EMAIL-006 critical Email Monitoring

Transactional email control and logging

Dedicated provider with dashboard access, bounce tracking, open/click tracking (or documented exceptions)

Question to ask

"Can you prove a specific user received a specific email last month?"

Verification guide

Severity: Critical

Transactional emails (password resets, order confirmations, etc.) must be fully controlled and logged. You need visibility into every email sent, bounces, and engagement.

Check automatically:

  1. Check for transactional email providers:
     grep -riE "sendgrid|mailgun|postmark|ses|amazon.*ses|sparkpost|mandrill|resend" package.json .env.example 2>/dev/null
  2. Check for email sending code:
     grep -riE "sendEmail|sendMail|transporter\.send|sgMail|mailgun\.messages|postmark.*send|ses.*send" --include="*.ts" --include="*.js" src/ lib/ app/ 2>/dev/null | head -10
  3. Check for email configuration:
     grep -riE "SMTP_|MAIL_|EMAIL_|SENDGRID_|MAILGUN_|POSTMARK_" .env.example 2>/dev/null
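The three greps above can be combined into a single triage verdict that separates "provider present" from "SMTP configured with no provider", the case the fail criteria describe as raw SMTP with no logging. This is an added example, not part of the original checklist; the function name, the verdict strings, the anchored "ses" pattern and the sample repo are assumptions of the example.

```shell
#!/bin/sh
# Added example: fold the EMAIL-006 automatic checks into one verdict.
# Verdict names are this example's own labels, not part of the checklist.
email006_triage() {
    repo=$1
    # Provider names from the checklist. "ses" is anchored to non-letters so
    # that words such as "sessions" or "processes" do not count as a hit.
    providers='sendgrid|mailgun|postmark|sparkpost|mandrill|resend|(^|[^a-z])ses(v2)?([^a-z]|$)'
    send_calls='sendEmail|sendMail|transporter\.send|sgMail|mailgun\.messages'
    provider=no; smtp=no; sender=no

    for f in "$repo/package.json" "$repo/.env.example"; do
        [ -f "$f" ] || continue
        if grep -qiE "$providers" "$f"; then provider=yes; fi
    done
    if [ -f "$repo/.env.example" ] && grep -qE '^SMTP_' "$repo/.env.example"; then
        smtp=yes
    fi
    for d in src lib app; do
        [ -d "$repo/$d" ] || continue
        if grep -rqiE --include='*.ts' --include='*.js' "$send_calls" "$repo/$d"; then
            sender=yes
        fi
    done

    if [ "$provider" = yes ]; then
        echo "provider-detected"     # go on to the dashboard and bounce questions
    elif [ "$smtp" = yes ]; then
        echo "raw-smtp-only"         # candidate for the "raw SMTP with no logging" fail
    elif [ "$sender" = yes ]; then
        echo "sender-unconfigured"   # code sends mail, no provider or SMTP config found
    else
        echo "no-email-evidence"
    fi
}

# Constructed sample: a repo that configures SMTP but names no provider.
demo=$(mktemp -d)
printf '{"dependencies":{"express-session":"1.0.0"}}\n' > "$demo/package.json"
printf 'SMTP_HOST=smtp.example.test\n' > "$demo/.env.example"
email006_triage "$demo"
rm -rf "$demo"
```

A "provider-detected" verdict only shows that a provider is referenced in the repo; dashboard access, bounce monitoring and tracking exceptions still have to be confirmed through the questions below.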

Ask user:

  • "What transactional email provider do you use?"
  • "Can you see all emails sent from your domain in the provider dashboard?"
  • "Do you have access to bounce logs?"
  • "Do you have open/click tracking enabled?"
  • If tracking is disabled for some emails: "Which email types have tracking disabled and why?"

Cross-reference with:

  • EMAIL-001 through EMAIL-004 (DNS authentication must be configured for the sending domain)

Pass criteria:

  • Dedicated transactional email provider identified (SendGrid, Mailgun, Postmark, SES, etc.)
  • Dashboard access to view all sent emails
  • Bounce tracking enabled and monitored
  • Open/click tracking enabled (or documented exceptions for privacy-sensitive emails like password resets, 2FA codes)

Fail criteria:

  • No dedicated transactional provider (using raw SMTP with no logging)
  • Can't see what emails were sent
  • No bounce visibility
  • Tracking disabled without documented rationale

Evidence to capture:

  • Provider used
  • Dashboard URL (for audit access)
  • Metrics available (bounces, opens, clicks)
  • Documented exceptions for tracking-disabled email types

Section

20. Email Infrastructure

Error Tracking & Reliability