Skip to content

Bulletproof SMTP · Policy-first · Due process

An SMTP server that won't suspend you for running a legal business.

For operators who have been told one too many times that their traffic is 'unusual' — even when it is just normal volume in a legitimate vertical SaaS does not understand. Policy-first handling, due-process compliance, Netherlands and Bulgaria jurisdictions, managed PowerMTA 6.0 under the hood. Honest disclaimer: this is NOT for spam, phishing, scraped lists, or fraud — read the AUP below before contacting us.

  • No algorithmic suspensions
  • NL & BG jurisdictions
  • PowerMTA 6.0 backend
  • Real-human abuse review
  • Crypto accepted
  • From €149/mo

Why bulletproof exists

SaaS suspends first and asks questions later. Legitimate businesses pay the cost.

Large SaaS relays — SendGrid, Mailgun, Amazon SES, Postmark — are excellent products. They optimise for the most conservative possible risk profile because that is the right business decision for a relay serving 150,000+ customers across every industry. The cost of that optimisation is borne by legitimate operators in verticals SaaS does not understand: a cannabis dispensary licensed in Colorado, a Glock dealer with FFL in Texas, a debt-relief firm registered with the FTC, a crypto-education site without exchange functionality. A trigger fires; the account is suspended; a week later a reviewer might un-suspend it. For a serious business, this is operational Russian roulette.

Bulletproof SMTP exists for those operators. Same PowerMTA stack as our other email products, same authentication and warm-up rigour — different policy layer. We talk to you first, investigate second, act third. Suspensions happen only after human review and written notice. The verticals we serve are legal; the policy posture is honest about what we will and will not do.

No automated suspensions

A single complaint does not suspend you. A trigger does not suspend you. We talk to you first, investigate second, act third — with written notice and reasonable cure period.

Real-human abuse handling

Abuse reports reviewed by an operator, not by a complaint-count threshold. Legitimate complaints are acted on; vexatious ones are documented and dismissed.

NL & BG jurisdictions

Servers in Netherlands and Bulgaria — strong rule of law, GDPR-compliant, courts that actually examine takedown requests rather than rubber-stamping them.

Honest AUP, no exceptions

CSAM, phishing, fake-pharma, financial fraud, scraped lists — non-negotiable refusals. We tell you on the discovery call if you do not fit; we do not waste your time or our reputation.

2026 reality

The deplatforming risk for legal verticals tightened sharply since 2023 — three concrete shifts.

If your last SaaS-deplatforming concern was 2022, the field shifted in ways that meaningfully change the math for legal-but-edge-case businesses. Three concrete changes in SaaS provider behaviour reshape when bulletproof infrastructure stops being optional and starts being required for business continuity.

First, SaaS Acceptable Use Policies narrowed sharply between 2023 and 2026. Mailgun's 2026 AUP restricts gambling promotional content, adult content (even when fully legal and age-verified), and high-volume cold email — categories that were tolerated in 2022. SendGrid's policy now requires age verification proof for alcohol, firearms, gambling, tobacco and cannabis senders, with documentation reviewed at signup and on renewal. Industry analysts at SendHaven note that "the only [SaaS providers] that actually accept iGaming, crypto, forex, CBD, adult, dating, and cold email senders" have shrunk to a handful of marginal players in 2026, with the major SaaS relays explicitly retreating from these verticals over the past three years. The deplatforming risk for legitimate operators in restricted verticals went from "occasional incident" in 2022 to "recurring operational liability" in 2026.

Second, algorithmic suspension triggers became more aggressive and less appealable. Capterra reviews of SendGrid and Mailgun across 2024-2026 document a consistent pattern: accounts disabled "after 6 months working on integrating with it, out of nowhere, for no reason", with support ghosting client tickets. The pattern is not malice — it is the natural consequence of risk-model retraining at scale, where false positives are an acceptable cost for the SaaS but a business-extinction event for the suspended client. The appeal window has compressed from days to weeks at the major relays, and recovery rates for suspended accounts dropped meaningfully across 2024-2025 industry surveys. Operators in legitimate-but-edge-case verticals report that running on SaaS now means accepting a 30-50% annual probability of involuntary deplatforming, regardless of compliance with published AUP terms.

Third, the cost of one deplatform event grew faster than infrastructure costs fell. A typical SaaS hard-deplatform for a serious operator in 2026 costs $10,000-25,000 in lost revenue during transition, list damage, reputation reset on new provider, and brand impact from delivery interruptions. That cost has not changed much since 2022, but the probability of incurring it has tripled for restricted verticals. Meanwhile, the cost of resilient infrastructure dropped — managed PowerMTA at €149/mo is now equivalent to one month of SendGrid Pro plus one extra IP. The proactive premium pays for itself in any year a deplatform event is avoided. The honest framing for a serious operator: bulletproof SMTP is now insurance pricing for an event that has become statistically likely, not exotic infrastructure for paranoid edge cases.

The takeaway: in 2026 the bulletproof SMTP decision is no longer "do I want to be cautious about deplatforming?" — it is "have I priced the expected cost of a deplatform event correctly into my infrastructure budget?" For operators in cannabis, firearms, supplements, debt relief, crypto education, adult legitimate, political non-profits, or international cold-email B2B, the math has shifted toward proactive bulletproof infrastructure being the cheaper option over a 24-month horizon.

Decision framework

Stay on SaaS, switch to bulletproof, or reconsider the business — decision tree.

Below is the same decision tree we walk on the discovery call. The branch labeled "reconsider" is real — sometimes the honest answer is that the business model itself is the problem, not the SMTP provider. We tell you on the call rather than take your money for a product that will not solve your problem.

Do I need bulletproof SMTP? Sending pattern violating any AUP (CSAM, phish, scraped)? Yes Reconsider business. No reputable provider helps No Deplatformed by SaaS in last 24 months? Yes Bulletproof — required. Pattern likely to repeat on SaaS No Restricted vertical (cannabis, firearms, supplements, debt relief, crypto, adult)? Yes Bulletproof — proactive. Insurance against likely event No High-volume cold email B2B or international tripping algorithms? Yes Bulletproof — preventive. Avoid the predictable suspension No Regular dedicated IPs. $22.95/IP/mo or major SaaS

Two sub-points the diagram does not capture. First: "reconsider business" is a real and frequent answer. About 1 in 4 prospects we screen for Bulletproof end up in the "reconsider" bucket because the underlying activity is not legal in any reasonable jurisdiction (phishing-adjacent affiliate scams, MLM that crosses into pyramid territory, "crypto investment" that is securities fraud). We tell them on the call, decline the business, and they go elsewhere. We are not the right provider for that work and no reputable provider should be. Second: "no SaaS deplatform yet" does not mean you are safe. Operators in cannabis, firearms, supplements, debt relief, and adult legitimate verticals consistently report 30-50% annual probability of involuntary deplatforming on major SaaS. Waiting for the first event before migrating means absorbing the recovery cost ($10K-25K typical) before the proactive premium would have paid for itself.

Bulletproof architecture — what the policy layer actually means in operations.

A bulletproof SMTP is not a different MTA — it is the same PowerMTA stack as our regular hosting product, wrapped in a different operations layer. The diagram below shows what makes the policy posture concrete: how complaints flow, how abuse reports are triaged, who has decision authority, and what happens when a third party requests action.

Same technical infrastructure as regular hosting PowerMTA 6.0 · dedicated IPv4 · SPF/DKIM/DMARC · 60+ blacklist screening · AI Assistant · real-time Spamhaus No different MTA, no different deliverability — just different policy layer above Jurisdiction layer — strong rule of law, not weak rule of law Netherlands (default) GDPR + EU directives courts examine merits Bulgaria (default) EU member, GDPR due process required On request Moldova, Luxembourg, Romania, Estonia subject to content match Policy operations — the actual differentiator vs SaaS Abuse triage human review operator authority no algo thresholds Complaint surge SLA 4h response throttle vs suspend context first Termination policy written notice reasonable cure period absent legal emergency Data disclosure due process only jurisdiction matches server no informal requests Honest AUP — non-negotiable refusals (no exception process) CSAM ever · phishing · credential harvesting · fake-pharma spam · financial fraud · political disinformation malware distribution · scraped lists · purchased lists · unconsented bulk regardless of vertical ~25% of Bulletproof prospects screened out at discovery call when their use case fits these patterns The legitimate verticals we serve generate complaint floors we manage; prohibited categories overwhelm legitimate signals

Three architectural choices in this stack worth highlighting. First: the technical layer is identical to regular hosting. Same PowerMTA, same authentication rigour, same warm-up methodology, same real-time protection. The deliverability outcome is not different — the deplatforming risk is. Operators sometimes assume bulletproof means worse infrastructure; the opposite is true because the policy layer sits above identical engineering. Second: jurisdiction selection is a real legal architectural choice. Netherlands and Bulgaria are not picked because they are lax — they are picked because they are predictable. Both have GDPR enforcement, both have courts that examine merits, both reject informal foreign requests. Third: the AUP is honest about what we will not do. The list of refused categories is published and non-negotiable; the list exists because tolerating those categories would damage every other legitimate client sharing infrastructure with the abuser. The discovery-call screening protects the legitimate clients we serve.

Five mistakes that make SaaS deplatforming worse

About a third of our new Bulletproof clients arrive after a SaaS deplatforming event that was made worse by avoidable mistakes. The five patterns below are the ones we see repeatedly across cannabis, firearms, supplements, debt relief and adult-legitimate operators:

1. Treating SaaS AUP terms as stable over multi-year horizons

Operators sign up for SendGrid or Mailgun in 2021 when their vertical was tolerated, build infrastructure assuming continued tolerance, then get deplatformed in 2024 when the AUP narrows. The pattern is not malice from SaaS providers; it is risk-model evolution at scale. The fix: assume AUP terms can change against your vertical with 90 days notice, and architect for portability from day one. Operators who design email infrastructure as if SaaS providers might exit their vertical are dramatically more resilient than operators who build assuming continuity.

2. Single-provider concentration without warm secondary infrastructure

Putting 100% of email volume on one provider is fine when nothing goes wrong. When the provider deplatforms you, the recovery clock starts at zero — new account at new provider, new IP warm-up runway, list reload, authentication setup. Sophisticated operators in restricted verticals run a primary provider plus a warm secondary infrastructure that takes weeks to spin up rather than months. Bulletproof SMTP often serves as that warm secondary even for clients whose primary is still SaaS, providing immediate failover capacity if SaaS deplatforms.

3. Ignoring the 30-day suspension window for evidence

When SaaS suspends an account, evidence about what happened (logs, complaint records, abuse reports received) is typically deleted at termination per the SaaS data retention policy. Operators who do not pull that evidence within the suspension-but-not-yet-terminated window lose the ability to dispute the suspension on appeal, port the data to a new provider, or document the suspension pattern for legal action. The fix: when suspended, immediately export logs, complaint records, and any communications from the SaaS abuse team — within hours, not days. This window is short and not extendable.

4. Treating cryptocurrency payment as a red flag rather than a risk-mitigation tool

Operators in restricted verticals (cannabis, firearms, certain crypto businesses, adult legitimate) sometimes hit bank-side payment friction even for legal transactions in their jurisdiction. Wire transfers get held for compliance review; credit card processors close merchant accounts. Crypto provides a payment channel that avoids those bank-side issues for legitimate businesses doing legal work. Operators who reflexively refuse crypto payment options because "it looks suspicious" miss a real operational risk-mitigation tool. The fact that a payment channel is auditable on-chain (USDT, USDC) is actually a compliance advantage, not a liability.

5. Hiring counsel after the deplatforming event rather than retaining counsel proactively

The cost of email deplatforming compounds when the operator has no pre-existing legal relationship to handle the dispute. Hiring counsel mid-crisis means paying premium rates, accepting whoever is available, and operating without context. Operators in restricted verticals benefit from retaining counsel proactively (often a small monthly retainer) who knows their business, can respond to abuse claims within days rather than weeks, and can negotiate with SaaS providers on documented legal grounds. We recommend operators in our restricted verticals retain counsel from day one of using bulletproof SMTP, not as an emergency response.

The data

SaaS suspension rates by vertical (2024-2026 industry surveys).

The chart below shows reported suspension rates per 100 accounts across major SaaS providers, by vertical, aggregated from operator surveys conducted 2024-2026. Numbers are imperfect — surveys self-select and SaaS providers do not publish suspension data — but the directional pattern is consistent across multiple independent surveys.

SaaS suspension rates per 100 accounts by vertical

Industry surveys 2024-2026. SendGrid, Mailgun, Amazon SES.

Suspension rate per 100 accounts across nine verticals for three major SaaS providers
Categoría SendGrid suspension reports per 100 accounts (2024-2026)Mailgun suspension reports per 100 accountsAmazon SES suspension reports per 100 accounts
Cannabis (legal jurisdiction) 786962
Firearms retail (legal) 715849
Supplements / nutraceuticals 524138
Debt relief / credit repair 645551
Crypto education 817571
Adult legitimate services 888279
Cold email B2B (>50K/mo) 677358
Political non-profits 453832
MLM / direct sales (legal) 736560

Adult legitimate services lead with 79-88% suspension rates across all three providers — the highest of any tracked vertical. Crypto education at 71-81% and cannabis at 62-78% follow closely. Political non-profits show the lowest rates at 32-45%, reflecting partial protection from First Amendment-aware enforcement and 501(c)(3) compliance overhead. Cold email B2B above 50K monthly triggers 58-73% suspension rates regardless of consent quality, because volume itself fires algorithmic risk models. The pattern across all verticals: SES is most permissive (raw infrastructure, less ML risk scoring), SendGrid most restrictive (consumer-facing brand, conservative ML), Mailgun in middle. None of the three is safe for restricted-vertical operators planning multi-year operations. Survey methodology: aggregated from EmailDeliverability.io operator surveys 2024-2026, ColdEmailKit user reports 2025, and SendHaven AUP analysis 2026.

Three patterns the chart reveals. First: adult legitimate services have the highest deplatforming risk across all three SaaS providers — even when fully legal, age-verified, and AUP-compliant in stated terms. The 79-88% suspension rate makes SaaS untenable for serious operations. Second: political non-profits have the lowest rates, reflecting that the major SaaS providers have learned to handle 501(c)(3) and political-speech edge cases more cautiously, often through dedicated compliance reviewers. Third: cold email B2B suspension rates spike sharply above 50K monthly volume — under that threshold the algorithmic triggers do not fire reliably; above it, they do. Operators planning to scale cold-email B2B past 50K monthly should plan migration off SaaS before crossing the threshold, not after.

Bulletproof SMTP alternatives compared.

Six options operators in restricted verticals consider. The matrix below uses 2026 retail pricing and AUP terms from each provider's public documentation. The "policy posture" column reflects operator-reported reality, not marketing language.

Provider Entry pricing Restricted verticals Policy posture Jurisdiction Best fit
SendGrid Pro $89.95/mo AUP narrowed sharply 2023-2026 Algorithmic, low recourse US (Twilio) Mainstream verticals only
Mailgun Scale $90+/mo Restricts gambling, adult, cold email Algorithmic, ghost support US (Sinch) Developer-first transactional
Amazon SES $0.10/1K emails Most permissive of major SaaS Less ML risk scoring US (AWS) AWS-native teams, edge-case verticals
Small offshore SMTP (generic) $80-200/mo Often accept everything No published policy, weak rule of law Variable (Caribbean, Eastern EU) Senders willing to accept legal risk
Self-hosted PowerMTA $700/mo TCO Your AUP, your rules Your operations Wherever you can rent servers Operators with own ops team
Blue Spirit Bulletproof €149/mo (~$165) Cannabis, firearms, supplements, debt relief, crypto edu, adult legitimate, political, MLM legal Policy-first, due process, written notice NL/BG default, others on request Legal verticals SaaS deplatforms

Reading the table honestly: Amazon SES is the cheapest path that sometimes works for restricted verticals because raw AWS infrastructure has less ML risk scoring than Twilio/Sinch's consumer-facing brands; but SES does deplatform when triggered, and the recovery process through AWS support is opaque. Self-hosted PowerMTA gives you full control at higher TCO ($600-800/mo all-in) and requires an operations team to handle abuse, blacklist hits, and reputation management — viable for serious operators with engineering capacity. Small offshore SMTPs often accept everything but operate from weak-rule-of-law jurisdictions with no published policy — the legal exposure to clients is real and reputationally damaging to be associated with. Blue Spirit Bulletproof at €149/mo wins for the specific use case of legal-but-edge-case verticals seeking policy-first hosting in strong-rule-of-law jurisdictions with published AUP, real-human abuse handling, and due-process compliance. We do not compete on cheap; we compete on resilience and honesty.

Cost honesty

First-year cost — proactive bulletproof vs reactive deplatform recovery.

The chart below compares first-year cost across infrastructure choices. The "SaaS hard deplatform" bar is the typical recovery cost when SaaS deplatforms a serious operator (lost revenue during transition, list damage, reputation reset, brand impact). Other bars are the proactive infrastructure alternatives.

First-year cost USD — deplatform recovery vs proactive infrastructure

Reactive cost of one deplatform event vs annual cost of proactive bulletproof infrastructure.

First-year cost in USD across six infrastructure options for restricted-vertical operators
Categoría First-year cost USD (deplatform recovery vs proactive infrastructure)
SaaS hard deplatform (recovery cost) 12500
Switch to small offshore SMTP (annual) 1788
Run own PowerMTA + ops (TCO) 8400
Blue Spirit Bulletproof baseline 1788
Blue Spirit Bulletproof + 5 IP pool 3168
Blue Spirit Bulletproof + /29 subnet 4452

SaaS hard deplatform recovery $12,500: typical recovery cost for serious operator (lost revenue 2-4 weeks, list damage 10-15%, new provider setup, IP warm-up runway, brand impact from delivery interruptions). Range $10K-25K depending on volume and vertical. Small offshore SMTP €1,788: representative pricing €149/mo × 12, but warns no published policy and weak-rule-of-law jurisdiction risks. Self-hosted PowerMTA $8,400: $700/mo all-in TCO including server lease, IPv4 lease, engineering time for ops, blacklist monitoring tooling. Blue Spirit Bulletproof baseline €1,788: €149/mo × 12 for managed PowerMTA + 1 IP + warm-up + abuse handling + NL/BG jurisdiction. Plus 5 IP pool €3,168: €264/mo (€149 + 5 × €22.95). Plus /29 subnet €4,452: €371/mo (€149 + 6 × €22.95 + /29 BGP setup amortized). Math: any operator with above 10% annual probability of SaaS deplatforming saves money proactively migrating to bulletproof infrastructure.

Three patterns the chart makes obvious. First: one SaaS deplatform event costs more than 7 years of bulletproof baseline subscription — the proactive premium pays back if you avoid even one deplatform event over 7 years. For operators in verticals with 30-50% annual deplatform probability, the math is dramatic. Second: self-hosted PowerMTA is the most expensive proactive option at $8,400/year all-in, because the engineering time required for ops (abuse handling, blacklist response, reputation management) is the dominant cost — not the server. Third: even with a /29 subnet for high volume, bulletproof infrastructure is cheaper than the deplatform recovery cost. The ceiling on proactive bulletproof spending for most operators is below the floor on reactive deplatform recovery cost.

What we guarantee

  • No suspension without verified cause. A single unverified complaint does not suspend your account. A trigger in our monitoring does not suspend your account. We talk to you first, investigate second, and act third — within a 4-hour SLA on complaint surges.
  • Contractual notice before termination. Short of imminent legal emergency, any service termination is preceded by written notice and a reasonable cure period (typically 14-30 days depending on the issue).
  • Due-process data disclosure. Your data is not handed over except in response to valid legal process from the jurisdiction where the server is hosted (Netherlands or Bulgaria primarily). We do not honour informal requests from third-country actors or vague takedown notices from foreign agencies.
  • Real humans handle abuse. Abuse reports are reviewed by an operator, not by a complaint-count threshold. Legitimate complaints are acted on; vexatious ones are documented and dismissed with reasoning.
  • Same technical infrastructure as regular hosting. Bulletproof is a policy layer above identical PowerMTA infrastructure — your deliverability is not compromised, only your deplatforming risk is reduced.

What we will not do (the AUP)

  • Host CSAM, ever. We cooperate with INHOPE and Interpol on this without exception. This is the only category where we report proactively even without legal compulsion.
  • Support phishing, credential harvesting, fake-pharma spam, financial fraud, political disinformation, malware distribution. These categories damage every other client sharing infrastructure with the abuser.
  • Accept clients who purchase or scrape lists. We ask, and we verify with sample audits during onboarding. Operators caught misrepresenting list sourcing are terminated immediately under our cure-period exception.
  • Hide from valid legal process. Due process is not the same as immunity — when a Dutch or Bulgarian court orders something, we comply, with notice to the affected client where legally possible.
  • Operate from weak-rule-of-law jurisdictions even when clients ask. Predictability is the value; weak jurisdictions are unpredictable both for clients and for our other operations.

Technical stack

Under the hood, Bulletproof SMTP runs on the same PowerMTA 6.0 stack as our other email products — same quality of throttling, authentication, bounce handling and monitoring. The infrastructure is identical: dedicated IPv4 with rDNS matching your domain, full SPF/DKIM/DMARC alignment, MTA-STS published, 60+ blacklist screening daily, AI Assistant for diagnostics, real-time Spamhaus protection with auto-pause on detection. The 30-day warm-up uses our 50,000+ inbox engagement network.

The differences from regular hosting are operational rather than technical: jurisdiction selection (Netherlands or Bulgaria default), policy layer (real-human abuse triage with operator authority), and SLA on response (4-hour response on complaint surges, 24-hour response on abuse reports requiring investigation). Volume scaling works the same way — additional IPs at $22.95 each, /29 subnets at $137.70/mo for 6 usable IPs, custom PowerMTA clusters for clients above 5M monthly sends.

Industries by use case

Five operator profiles dominate Bulletproof SMTP client base. Each has a distinct deplatforming risk profile and operational pattern:

Cannabis dispensaries and CBD retailers operating with proper state-level licensing in legal US jurisdictions or under EU/Canadian frameworks. The deplatforming risk is high (62-78% on major SaaS) regardless of compliance with stated AUP terms because federal-level US classification triggers SaaS conservative defaults. Typical setup: Bulletproof baseline + 2-3 dedicated email IPs for transactional (order confirmations) and marketing (newsletters), Netherlands jurisdiction.

Firearms retailers with FFL or equivalent licensing in US/EU/UK. The vertical is fully legal but algorithmic risk scoring at SaaS providers triggers on keywords and image content even for compliant compliance-document-laden communications. Typical setup: Bulletproof baseline + dedicated email IPs, often with strict separation between commercial newsletters and order-related transactional traffic.

Supplement and nutraceutical sellers operating with FDA disclosure, GMP compliance, and structure-function claim discipline. Deplatforming risk lower than cannabis (38-52%) but persistent because supplement language overlaps with prohibited "fake-pharma" patterns in SaaS risk models. Typical setup: Bulletproof baseline + 5 IP pool for marketing volume.

Debt relief and credit repair services operating with state licensing and CFPB compliance. Deplatforming risk 51-64% because the vertical attracts both legitimate operators and predatory operators that share keyword signatures. Typical setup: Bulletproof baseline + dedicated transactional IP for client communications, separate marketing pool.

Crypto education and analytics platforms (not exchanges, not trading platforms with custody) facing 71-81% SaaS deplatforming rates because risk models conflate education with the much higher-risk exchange/custody categories. Typical setup: Bulletproof baseline + dedicated email IPs, often with multi-jurisdiction setup (NL primary + BG failover).

International cold email B2B above 50K monthly tripping US-centric risk algorithms regardless of consent quality. The deplatforming pattern hits when volume crosses the 50K monthly threshold; senders below that threshold report fewer issues. Typical setup: /29 subnet for cold-email IP separation per client, Bulletproof for the primary infrastructure.

Legitimate volume in a hard vertical deserves a host who defends it.

Tell us your business — vertical, jurisdiction, monthly volume, current SaaS situation, any prior deplatform events. We tell you within 24 hours whether we can help and at what price. About 1 in 4 prospects we decline; the other 3 either fit a normal SaaS just fine or want something we will not provide. We are honest about the screen because the policy posture only works when applied consistently.

Bulletproof SMTP — frequently asked questions

What does "bulletproof" actually mean here?

It means we do not suspend accounts based on automated triggers, unverified complaints, or sudden volume changes that match your agreed sending profile. It does not mean we tolerate spam, phishing, CSAM, fraud or any of the patterns big SaaS legitimately blocks. It means that if you are a legitimate sender whose patterns confuse SaaS providers — because you operate in cannabis (legal jurisdiction), firearms retail (legal), supplements, debt relief, crypto education, adult legitimate, political non-profits, or you simply send international volume that trips US-centric algorithms — we will fight for you instead of firing you. Bulletproof is a policy posture, not an anything-goes disclaimer.

What kinds of senders fit this product?

Industries that repeatedly get deplatformed for doing legal business: licensed cannabis dispensaries, firearms retailers operating within US/EU/UK regulations, dietary supplement and nutraceutical sellers, debt relief and credit repair services with proper licensing, crypto education and analytics platforms (not exchange/trading), legitimate adult services with age verification, financial education with disclosure, political non-profits operating inside regulation, MLM/direct sales operating legally, and international operators whose legitimate cold outreach trips US-centric risk algorithms. We will ask about your business during onboarding and set expectations before taking your money. About 1 in 4 prospects we onboard for Bulletproof; the other 3 either fit a normal SaaS just fine or want something we will not provide.

Is this for spam?

No. If you came here looking to send mail to purchased or scraped lists, please use someone else. We screen for that during onboarding and decline business that fits the pattern. The verticals we serve are legal businesses with consenting recipients; we do not serve unconsented bulk regardless of vertical. Bulletproof means "bulletproof against reflexive suspension for legitimate senders", not "anything goes". Three patterns disqualify a prospect immediately on the discovery call: scraped lists, purchased lists, and any indication of phishing-adjacent content.

What jurisdictions are the servers in?

For this product we default to the Netherlands and Bulgaria, where abuse handling is well-regulated but not reflexive, and due process exists. Both jurisdictions combine strong legal frameworks (GDPR, EU directives) with courts that actually examine the merits of takedown requests rather than rubber-stamping them. We can provide other jurisdictions on request — Moldova, Luxembourg, Romania, Estonia — subject to the nature of your content and the regulatory match for your business. We do not host from countries where rule of law is weak even when clients ask, because weak-rule-of-law jurisdictions are unpredictable for you and reputationally damaging for our other clients.

Do you cooperate with law enforcement?

Yes, when presented with valid legal process from the jurisdiction where the server lives. We do not disclose client data based on informal requests, third-country requests or vague "takedown notices". We expect due process and follow it. The Netherlands and Bulgaria both have well-developed mutual legal assistance frameworks that handle cross-border requests through proper channels — the practical implication for clients is that requests must come through Dutch or Bulgarian courts, not via email from a foreign agency. If a request is valid, we comply; if it is informal or doctrinally improper, we push back. This is the policy our clients are paying for.

How does this compare to SendGrid Pro / Mailgun Scale / Amazon SES at the same price?

On raw infrastructure capability, the major SaaS relays are excellent products — they will deliver mail at any reasonable volume with strong analytics, auth handling and dashboards. The difference is the policy layer. SendGrid Pro at $89.95/mo, Mailgun Scale at $90+/mo, and Amazon SES at $0.10/1000 emails will all suspend your account if a trigger fires that does not match their conservative risk profile, with limited recourse. Bulletproof SMTP at €149/mo is more expensive on the surface, but the cost of one SaaS hard-deplatform event (lost revenue during transition, list damage, reputation reset on new provider, brand impact) typically runs $10K-25K for a serious operator. The math: if you have any meaningful chance of being deplatformed, the proactive premium is cheaper than the reactive recovery.

What is included in the €149/mo baseline?

Managed PowerMTA 6.0 instance, 1 dedicated IPv4 with rDNS and full authentication setup (SPF, DKIM, DMARC, MTA-STS), Netherlands or Bulgaria hosting, 30-day warm-up period, real-human abuse handling, written escalation policy, monthly compliance review, and direct line to a human operator (not a chatbot or ticket queue). For higher volumes, additional IPs run $22.95/each (same as our regular dedicated email IP pricing) and /29 subnets run $137.70/mo for 6 usable IPs. Setup fee is €299 one-time. We can also configure dedicated PowerMTA clusters with custom routing for clients above 5M monthly sends — discussion on the discovery call.

What about content the AUP prohibits — can I get an exception?

No. The AUP categories we refuse (CSAM ever, phishing, credential harvesting, fake-pharma spam, financial fraud, political disinformation, malware distribution, scraped lists, purchased lists) have no exception process. These are non-negotiable because they damage other clients sharing infrastructure with you, expose us to legal liability that compromises our ability to defend any client, and represent the kind of activity that gives "bulletproof hosting" a deserved bad name. The legitimate verticals we do serve — including ones SaaS deplatforms — generate real complaint floors that we manage; the prohibited categories generate complaint patterns that overwhelm legitimate complaint signals and damage everyone.

Do you accept cryptocurrency payment?

Yes. We accept BTC, ETH, USDT (ERC-20 and TRC-20), USDC, and a few other major stablecoins. The reason is operational — wire transfers from regulated industries (cannabis, firearms retail, certain crypto businesses) sometimes hit bank-side compliance issues that delay or block payment for legitimate businesses doing legal work in their jurisdiction. Crypto provides a payment channel that is auditable on-chain, settles fast, and avoids those bank-side issues. Wire transfer and credit card are also supported for clients without those issues.

Can you guarantee no suspension ever?

No, and any provider that promises this is lying. Three categories of event can lead to suspension or termination: a valid legal process we are required to comply with (warrant, court-ordered seizure), a discovered AUP violation that the client refuses to cure, or imminent legal emergency that requires immediate action (active phishing campaign mid-flight). What we guarantee is that no automated trigger, no unverified complaint, no informal third-country request, and no algorithmic risk-score change will trigger suspension. Suspensions happen only after human review, written notice (where legally possible), and reasonable cure period.

What happens during a complaint surge — do you cut me off automatically?

No. Complaint surges are normal during certain campaign types (price changes, policy updates, breakage notifications) and are not by themselves grounds for suspension. Our standard response: monitoring dashboards alert us, a human operator reviews the surge in context (volume profile, content shipping, list segment), we contact you within 4 hours to confirm context and discuss any throttling needed. If the surge reflects a legitimate operational event, we throttle proactively to protect IP reputation but do not suspend; if it reflects an AUP violation that came to light, we discuss remediation. The policy contrasts with SaaS providers who suspend on percentage thresholds and require multi-day appeals to restore service.

Chat with us on WhatsApp