docs.

Objective

Configure Direct Mail with a verified sender (domain and/or address).
Publish SPF/DKIM DNS records for email authentication.
Send a test email via SMTP securely.
Validate delivery and view sending records.
Clean up resources.

Lab Overview

You will: 1. Activate Direct Mail and choose a sending region (if required). 2. Verify a sender domain (recommended: use a subdomain like notify.example.com). 3. Create a sender address and (if needed) a template. 4. Create or retrieve SMTP credentials and SMTP endpoint details. 5. Send a test email with Python. 6. Validate in Direct Mail reporting and your recipient mailbox. 7. Clean up.

Step 1: Activate Direct Mail and confirm region/endpoints

Log in to Alibaba Cloud console.
Search for Direct Mail and open the service.
If prompted: – Activate the service – Select a region for sending (if the product is region-scoped)

Expected outcome:
You can access the Direct Mail console and view configuration pages (domains/senders/templates) and the available sending endpoints.

Verification checklist: – You can see a page to manage sender domains and/or sender addresses. – You can find documentation in-console for SMTP endpoint/ports or API endpoints.

Step 2: Choose a sending domain strategy (best practice)

For transactional emails, it is best to send from a dedicated subdomain rather than your main corporate domain.

Example: – Corporate: example.com – Transactional sender: notify.example.com – Marketing sender (if needed and compliant): news.example.com

Why: This isolates reputation and reduces risk that marketing deliverability issues affect critical transactional mail.

Expected outcome:
You have selected a subdomain to use for this lab.

Step 3: Add and verify a sender domain in Direct Mail

In the Direct Mail console: 1. Go to Sender Domains (or similar). 2. Click Add Domain (or similar). 3. Enter your domain/subdomain (e.g., notify.example.com). 4. Direct Mail will display DNS records to add, typically including: – SPF TXT record – DKIM record (TXT or CNAME depending on implementation)

Go to your DNS provider (Alibaba Cloud DNS or external) and add the records exactly as shown.

Expected outcome:
DNS records are published and Direct Mail shows the domain as “verified” after DNS propagation.

Verification steps: – Use a DNS lookup tool to confirm records exist: – nslookup -type=txt notify.example.com – dig TXT notify.example.com – In Direct Mail console, click Verify / Check domain status (button name varies).

Common timing note:
DNS propagation can take minutes to hours depending on TTL and DNS provider.

Step 4: Publish a DMARC record (recommended)

Direct Mail typically guides SPF/DKIM, but DMARC is usually managed directly in DNS.

Add a DMARC TXT record for your domain/subdomain, for example:

Host/Name: _dmarc.notify.example.com
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s

Start with p=none to monitor without enforcing.
Move to quarantine or reject after you validate authentication and legitimate sending sources.

Expected outcome:
Your domain has a DMARC policy, improving anti-spoofing posture.

Verification: – dig TXT _dmarc.notify.example.com

Step 5: Create a sender address

In Direct Mail console: 1. Go to Sender Addresses (or similar). 2. Click Create Sender. 3. Choose the verified domain (e.g., notify.example.com). 4. Create a sender such as no-reply@notify.example.com or support@notify.example.com.

Some services require sender address verification or review; follow the prompts.

Expected outcome:
A sender address exists and is in an “available/verified/approved” state.

Step 6: Create an email template (if required by your account/plan)

In some Direct Mail configurations, you must send using pre-approved templates.

Go to Templates.
Create a template named welcome-test.
Set: – Subject: Direct Mail test - ${date} (template variables vary; verify supported syntax) – Body: a simple text or HTML content

If the console indicates “Pending approval,” wait for approval before sending.

Expected outcome:
You have a usable template (or confirmation that templates are optional for SMTP sending).

Step 7: Create SMTP credentials and find SMTP endpoint settings

Direct Mail SMTP usually requires: – SMTP username – SMTP password – SMTP endpoint hostname – Port(s) and TLS mode (STARTTLS or SMTPS)

In the Direct Mail console, locate SMTP Settings / Access Settings / Endpoints (naming varies) and record: – Endpoint hostname – Port for TLS (recommended) – Authentication method

Important:
If you are sending from Alibaba Cloud ECS, outbound port 25 is commonly restricted to prevent abuse. Prefer the TLS ports documented by Direct Mail (often 465 or 587) or use the HTTPS API. Verify which ports are supported for Direct Mail in your region.

Expected outcome:
You have the correct SMTP connection details from the official console/docs.

Step 8: Send a test email using Python (SMTP)

On your workstation (or a controlled server), create a file send_dm_smtp.py:

import os
import ssl
import smtplib
from email.message import EmailMessage

SMTP_HOST = os.environ["DM_SMTP_HOST"]
SMTP_PORT = int(os.environ.get("DM_SMTP_PORT", "465"))  # verify supported port
SMTP_USER = os.environ["DM_SMTP_USER"]
SMTP_PASS = os.environ["DM_SMTP_PASS"]

MAIL_FROM = os.environ["DM_MAIL_FROM"]  # e.g., "No Reply <no-reply@notify.example.com>"
MAIL_TO = os.environ["DM_MAIL_TO"]      # e.g., "your.name@yourcompany.com"

msg = EmailMessage()
msg["From"] = MAIL_FROM
msg["To"] = MAIL_TO
msg["Subject"] = "Alibaba Cloud Direct Mail SMTP test"
msg.set_content("Hello! This is a test email sent through Alibaba Cloud Direct Mail via SMTP.")

context = ssl.create_default_context()

# Prefer SMTPS (implicit TLS) when supported (commonly port 465).
with smtplib.SMTP_SSL(SMTP_HOST, SMTP_PORT, context=context, timeout=20) as server:
    server.login(SMTP_USER, SMTP_PASS)
    server.send_message(msg)

print("Sent.")

Export environment variables (example):

export DM_SMTP_HOST="YOUR_SMTP_ENDPOINT_FROM_CONSOLE"
export DM_SMTP_PORT="465"  # verify in docs/console
export DM_SMTP_USER="YOUR_SMTP_USERNAME"
export DM_SMTP_PASS="YOUR_SMTP_PASSWORD"
export DM_MAIL_FROM="No Reply <no-reply@notify.example.com>"
export DM_MAIL_TO="recipient@example.com"
python3 send_dm_smtp.py

Expected outcome:
The script prints Sent. and the recipient receives the email.

Step 9: Validate in the recipient mailbox and check authentication headers

In the recipient mailbox: 1. Open the message. 2. View message headers and look for authentication results: – spf=pass (or similar) – dkim=pass – dmarc=pass (if DMARC is configured and aligned)

Expected outcome:
SPF and DKIM pass. DMARC may show pass if configured correctly.

If authentication fails, see Troubleshooting below.

Step 10: Validate in Direct Mail console reporting

In the Direct Mail console, open Sending Records, Logs, or Statistics (name varies): – Confirm the message appears in sending history. – Check status: delivered/sent/bounced.

Expected outcome:
You can correlate your test send with a record in the Direct Mail console.

Validation

Use this checklist: – Domain is verified in Direct Mail. – Sender address is active/approved. – SPF/DKIM are published and pass in message headers. – Test email delivered to recipient. – Sending record exists in Direct Mail reporting.

Troubleshooting

Issue: “Authentication failed” (SMTP login)

Causes – Wrong SMTP username/password – Using AccessKey instead of SMTP password (or vice versa) – Account restrictions or SMTP not enabled

Fix – Regenerate/retrieve SMTP credentials from Direct Mail console. – Confirm you are using the correct endpoint for your region. – If using RAM users, verify required permissions if SMTP is tied to API identity (implementation varies).

Issue: Connection timeout / cannot reach SMTP endpoint

Causes – Network egress blocked (security group, corporate firewall) – Wrong hostname/port – Outbound SMTP restrictions (especially port 25)

Fix – Use the TLS port documented by Direct Mail (often 465/587—verify). – Test connectivity: bash nc -vz YOUR_SMTP_ENDPOINT 465 – If sending from ECS, check outbound rules and any provider restrictions. Consider using Direct Mail HTTPS API if SMTP ports are blocked.

Issue: Domain verification stuck “pending”

Causes – DNS record value mismatch – Record created in wrong zone (e.g., added to example.com instead of notify.example.com) – TTL/propagation delays

Fix – Copy/paste records exactly from Direct Mail console. – Confirm record names (host field) match what Direct Mail expects. – Use dig/nslookup from public DNS resolvers to confirm.

Issue: SPF fail

Causes – Missing or incorrect SPF include – Multiple SPF TXT records (should be one) – Too many DNS lookups

Fix – Use a single SPF record for the sending domain. – Ensure it includes Direct Mail’s required mechanism (as shown in console instructions). – Keep SPF under lookup limits.

Issue: DKIM fail

Causes – DKIM record published incorrectly (wrong selector) – Old DKIM key cached in recipient – Sending from a different domain than the verified one

Fix – Recheck selector and record type (TXT vs CNAME). – Wait for DNS propagation, then resend. – Ensure the “From” address domain matches the verified domain/subdomain.

Issue: Email delivered to spam

Causes – New domain with no reputation – Missing DMARC – Content triggers spam filters (URL shorteners, misleading subject lines) – High bounce rate or list quality issues

Fix – Start with transactional messages to warm reputation. – Add DMARC with monitoring and progress to enforcement when ready. – Improve content quality and add unsubscribe for marketing messages. – Stop sending to invalid addresses (bounce management).

Cleanup

To avoid leaving unnecessary resources: 1. Delete the test sender address (if not needed). 2. Delete the test template. 3. If this was a lab-only subdomain, you may remove its DNS records after you finish (only if you will not use it again). 4. Rotate/revoke SMTP credentials and AccessKeys created for the lab. 5. If you created a dedicated RAM user for testing, remove or disable it.

Expected outcome:
No unused credentials remain, and your account is not left with unnecessary sending identities.

11. Best Practices

Architecture best practices

Use a queue-based email worker for reliability:
App emits “send email” events
Worker batches/retries safely
Separate domains/subdomains by mail type:
notify.example.com for transactional
news.example.com for marketing
Design idempotency:
Ensure a retry does not send duplicate emails (store a message idempotency key).

IAM/security best practices

Use RAM users/roles with least privilege for sending.
Never embed SMTP/API credentials in code.
Store secrets in KMS/Secrets Manager and rotate regularly.
Require MFA for human console users and restrict console permissions.

Cost best practices

Suppress repeated sends to bounced addresses.
Keep templates lean; avoid heavy attachments.
Monitor volume by environment; prevent dev/test from emailing real customers.

Performance best practices

Use concurrency control in your worker:
respect Direct Mail rate limits
implement backoff
Prefer API sending if SMTP throughput limits or port restrictions are a concern.

Reliability best practices

Implement retries with exponential backoff for transient errors.
Classify failures:
transient (retry)
permanent (suppress)
Keep a dead-letter queue for messages that fail repeatedly.

Operations best practices

Build dashboards:
send volume
bounce rate
auth failures
template errors
Alarm on anomalies (sudden spike in bounces, sudden drop in sends).
Maintain a runbook for:
DNS changes
credential rotation
template approvals
quota increase requests

Governance/tagging/naming best practices

Use consistent naming:
prod-notify-domain, stage-notify-domain
tmpl-prod-password-reset-v3
Tag RAM users, keys, and any related compute resources by:
environment
owner team
application name
cost center

12. Security Considerations

Identity and access model

Use RAM to:
restrict who can add/verify domains
restrict who can create/approve templates
restrict who can send via API (if applicable)
Create separate identities for:
CI/CD deployments
email sending runtime
admin operations

Encryption

Use TLS for SMTP:
SMTPS (implicit TLS) or STARTTLS (verify supported modes)
For API, use HTTPS.
Encrypt secrets at rest in KMS/Secrets Manager.

Network exposure

Direct Mail endpoints are typically public. Reduce exposure by:
limiting which workloads can access the SMTP/API endpoints (egress controls)
restricting secrets access to only the email worker
If your environment blocks SMTP ports, prefer HTTPS API.

Secrets handling

Store SMTP/API credentials in a secret manager.
Rotate keys on a defined schedule and immediately on suspected compromise.
Do not share a single SMTP credential across many unrelated apps; isolate by application/environment.

Audit/logging

Enable and review ActionTrail for administrative changes (where supported).
Log send requests in your application with:
correlation IDs
recipient domain (avoid logging full recipient if privacy rules require minimization)
template ID/version
outcome status

Compliance considerations

Obtain consent for marketing emails and include an unsubscribe mechanism.
Follow content and anti-abuse policies.
Ensure you do not email sensitive personal data unless policy and regulations allow it, and consider encryption or secure portals instead of including sensitive data in the email body.

Common security mistakes

Using root account AccessKeys for sending.
Sending from unverified domains (spoofing risk).
Not implementing unsubscribe for marketing emails.
Logging full email content and recipients in plaintext logs.

Secure deployment recommendations

Separate transactional vs marketing domains.
Enforce DMARC with gradual rollout.
Implement recipient suppression lists and bounce processing.
Use least-privilege RAM policies and secret rotation.

13. Limitations and Gotchas

These are common real-world issues; confirm exact behavior in official Direct Mail docs and your account.

DNS verification delays can block launch timelines.
Outbound SMTP restrictions: port 25 is frequently blocked; rely on documented TLS ports or API sending.
Template approvals (if required) introduce lead time; plan versioning and approvals ahead of launches.
Quotas and rate limits may be lower for new accounts; request increases early.
Deliverability is not guaranteed: authentication helps, but content, list quality, and domain reputation matter.
Suppression behavior (bounces/complaints) may limit sends; understand how to remediate invalid addresses.
Multi-region behavior may be inconsistent (domain verification vs sending endpoints). Verify whether domains and templates are global or region-specific.
From/Reply-To constraints: some services restrict unverified “From” addresses even if the domain is verified; follow console rules.
Attachment limits: many providers limit size; keep attachments minimal or use secure download links (OSS with signed URLs, for example).
Compliance requirements: sending unsolicited bulk email can lead to account restrictions or suspension.

14. Comparison with Alternatives

Direct Mail is one option in a broader email/communication landscape.

Alternatives in Alibaba Cloud

Alibaba Cloud Enterprise Mail (hosted mailboxes): for human email accounts, not application email delivery.
Other messaging channels in Alibaba Cloud (SMS, voice, chat integrations) may exist under communication categories; choose based on user experience needs. Do not assume feature parity—verify per product.

Alternatives in other clouds / vendors

AWS Simple Email Service (SES)
Azure Communication Services – Email (availability varies by region)
Google: typically third-party or partner solutions; Google Cloud does not have a direct equivalent to SES in all regions—verify current offerings.
SendGrid / Mailgun / Postmark (third-party email providers)
Self-managed Postfix/Exim on ECS (highest control, highest ops burden)

Comparison table

Option	Best For	Strengths	Weaknesses	When to Choose
Alibaba Cloud Direct Mail	Apps on Alibaba Cloud needing outbound email	Managed sending, domain verification, templates/reports (varies)	Quotas, compliance enforcement, region/account differences	You run workloads on Alibaba Cloud and want managed outbound email
Alibaba Cloud Enterprise Mail	Human mailboxes (employees)	Mailbox features, admin controls	Not an app email API; not for bulk transactional delivery	You need corporate mailboxes, not programmatic sending
AWS SES	Global apps needing outbound email	Strong API ecosystem, event publishing options	Different cloud ecosystem; account warm-up/limits	Your stack is on AWS or you need SES-specific integrations
SendGrid/Mailgun/Postmark	Product teams wanting email + tooling	Rich deliverability tooling, list mgmt (varies), analytics	Vendor lock-in, external provider risk, cost at scale	You want advanced email tooling beyond basic sending
Self-managed Postfix/Exim	Specialized requirements, full control	Full customization, direct control over IPs	High ops burden, deliverability challenges, abuse risk	You have a mail ops team and strict custom requirements

15. Real-World Example

Enterprise example: Multi-service SaaS platform with compliance controls

Problem:
An enterprise SaaS platform must send transactional emails (MFA, password reset, invoices) reliably, with strong auditing and strict access controls. Marketing emails must be separated and sent only with explicit consent.

Proposed architecture: – Two subdomains: – notify.company.com for transactional – news.company.com for marketing (optional) – Direct Mail configured with SPF/DKIM for both domains. – A shared Notification Service: – receives events from multiple services via a queue – enforces per-template policies (e.g., only security team can modify MFA templates) – Secrets stored in KMS/Secrets Manager. – Central dashboards for volume/bounces; ActionTrail auditing for configuration changes.

Why Direct Mail was chosen: – Tight integration with Alibaba Cloud IAM (RAM) and operational environment. – Managed sending infrastructure reduces mail server operations. – Domain authentication and reporting support deliverability management.

Expected outcomes: – Lower incident rate from mail delivery issues. – Improved authentication posture (SPF/DKIM/DMARC). – Clear separation of duties and auditability for email changes.

Startup/small-team example: MVP transactional email for a mobile app

Problem:
A small team needs password reset and verification emails quickly, without running mail servers.

Proposed architecture: – One subdomain notify.startup.io – Direct Mail configured with SPF/DKIM – Application sends via SMTP (or API) directly from backend – Basic logging for send attempts; alerts on SMTP failures

Why Direct Mail was chosen: – Faster than self-hosting and easier than managing deliverability alone. – Fits within Alibaba Cloud project stack and billing.

Expected outcomes: – MVP emails working within a day (DNS propagation permitting). – A scalable path to add templates, monitoring, and bounce suppression later.

16. FAQ

1) Is Alibaba Cloud Direct Mail the same as Alibaba Cloud Enterprise Mail?
No. Direct Mail is for programmatic outbound sending from apps; Enterprise Mail is for hosted mailboxes for people.

2) Do I need my own domain to use Direct Mail?
For production-grade sending and deliverability, yes—using your own domain/subdomain with SPF/DKIM is strongly recommended and often required.

3) What’s the best practice domain setup?
Use a subdomain like notify.example.com for transactional and keep it separate from marketing domains.

4) Does Direct Mail support SMTP?
Typically yes. Confirm the SMTP endpoints/ports for your region in the Direct Mail console/docs.

5) Does Direct Mail support an HTTPS API?
Many cloud email services do. Confirm Direct Mail API availability and the current API version in official docs for your region.

6) Why is my domain verification pending for a long time?
Usually due to DNS propagation delays or incorrect record names/values. Recheck the record exactly as provided in the console.

7) Why do my emails go to spam even though SPF/DKIM pass?
Authentication is necessary but not sufficient. Content, sending patterns, domain age, and list quality affect inbox placement.

8) Can I send marketing emails with Direct Mail?
Only if you comply with laws and policies (consent, unsubscribe, accurate headers). Verify Direct Mail policy constraints and account requirements.

9) How do I implement unsubscribe?
Direct Mail may not manage lists/unsubscribes automatically. Typically you include an unsubscribe link to your app, store opt-out state, and stop sending marketing emails to opted-out users.

10) What are bounces and why should I care?
Bounces are delivery failures. High bounce rates harm reputation and can lead to sending restrictions.

11) Should I send attachments?
Minimize attachments. Prefer secure download links (for example, signed URLs). Large attachments increase delivery failures.

12) How do I secure SMTP credentials?
Store them in KMS/Secrets Manager, restrict access to only the sending workload, and rotate regularly.

13) Can I use Direct Mail from on-premises?
Usually yes if your network can reach the public SMTP/API endpoints and you can secure credentials appropriately.

14) Is Direct Mail region-specific?
Often yes for endpoints and some resources. Confirm in console/docs whether domains/templates are shared across regions.

15) How do I monitor Direct Mail in production?
Use Direct Mail reporting plus application logs, and integrate with CloudMonitor/ActionTrail where supported. Alarm on bounce spikes and send failures.

16) What if port 25 is blocked from my servers?
Use Direct Mail’s supported TLS ports (verify which) or use the HTTPS API sending method.

17) Can I “send as” multiple brands?
Yes if you can verify each sender domain and comply with brand/legal requirements. Use separate subdomains and credentials per brand/environment.

17. Top Online Resources to Learn Direct Mail

Official URLs can change. If a link redirects, use the Alibaba Cloud Help Center search for “Direct Mail”.

Resource Type	Name	Why It Is Useful
Official product page	Alibaba Cloud Direct Mail	Service overview, region availability entry point: https://www.alibabacloud.com/product/directmail
Official documentation (Help Center)	Direct Mail documentation (search)	Safest way to find current docs pages: https://www.alibabacloud.com/help/en/search?keyword=Direct%20Mail
Official pricing page	Direct Mail pricing	Current price model by region/SKU: https://www.alibabacloud.com/product/directmail/pricing
Pricing calculator	Alibaba Cloud Pricing Calculator	Estimate costs across services: https://www.alibabacloud.com/pricing/calculator
IAM/RAM documentation	RAM (Resource Access Management) docs	How to create least-privilege identities: https://www.alibabacloud.com/help/en/ram
Audit logging	ActionTrail docs	Track admin actions for governance: https://www.alibabacloud.com/help/en/actiontrail
Secrets management	KMS / Secrets Manager docs	Secure credential storage and rotation: https://www.alibabacloud.com/help/en/key-management-service
DNS guidance	Alibaba Cloud DNS docs	Publish SPF/DKIM/DMARC correctly: https://www.alibabacloud.com/help/en/alibaba-cloud-dns
Developer tooling	Alibaba Cloud OpenAPI Explorer	Explore current Direct Mail API (if exposed): https://api.alibabacloud.com/
Community learning	Alibaba Cloud blog / community search	Practical patterns and troubleshooting (validate against docs): https://www.alibabacloud.com/blog

18. Training and Certification Providers

Institute	Suitable Audience	Likely Learning Focus	Mode	Website URL
DevOpsSchool.com	DevOps engineers, SREs, platform teams, developers	Cloud operations, DevOps practices, integrations and automation	Check website	https://www.devopsschool.com/
ScmGalaxy.com	Beginners to intermediate engineers	DevOps fundamentals, SCM, CI/CD, cloud basics	Check website	https://www.scmgalaxy.com/
CLoudOpsNow.in	Cloud/ops practitioners	Cloud operations and operational readiness	Check website	https://www.cloudopsnow.in/
SreSchool.com	SREs, operations, reliability engineers	SRE practices, monitoring, incident response	Check website	https://www.sreschool.com/
AiOpsSchool.com	Ops teams exploring AIOps	Automation, monitoring, operational analytics	Check website	https://www.aiopsschool.com/

19. Top Trainers

Platform/Site	Likely Specialization	Suitable Audience	Website URL
RajeshKumar.xyz	DevOps/cloud training content (verify offerings)	Engineers seeking trainer-led guidance	https://www.rajeshkumar.xyz/
devopstrainer.in	DevOps training and mentoring (verify offerings)	Beginners to intermediate DevOps learners	https://www.devopstrainer.in/
devopsfreelancer.com	Freelance DevOps guidance (verify services)	Teams needing short-term expertise	https://www.devopsfreelancer.com/
devopssupport.in	DevOps support and training (verify services)	Teams needing operational support	https://www.devopssupport.in/

20. Top Consulting Companies

Company	Likely Service Area	Where They May Help	Consulting Use Case Examples	Website URL
cotocus.com	Cloud/DevOps consulting (verify exact portfolio)	Architecture, delivery pipelines, operations	Direct Mail integration patterns, secure credential handling, monitoring setup	https://cotocus.com/
DevOpsSchool.com	DevOps consulting and enablement (verify offerings)	DevOps transformation, automation, platform engineering	Building notification services, operational runbooks, CI/CD for templates and config	https://www.devopsschool.com/
DEVOPSCONSULTING.IN	DevOps consulting (verify offerings)	Cloud operations and reliability	Implementing least-privilege RAM, secret rotation, and observability for email sending	https://www.devopsconsulting.in/

21. Career and Learning Roadmap

What to learn before Direct Mail

Email basics: SMTP, MIME, common headers
DNS fundamentals: TXT records, propagation, TTL
Email authentication: SPF, DKIM, DMARC concepts
Alibaba Cloud fundamentals:
RAM identities and AccessKeys
basic networking/egress for ECS or containers
Secure secrets handling (KMS/Secrets Manager concepts)

What to learn after Direct Mail

Deliverability engineering:
bounce classification and suppression
domain reputation management
content best practices
Event-driven architecture:
queues, retries, dead-letter queues
Observability:
building SLOs for “email delivery success”
anomaly detection on bounce spikes
Compliance workflows:
consent management
unsubscribe and preference centers

Job roles that use it

Backend engineer (notification/email services)
DevOps / platform engineer (shared messaging platform)
SRE (reliability and monitoring)
Security engineer (credential and domain protection)
Solution architect (communication architecture)

Certification path (if available)

Alibaba Cloud certification availability changes. Check Alibaba Cloud certification pages for current tracks and whether they cover communication services. If no Direct Mail-specific certification exists, pursue: – Alibaba Cloud general architect/associate certifications (verify current names) – Security and DevOps certifications relevant to your stack

Project ideas for practice

Build an “Email Notification Service”:
REST endpoint accepts message requests
stores jobs in a queue
worker sends via Direct Mail
stores results and exposes metrics
Create a deliverability dashboard:
daily send counts
bounce rate
top failing domains
Implement a preference center:
opt-in/out
topic-based subscriptions
transactional emails always on (policy-based)

22. Glossary

Direct Mail: Alibaba Cloud service for outbound email sending for applications.
SMTP: Simple Mail Transfer Protocol; standard protocol for sending email.
SPF: Sender Policy Framework; DNS TXT record authorizing which servers/services can send mail for a domain.
DKIM: DomainKeys Identified Mail; cryptographic signing of email to prove authenticity.
DMARC: Policy layer using SPF/DKIM alignment; tells receivers how to handle unauthenticated mail and where to send reports.
Bounce: Email delivery failure. Can be transient (soft) or permanent (hard).
Suppression list: List of recipients you should not send to (bounces, complaints, opt-outs).
Template: Predefined email content used for consistent sending; may require approval.
RAM: Resource Access Management; Alibaba Cloud identity and access control.
AccessKey: Programmatic credential (ID/Secret) used to sign API requests.
TLS: Transport Layer Security; encrypts SMTP/API connections.
Deliverability: Likelihood of email reaching the inbox rather than spam or being blocked.
Idempotency: Ability to retry operations without causing duplicates.

23. Summary

Alibaba Cloud Direct Mail is an Enterprise Services & Cloud Communication service for sending outbound emails from your applications using SMTP and/or APIs (verify what’s enabled in your region/account). It matters because application email is operationally critical—verification, password resets, receipts—and self-hosting mail infrastructure is expensive and risky from a deliverability and security perspective.

Direct Mail fits best when you need managed outbound email with domain authentication (SPF/DKIM), templates, and reporting, integrated into Alibaba Cloud with RAM-based access control and operational tooling. Cost is primarily driven by email volume and any optional add-ons (pricing varies by region/SKU; use the official pricing page and calculator). Security success depends on least-privilege IAM, proper secret storage/rotation, and strong domain authentication (including DMARC).

Use Direct Mail when you want reliable transactional (and compliant bulk) email sending without running mail servers. Next step: implement a queue-based email worker, add monitoring for bounce spikes, and harden governance around templates and credentials.

Category