Magic link and OTP email deliverability: do's and don'ts
Updated 2026-05-07
Magic-link deliverability is the unglamorous half of the magic-link UX. Users blame the auth flow when emails don't arrive; the actual issue is almost always email infrastructure.
For broader passwordless context, see the passwordless authentication guide and the magic links vs OTP guide.
Do
Configure SPF, DKIM, and DMARC for the sending domain
Email providers (Gmail, Outlook, Apple Mail) check sender authentication. Missing or misconfigured records send your transactional mail to spam or reject it entirely.
Google's 2024 sender requirements made SPF / DKIM / DMARC effectively mandatory for bulk senders to inboxes. Postmark and SendGrid both publish deliverability data showing 30%+ improvement in inbox placement after correct DNS configuration.
Use a dedicated sending domain or subdomain
Mixing transactional sends with marketing or other transactional volume on the same domain blends reputation. A dedicated subdomain (auth.example.com or mail.example.com) isolates the auth-mail reputation.
The major ESPs (Postmark, SendGrid, AWS SES) all recommend dedicated subdomains for transactional auth mail. The reputation isolation is meaningful at scale.
Send via a transactional ESP, not your application servers
Application-server SMTP has weak reputation, lacks bounce handling, and doesn't manage retries cleanly. Transactional ESPs (Postmark, SendGrid, AWS SES, Resend) handle the deliverability infrastructure.
This is the standard cloud-native architecture pattern: production magic-link deployments at scale all use dedicated ESP infrastructure, and rolling your own SMTP for production auth mail is the antipattern.
Embed the OTP code AND the magic link in the same email
Mobile users prefer copying the OTP; desktop users prefer clicking the link. Sending both reduces user friction across device contexts.
UX research from major B2C CIAM vendors (Stytch, Auth0, Clerk) consistently shows that dual-format auth emails outperform single-format ones on completion rate.
Monitor inbox-placement and bounce rates per ESP
Deliverability degrades silently. A bounce rate that creeps from 3% today to 15% next quarter is invisible without monitoring.
ESP dashboards (Postmark, SendGrid, AWS SES) expose inbox placement and bounce metrics. Production-grade auth deployments review them weekly during the first quarter post-launch and monthly after.
Don't
Don't send magic links over HTTP
Magic links carry single-use auth tokens. Over HTTP they are exposed in plaintext to any intermediary. Always use HTTPS, and set the Secure flag on any session cookie issued at the destination.
See the OWASP Authentication Cheat Sheet; multiple production CVEs have been traced specifically to magic-link-over-HTTP patterns.
Don't make magic links last longer than 15 minutes
Long-lived magic links sit in inboxes, readable by anyone with email access. 5–15 minute expiry bounds the exposure window.
OAuth 2.0 Security BCP and OWASP both recommend short-lived single-use auth tokens. Modern CIAM defaults to 15 minutes for magic links.
Don't allow magic-link reuse
Single-use is the entire point. A reusable link is a long-lived credential in plaintext in an email.
The specification is the same across CIAM platforms: magic links are one-time-use by default. The first click consumes the token; subsequent clicks fail.
Don't bypass MFA via magic link
If the user has MFA enrolled, the magic link should be one of multiple factors, not a complete authentication. Bypassing MFA on magic-link login is a real bypass class.
This follows OWASP recommendations and modern CIAM best practice: magic links replace passwords; they don't replace second factors.
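The four "don'ts" above (HTTPS only, expiry of at most 15 minutes, single use, no MFA bypass) can be enforced in one small token store. The following is an added example written for this page, not code from any of the CIAM vendors or ESPs mentioned; the class and function names, the in-memory store, and the `/auth/magic` path are all assumptions.

```python
import hashlib
import secrets
import time
from urllib.parse import urlencode

MAX_TTL_SECONDS = 15 * 60  # ceiling recommended above

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

class MagicLinkStore:
    """Single-use, short-lived magic-link tokens. In-memory for illustration (a real
    deployment uses a database); only a SHA-256 digest of each token is stored."""

    def __init__(self, ttl_seconds=MAX_TTL_SECONDS):
        if not 0 < ttl_seconds <= MAX_TTL_SECONDS:
            raise ValueError("magic-link TTL must be between 1 second and 15 minutes")
        self.ttl = ttl_seconds
        self._records = {}  # token digest -> {"email", "expires", "used"}

    def issue(self, email, now=None):
        """Mint a fresh 256-bit random token for `email`; return it for the email body."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._records[_digest(token)] = {"email": email, "expires": now + self.ttl, "used": False}
        return token

    def consume(self, token, mfa_enrolled, now=None):
        """Redeem a token exactly once. Returns (status, email); status is "invalid",
        "expired", "reused", "mfa_required" or "authenticated". mfa_enrolled(email)
        says whether the link counts only as the first factor."""
        now = time.time() if now is None else now
        rec = self._records.get(_digest(token))
        if rec is None:
            return "invalid", None
        if rec["used"]:
            return "reused", None
        if now > rec["expires"]:
            return "expired", None
        rec["used"] = True  # first click consumes the token; later clicks fail
        if mfa_enrolled(rec["email"]):
            return "mfa_required", rec["email"]  # replaces the password, not the second factor
        return "authenticated", rec["email"]

def build_magic_link(base_url, token):
    """Compose the emailed link; refuse anything but HTTPS so the token never travels in plaintext."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("magic links must be delivered over HTTPS")
    return f"{base_url.rstrip('/')}/auth/magic?{urlencode({'token': token})}"
```

Because only digests are stored, a stolen token table cannot be replayed, and the dictionary lookup on a digest of a 256-bit random value leaks nothing useful through timing.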