This policy describes how catchotp ("we") sends email from catchotp.com — not the inbound email we receive on customers' behalf, which is governed by our Acceptable Use Policy. We publish this policy because operating a high-trust email-receiving service obliges us to be a good citizen on the sending side too: AWS SES production-access reviewers, mailbox providers, and security-conscious customers all need to know our outbound posture.
1. What email we send and why
We send only two classes of email to humans:
- Transactional: one-time passcodes (OTPs), sign-up and sign-in confirmations, billing receipts and invoices, password resets, security and account-state notifications (e.g. suspension notices), and webhook-delivery failure alerts. Transactional email is sent strictly in response to a user action or to a service event affecting that user's account; we do not send transactional email to recipients who are not active customers, and we do not use transactional channels to deliver marketing content.
- Marketing — opt-in only: a low-volume newsletter covering product updates, deep-dives on email infrastructure, and occasional changelog summaries. Recipients must opt in by submitting the newsletter form on catchotp.com (or one of the embedded forms on our blog and footer). Double opt-in confirmation is planned: every new subscriber will receive a confirmation email with a magic link, and only confirmed addresses will be eligible for marketing sends. We do not buy, rent, scrape, or otherwise acquire third-party mailing lists.
We never auto-enroll customers into marketing email when they sign up. Creating a catchotp account does not subscribe you to anything beyond the transactional messages required to operate your account.
2. Bounce handling
Every outbound message is dispatched through Amazon SES with our SES v2 Configuration Set attached. The Configuration Set's event destination forwards bounce and complaint events to a dedicated suppression-handler Lambda that processes them in real time.
Hard bounces are honored immediately and permanently. When a recipient address produces a hard bounce (the recipient does not exist, the domain is invalid, the recipient explicitly rejected our mail, or the mailbox was permanently retired), the address is added to our suppression list within seconds of the SES bounce notification arriving. Hard-bounced addresses will not receive any further email from catchotp regardless of source — transactional sends, newsletter sends, and admin notifications all check the suppression list before transmission. We do not retry hard bounces.
Soft bounces (temporary failures: mailbox full, server unavailable, greylisting) are not added to the suppression list on the first occurrence; SES handles short-term retry on our behalf. A persistently soft-bouncing address (more than five consecutive soft bounces over a 14-day window) is reclassified as hard and suppressed.
3. Complaint handling
A complaint is the strongest possible signal that a recipient does not want our email: it occurs when the recipient marks one of our messages as spam in their mail client and the mailbox provider forwards a feedback-loop notification to SES.
Complaints result in a permanent suppression that overrides even transactional sends. The complaining recipient's address is added to the suppression list with the highest precedence; subsequent transactional sends (including OTPs and billing receipts) are blocked at the suppression check, and the recipient is required to contact billing@catchotp.com to re-enable email delivery. We do not silently re-engage complainants — the suppression survives indefinitely until the recipient requests its removal in writing. We treat complaint data as a first-class signal in our reputation reviews.
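The suppression rules of sections 2 and 3 (hard bounce suppresses immediately, a soft-bounce streak of more than five within 14 days escalates to hard, a complaint outranks everything and blocks transactional mail too) are the kind of logic that is easy to get subtly wrong in a handler. The following is an added illustration, not catchotp's Lambda or any code from this page: it consumes records in the shape of SES event-publishing JSON (the `eventType`, `bounce`, `complaint` and `delivery` fields are the real SES names; the sample payloads themselves are constructed). The in-memory store, the treatment of `Undetermined` bounces as soft, and the rule that a successful delivery ends a "consecutive" streak are assumptions the page does not state.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Parameters from the policy text: more than five consecutive soft bounces
# within 14 days reclassify an address as hard-bounced.
SOFT_BOUNCE_LIMIT = 5
SOFT_BOUNCE_WINDOW = timedelta(days=14)
# A complaint outranks a hard bounce, so an address with both keeps "complaint"
# (clearable only on the recipient's written request).
PRECEDENCE = {"complaint": 2, "hard_bounce": 1}


@dataclass
class SuppressionStore:
    """In-memory stand-in for the suppression list (assumption: the real store is not described)."""
    suppressed: dict = field(default_factory=dict)    # address -> reason
    soft_bounces: dict = field(default_factory=dict)  # address -> [timestamps]

    def suppress(self, address, reason):
        address = address.lower()
        current = self.suppressed.get(address)
        if current is None or PRECEDENCE[reason] > PRECEDENCE[current]:
            self.suppressed[address] = reason
        self.soft_bounces.pop(address, None)

    def may_send(self, address):
        # Transactional, newsletter and admin sends all consult this first.
        return address.lower() not in self.suppressed


def handle_ses_event(store, raw):
    """Apply one SES event-publishing record (Bounce, Complaint or Delivery)."""
    event = json.loads(raw)
    kind = event["eventType"]
    if kind == "Bounce":
        bounce = event["bounce"]
        ts = datetime.fromisoformat(bounce["timestamp"].replace("Z", "+00:00"))
        for rcpt in bounce["bouncedRecipients"]:
            addr = rcpt["emailAddress"].lower()
            if bounce["bounceType"] == "Permanent":
                store.suppress(addr, "hard_bounce")  # immediate, never retried
                continue
            # Transient (and, as an assumption, Undetermined) bounces are only
            # counted; SES does the short-term retrying. Keep the bounces inside
            # the window and escalate once the streak exceeds the limit.
            hist = [t for t in store.soft_bounces.get(addr, [])
                    if ts - t <= SOFT_BOUNCE_WINDOW]
            hist.append(ts)
            store.soft_bounces[addr] = hist
            if len(hist) > SOFT_BOUNCE_LIMIT:
                store.suppress(addr, "hard_bounce")
    elif kind == "Complaint":
        for rcpt in event["complaint"]["complainedRecipients"]:
            store.suppress(rcpt["emailAddress"], "complaint")
    elif kind == "Delivery":
        # Assumption: a successful delivery ends the "consecutive" streak.
        for addr in event["delivery"]["recipients"]:
            store.soft_bounces.pop(addr.lower(), None)


# Constructed sample payloads in the shape of SES event records; only the
# fields the handler reads are populated.
def _bounce(addr, bounce_type, ts):
    return json.dumps({"eventType": "Bounce", "bounce": {
        "bounceType": bounce_type, "bounceSubType": "General",
        "bouncedRecipients": [{"emailAddress": addr}], "timestamp": ts.isoformat()}})

def _complaint(addr, ts):
    return json.dumps({"eventType": "Complaint", "complaint": {
        "complainedRecipients": [{"emailAddress": addr}],
        "complaintFeedbackType": "abuse", "timestamp": ts.isoformat()}})

def _delivery(addr, ts):
    return json.dumps({"eventType": "Delivery",
                       "delivery": {"recipients": [addr], "timestamp": ts.isoformat()}})


def run_demo():
    store = SuppressionStore()
    day = lambda n: datetime(2024, 1, 1, tzinfo=timezone.utc) + timedelta(days=n)
    out = {}
    handle_ses_event(store, _bounce("Gone@example.com", "Permanent", day(0)))
    out["hard_after_one"] = not store.may_send("gone@example.com")
    for n in range(5):
        handle_ses_event(store, _bounce("full@example.com", "Transient", day(n)))
    out["soft_after_five"] = store.may_send("full@example.com")
    handle_ses_event(store, _bounce("full@example.com", "Transient", day(5)))
    out["soft_after_six"] = not store.may_send("full@example.com")
    for n in range(5):
        handle_ses_event(store, _bounce("flaky@example.com", "Transient", day(n)))
    handle_ses_event(store, _delivery("flaky@example.com", day(5)))
    handle_ses_event(store, _bounce("flaky@example.com", "Transient", day(6)))
    out["reset_by_delivery"] = store.may_send("flaky@example.com")
    handle_ses_event(store, _complaint("angry@example.com", day(0)))
    handle_ses_event(store, _bounce("angry@example.com", "Permanent", day(1)))
    out["complaint_wins"] = store.suppressed["angry@example.com"]
    return out
```

Two details carry the policy's guarantees: addresses are lower-cased before every lookup so a re-cased address cannot slip past the check, and `suppress` only ever raises the precedence of an existing entry, so a later hard bounce cannot downgrade a complaint into something a billing request would clear under the weaker rule.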
4. Unsubscribe
Every newsletter email contains a one-click unsubscribe link in the footer, backed by an HMAC-signed token tied to the recipient's address. Clicking the link removes the address from the marketing list within seconds; no login, confirmation, or further interaction is required.
Transactional email is not unsubscribable from the recipient side because it only fires in response to user action (e.g. requesting an OTP, completing a purchase) and is not promotional in nature. Customers who wish to stop receiving transactional email entirely should close their account, after which all future transactional triggers are disabled. Account closure is available from the customer dashboard or by emailing billing@catchotp.com.
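A one-click unsubscribe that needs no login is only safe if the link itself proves the click belongs to that address; otherwise anyone can unsubscribe anyone by guessing an address. The following added example (not catchotp's implementation, and no code from this page) shows the HMAC-signed-token pattern section 4 describes: the key constant, the `/unsubscribe` path, the `e`/`t` query parameter names and the list-id binding are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: in production the key comes from a secrets manager and is
# rotated; this constant only lets the example run offline.
UNSUBSCRIBE_KEY = b"example-key-rotate-me"
LIST_ID = "newsletter"


def _canonical(address, list_id):
    # Lower-case the address so the token survives case changes by mail clients,
    # and bind the list id so a token cannot be replayed against another list.
    return f"{list_id}\x00{address.strip().lower()}".encode("utf-8")


def make_unsubscribe_token(address, key=UNSUBSCRIBE_KEY, list_id=LIST_ID):
    """HMAC-SHA256 over (list id, address), URL-safe base64 without padding."""
    mac = hmac.new(key, _canonical(address, list_id), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")


def verify_unsubscribe_token(address, token, key=UNSUBSCRIBE_KEY, list_id=LIST_ID):
    """Constant-time comparison, so probing the endpoint leaks nothing about
    how many leading characters of a guessed token were right."""
    expected = make_unsubscribe_token(address, key, list_id)
    return hmac.compare_digest(expected.encode("utf-8"), token.encode("utf-8"))


def build_unsubscribe_link(address, base="https://catchotp.com/unsubscribe"):
    # Hypothetical endpoint; the page names no URL for the footer link.
    return f"{base}?{urlencode({'e': address, 't': make_unsubscribe_token(address)})}"


def handle_unsubscribe_click(url, marketing_list, key=UNSUBSCRIBE_KEY):
    """Server side of the one-click flow: removes the address and returns it,
    or returns None when the token does not authenticate the address in the link."""
    params = parse_qs(urlparse(url).query)
    address = params.get("e", [""])[0]
    token = params.get("t", [""])[0]
    if not address or not verify_unsubscribe_token(address, token, key):
        return None
    normalized = address.strip().lower()
    marketing_list.discard(normalized)
    return normalized
```

Because the token is bound to the address and nothing else, a link stays valid for as long as the key does, which is what a footer link that must work months later needs; the trade-off is that a leaked link can unsubscribe that one address, and nothing more.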
5. Authentication
We sign every outbound message and publish strong sender-authentication records for catchotp.com:
- SPF: catchotp.com publishes a Sender Policy Framework record authorizing Amazon SES (and only SES) to send mail on the domain's behalf.
- DKIM: every outbound message is DKIM-signed by SES under a key whose public half is published in DNS under catchotp.com. Receivers can verify each message's integrity and authenticate the sending domain cryptographically.
- DMARC: we publish a DMARC policy at _dmarc.catchotp.com that enforces alignment between the visible From header and the SPF/DKIM-authenticated domain. Aggregate and forensic reports are routed to a dedicated mailbox we monitor.
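"Alignment" is the part of DMARC that actually stops spoofing: SPF or DKIM passing is not enough, the authenticated domain must also match the From header domain. The following added example (not catchotp's record or code, and not from this page) evaluates that rule the way a receiver does, for a constructed example.com record. It generalizes beyond the page's one case by covering relaxed versus strict alignment; the two-label organizational-domain heuristic is a stated simplification of the Public Suffix List lookup real verifiers use, and the domains, record and scenarios are constructed.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict, applying RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC1 record with a policy tag")
    return tags


def organizational_domain(domain):
    # Simplification (assumption): keep the last two labels. Production code
    # must consult the Public Suffix List, or "example.co.uk" becomes "co.uk".
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ("s") wants an exact match, relaxed ("r")
    accepts any subdomain of the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(record, from_domain, spf, dkim_sigs):
    """spf is (result, MAIL FROM domain); dkim_sigs is a list of (result, d= domain).
    DMARC passes when at least one authenticated identifier aligns with the From
    domain. Returns (passed, disposition requested by the record)."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags["aspf"])
    dkim_ok = any(res == "pass" and aligned(from_domain, d, tags["adkim"])
                  for res, d in dkim_sigs)
    if spf_ok or dkim_ok:
        return True, "none"
    return False, tags["p"]  # sp= and pct= are deliberately not modelled here


# Constructed record and scenarios for example.com; not catchotp.com's record.
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-rua@example.com"
# Constructed, in the shape of the amazonses.com subdomain SES uses as MAIL FROM
# when no custom MAIL FROM domain is configured.
SES_MAIL_FROM = "a8-70.smtp-out.amazonses.com"


def scenarios():
    return {
        # DKIM d=example.com carries the alignment; SPF passes for the SES domain
        # but is unaligned, which is harmless while the DKIM signature holds.
        "ses_default_mailfrom": evaluate_dmarc(
            RECORD, "example.com", ("pass", SES_MAIL_FROM), [("pass", "example.com")]),
        # A forwarder rewrote the body: DKIM fails and the unaligned SPF pass
        # cannot rescue the message, so the receiver is asked to reject it.
        "dkim_broken_in_transit": evaluate_dmarc(
            RECORD, "example.com", ("pass", SES_MAIL_FROM), [("fail", "example.com")]),
        # Spoofed From header: the attacker only authenticates their own domain.
        "spoof_from_attacker": evaluate_dmarc(
            RECORD, "example.com", ("pass", "attacker.example"),
            [("pass", "attacker.example")]),
        # adkim=s refuses a signature from a subdomain; relaxed accepts it.
        "strict_subdomain_dkim": evaluate_dmarc(
            RECORD, "example.com", ("fail", SES_MAIL_FROM), [("pass", "mail.example.com")]),
        "relaxed_subdomain_dkim": evaluate_dmarc(
            RECORD.replace("adkim=s", "adkim=r"), "example.com",
            ("fail", SES_MAIL_FROM), [("pass", "mail.example.com")]),
    }
```

The second scenario is the practical caveat for any SES sender: with SES's default MAIL FROM, SPF authenticates an amazonses.com subdomain and never aligns with the From domain, so DKIM alone carries the DMARC pass and a broken signature means the policy's disposition applies. SPF alignment additionally requires configuring a custom MAIL FROM domain under the sending domain.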
6. Reputation pledge
We commit to operate well below SES's account-level enforcement thresholds and to treat reputation as a first-class operational concern, not an afterthought:
- Bounce rate < 1% on rolling 24-hour windows. SES places an account under review at 5% and pauses sending at 10%. We page our on-call founder when the rolling window crosses 50% of either threshold (i.e. 2.5% / 5%).
- Complaint rate < 0.05% on rolling 24-hour windows. SES places an account under review at 0.1% and pauses sending at 0.5%. We page our on-call founder at 50% of either threshold (i.e. 0.05% / 0.25%).
CloudWatch alarms drive the paging path. Every alarm runbook ends in a pull-back action: pausing marketing sends, pausing high-bounce-rate flows, and re-confirming the recipient list before resuming. These are not aspirational targets — they are the operating envelope our deploy pipeline enforces.
7. Reporting abuse
If you believe you have received unsolicited email from a catchotp domain, or that a catchotp inbox is being used to abuse a third-party service, please report it to abuse@catchotp.com. Include the full message headers and (where applicable) the recipient address and approximate timestamp. We acknowledge abuse reports within 24 hours on EU business days and follow up with the disposition within five (5) business days.
Security vulnerabilities should be reported separately to security@catchotp.com; see our security page and Acceptable Use Policy for the disclosure norms we follow.
8. Contact
Questions about this policy? Email legal@catchotp.com. Bounce/complaint suppression list inquiries go to billing@catchotp.com; abuse reports go to abuse@catchotp.com.