Changelog

Webhooks just got a real security model and a real outbound surface.

• Signing secrets per endpoint. Every new webhook gets a fresh whsec_… secret, shown once at create. Existing endpoints can generate one with a single click in Webhooks → Generate Secret.
• Timestamped signatures. X-Postscale-Signature is now t=<unix>,v1=<hmac> — the timestamp lets receivers reject replays outside a tolerance window (5 minutes is the recommended default).
• Zero-downtime rotation. Rotating a secret keeps the previous one valid for a configurable grace window (default 24 hours, max 7 days). During the window each delivery carries two v1= signatures so receivers can update without dropping events.
• Outbound delivery events. Subscribe an endpoint to email.delivered, email.bounced, email.deferred, email.complained, or email.sent — one webhook can subscribe to any combination including email.received. Events fire from a durable queue inside the API, so customer endpoint slowness can't back up our delivery pipeline.

Verification details, the full event taxonomy, payload shapes, and runnable Node + Python verifiers are in the updated Webhooks guide. Existing webhooks continue working unchanged — their event_types defaults to ["email.received"] and they keep delivering unsigned until you opt in to a secret.

Launched five browser-only email infrastructure tools at postscale.io/tools. All of them run entirely client-side — DNS queries go through Cloudflare's DNS-over-HTTPS, nothing is logged or stored on our servers.

• SPF checker — walks a domain's include/redirect tree and counts DNS lookups against the 10-lookup limit.
• DKIM lookup — inspect the published public key by selector, see key size and status.
• DMARC policy checker — get a 0–5 enforcement maturity score and next-step recommendations.
• DMARC aggregate parser — paste RUA XML and see per-source records, DKIM/SPF alignment, and pass rate.
• Email headers analyzer — paste raw headers and get the routing hop chain plus auth results.

Every tool links back to the relevant API product for users who want automation instead of one-off diagnosis.

Three new vertical landing pages explain how Postscale maps to specific industries:

• For SaaS — transactional, inbound, masked addresses under one API key.
• For e-commerce — order mail plus XRechnung-compliant invoicing for the 2025 mandate.
• For healthtech — EU-hosted, GDPR-ready patient communication.

Each page leads with the pain points we hear most often from that industry and links directly to the matching product pages.

Four new /alternatives/* pages for teams evaluating EU-hosted options:

• Postscale vs SendGrid
• Postscale vs Mailgun
• Postscale vs Postmark
• Postscale vs Resend

Each page covers pricing at 10k/100k/500k sends per month, EU data residency posture, feature parity, and a three-step migration outline. Honest where competitors win on brand maturity; specific where Postscale wins on EU compliance or bundled features.

Postscale's full product catalog now has a dedicated landing page per capability:

• Transactional Email API — send password resets, receipts, notifications.
• Inbound Email API — receive email as HMAC-signed webhooks.
• Masked Email API (Shield) — privacy addresses that forward to real inboxes.
• DMARC Reporting API — parse DMARC aggregate XML reports programmatically.
• XRechnung API — send and receive EN 16931 e-invoices (XRechnung, ZUGFeRD, Factur-X).

All five share the same API key, the same authentication, the same dashboard, and the same flat EUR pricing. See them in the all-products grid.

Two high-value posts now have proper German translations with bidirectional hreflang linking:

• XRechnung API: Entwickler-Leitfaden zum deutschen E-Rechnungs-Mandat
• Der vollständige Leitfaden zur E-Mail-Zustellbarkeit in 2026

The blog pipeline is now content-driven: any .de.mdx (or .fr.mdx, .es.mdx, .it.mdx, .nl.mdx) file automatically generates a localized route with proper hreflang alternates. No routing config changes required to add more translations.

A batch of structural improvements that quietly compound:

• JSON-LD Product + FAQPage + ItemList schema on every product and category page so Google can render rich SERP snippets with price ranges and expandable FAQ cards.
• Sitemap expansion from 50 to 100+ URLs — every language variant of the homepage, pricing, and invoices pages now has its own <url> entry rather than hiding behind hreflang alternates.
• PNG Open Graph images (1200×630) replacing the previous SVG, which Facebook, LinkedIn, Slack, WhatsApp, and iMessage were silently refusing to render.
• Restored diacritics across German, French, Spanish, Italian, and Dutch meta descriptions — native speakers were seeing ASCII-stripped text that hurt click-through.

No visible product changes, but the site's Google footprint doubled overnight.

Postscale has always run on self-hosted Umami analytics (EU-hosted, privacy-preserving, no Google). Now the frontend fires structured events for every meaningful conversion point:

• signup_completed
• plan_selected, payment_completed
• domain_added, api_key_created, email_sent_dashboard
• beta_requested, contact_form_submitted
• pricing_cta_clicked, product_cta_clicked, alternative_cta_clicked

All events stream to analytics.dnscale.eu in real time. No tracking script from Google, Facebook, LinkedIn, or HubSpot touches the page. For teams evaluating Postscale on GDPR grounds, this is the literal implementation of "we don't leak data to US trackers."

Postscale Invoices is in production. One REST API endpoint for:

• Validation — submit an invoice XML, get structured errors against the full EN 16931 schematron.
• Sending — email invoices as attached XML or as hybrid PDF/A with embedded XML (ZUGFeRD).
• Receiving — point an MX at Postscale, get parsed invoice JSON via webhook — line items, totals, VAT, buyer/seller IDs already extracted.

German B2B buyers have been required to receive E-Rechnung since 2025-01-01. Sending phases in through 2028. If your accounting stack still processes PDFs, you'll be fine for inbound today but blocked for sending from 2027.

Full developer guide: XRechnung API: A developer's guide to Germany's e-invoicing mandate (also auf Deutsch).

Postscale is live. Three email primitives under one key, all processed inside the EU:

• Transactional — REST API or SMTP relay. DKIM + DMARC auto-configured. Real-time delivery webhooks.
• Inbound — point an MX record; receive messages as HMAC-signed webhooks with parsed headers, bodies, and attachments.
• Masked addresses (Shield) — generate unique, revocable aliases that forward to your users' real inboxes on your own domain.

Postscale is operated by DNScale OÜ (Estonia, EU). All processing, storage, and delivery happens on EU infrastructure. No CLOUD Act exposure, no Schrems II assessment required for EU controllers. The standard GDPR DPA is signed pre-sales with no lawyer-only meetings.

Free tier: 1,000 sends/month, 50 inbound, 10 masked addresses. Paid plans start at €9/mo. See pricing.