Safety defaults
EmailDeliveryControl.sending_enableddefaults tofalsein PostgreSQL.EMAIL_MARKETING_ALLOW_REAL_RECIPIENTSdefaults tofalse.- The worker claims no recipients unless both controls permit delivery.
- Test-only mode claims only normalized addresses in
EMAIL_MARKETING_TEST_RECIPIENTS. - Do not reuse verification SMTP credentials or send to real users during rollout.
Tencent SES setup
The sender identity is mailer.acedata.cloud in ap-hongkong. DNS must pass all four Tencent checks:
- MX for
mailer.acedata.cloud - SPF TXT for
mailer.acedata.cloud - DKIM TXT for
qcloudhk1024._domainkey.mailer.acedata.cloud - DMARC TXT for
_dmarc.mailer.acedata.cloud
The sender address is news@mailer.acedata.cloud. Campaign templates are created from locked campaign content in the admin console and must be approved by Tencent before scheduling.
Event callback
Tencent SES does not expose callback configuration through its public API. Configure it in the Tencent SES console only after the backend route is deployed.
Retrieve the callback URL without committing or copying the secret into source files:
1 |
KUBECONFIG=/path/to/hk-kubeconfig |
Register that HTTPS URL for SES delivery events. Then mark the registration complete and restart only the affected workloads:
1 |
kubectl --kubeconfig "$KUBECONFIG" -n acedatacloud patch secret email-marketing --type merge \ |
Scheduling fails closed until provider health reports the identity enabled, callback registered, and every campaign template approved.
Seed rollout
- Keep
EMAIL_MARKETING_ALLOW_REAL_RECIPIENTS=false. - Keep exactly the owner-approved seed addresses in
EMAIL_MARKETING_TEST_RECIPIENTS. - Refresh audience profiles and create a campaign using a narrow preset.
- Lock content, preview and freeze the audience, then create Tencent templates.
- Wait for both locale templates to be approved.
- Enable the database control with the typed test confirmation.
- Release only the canary wave and verify callbacks, delivery, unsubscribe, and suppression behavior.
- Disable the database control after the test.
Moving to real recipients requires a separate owner decision, changing the deployment secret to EMAIL_MARKETING_ALLOW_REAL_RECIPIENTS=true, restarting the workloads, and using the stronger typed confirmation shown by the admin API.
Recovery
- Pause globally first by setting
EmailDeliveryControl.sending_enabled=falsein the admin console. reconcile_email_deliveryrecovers expired leases and never retries a provider request with an ambiguous outcome.- Ambiguous sends become
OutcomeUnknownafter the reconciliation window and require manual review. - Provider/user suppressions cannot be manually deactivated; only
ManualSafetysuppressions can be removed with an audit reason. - Recipient PII is purged after the configured retention period; hashes and aggregate delivery records remain for safety and reporting.