← Back to MailParse

Notification Routing Guide for Backend Developers | MailParse

Notification Routing implementation guide for Backend Developers. Step-by-step with MailParse.

Introduction

Notification routing turns raw emails into actionable events for your product and your team. Backend developers can pull rich signals from inbound messages, route them to Slack or Teams, file tickets, or trigger workflows - all from structured email data. With MailParse, you get instant addresses, a full MIME-to-JSON parse, and delivery by webhook or REST, which fits neatly into server-side pipelines.

This guide digs into notification-routing from a backend perspective. It covers architecture, code patterns, rule evaluation, destination integrations, and production-grade concerns like idempotency, rate limits, retries, and observability. The focus is on practical steps and code that you can take to production quickly.

The Backend Developers Perspective on Notification Routing

Notification-routing looks simple at first - read an email, choose a channel, post a message. In production, the details matter. Common challenges include:

  • Heterogeneous content: HTML bodies, inline images, multipart alternatives, and stitched threads mean you need a robust parse and consistent JSON fields.
  • Rule complexity: Routing is not just subject contains text. It often includes header inspection, attachment presence, authentication results, and tenant-specific policies.
  • Idempotency: Retries and duplicate inbound events happen. You need message fingerprints and dedupe logic to avoid noisy repeats.
  • Multi-tenant isolation: One inbound domain or catchall often serves multiple customer accounts. You need a mapping strategy and strict boundaries.
  • Security: Validate signatures, enforce allowlists, and drop spoofed or unauthenticated messages. Secrets management and encryption should be standard.
  • Rate limits and backpressure: Slack, Teams, and ticketing systems impose limits. Your dispatcher must queue, batch, and retry safely.
  • Observability: Track routing latency, failure rates, dead letters, and destination response codes for operational confidence.

Solution Architecture for Notification Routing

A robust design separates concerns into parsing, rules, dispatch, and observability. A typical backend-friendly flow looks like this:

  • Inbound email is received at a dedicated address, then parsed into JSON with normalized fields for headers, bodies, and attachments.
  • Webhook delivery posts the JSON to your API, or your worker polls REST for new items on a schedule.
  • Rule evaluation runs synchronously or enqueues a job, matching on fields like from, subject, headers, and auth results.
  • Dispatchers send enriched messages to Slack, Teams, PagerDuty, or your internal webhooks, handling retries and rate limits.
  • DLQ and replay catch failures, store minimal payloads, and allow replays when destinations recover.
  • Metrics and logs capture end-to-end timing, routing decisions, and destination responses.

MailParse emits normalized JSON via webhook or supports REST polling, which keeps your application in control of backpressure and failure handling without custom MIME parsing.

Core entities to model

  • InboundAddress - a tenant-scoped address or alias mapping to a destination context.
  • Message - the parsed email with IDs, bodies, headers, and attachments.
  • Rule - declarative conditions that select a destination or workflow.
  • Dispatch - an attempt to deliver a notification, with status and retry counters.
  • DeadLetter - failed dispatch with reason, retry-after, and minimal payload.

Implementation Guide

1) Receive parsed email JSON

Implement a fast, authenticated webhook endpoint. Validate signatures and parse the JSON into your message model. If you prefer pull, schedule a worker to poll the REST feed and enqueue jobs.

{
  "id": "evt_01HX...",
  "timestamp": 1713456789,
  "from": {"name": "Ops Bot", "address": "ops@example.com"},
  "to": [{"address": "alerts@yourapp.io"}],
  "subject": "Build failed on main",
  "text": "Pipeline X failed...",
  "html": "<p>Pipeline X failed...</p>",
  "headers": {
    "message-id": "<abc-123@example.com>",
    "x-github-event": "workflow_run",
    "authentication-results": "spf=pass dkim=pass dmarc=pass"
  },
  "attachments": [
    {
      "filename": "log.txt",
      "contentType": "text/plain",
      "size": 10240,
      "sha256": "f1c9645dbc14efddc7d8a322685f26eb",
      "url": "https://files.service/att/..."
    }
  ]
}

2) Verify webhooks securely

  • Require TLS and an HMAC signature header, for example X-Webhook-Signature = HMAC-SHA256 over the raw body and a shared secret.
  • Check a timestamp header and a narrow time window to prevent replay.
  • Enforce an IP allowlist if feasible.
  • Store secrets in Vault or AWS Secrets Manager, never in source code.
import crypto from "node:crypto";
import express from "express";

const app = express();
app.use(express.raw({ type: "application/json" })); // raw body for HMAC

const secret = process.env.WEBHOOK_SECRET;

app.post("/webhooks/email", (req, res) => {
  const sig = req.header("X-Webhook-Signature") || "";
  const mac = crypto.createHmac("sha256", secret).update(req.body).digest("hex");
  if (!crypto.timingSafeEqual(Buffer.from(sig, "hex"), Buffer.from(mac, "hex"))) {
    return res.status(401).send("invalid signature");
  }
  const payload = JSON.parse(req.body.toString("utf8"));
  // enqueue for async rule evaluation
  res.status(202).send("accepted");
});

3) Build a rule engine

Keep rules declarative to support non-code updates. Store them in Postgres and evaluate in workers. Example rule schema:

CREATE TABLE notification_rules (
  id BIGSERIAL PRIMARY KEY,
  tenant_id BIGINT NOT NULL,
  name TEXT NOT NULL,
  predicate JSONB NOT NULL,  -- e.g. {"header":{"x-github-event":"workflow_run"}}
  destination JSONB NOT NULL, -- e.g. {"type":"slack","webhookUrl":"..."}
  priority INT NOT NULL DEFAULT 100,
  enabled BOOLEAN NOT NULL DEFAULT true
);

Common predicates to support:

  • Header equals or contains - for example x-github-event or list-id.
  • Subject regex - stable patterns to route builds or support cases.
  • From domain allowlist - accept only trusted senders.
  • Attachment presence and type - route exceptions with .log or .json attachments.
  • Authentication results - only route if SPF and DKIM pass.

4) Idempotency and dedupe

Use headers["message-id"], payload id, or a hash of canonical fields to create an idempotency key. Store processed keys for a TTL window to ignore duplicates and to make retries safe.

func idempotencyKey(msg Message) string {
  mid := strings.TrimSpace(msg.Headers["message-id"])
  if mid != "" {
    return "msgid:" + mid
  }
  h := sha256.New()
  io.WriteString(h, msg.Subject)
  io.WriteString(h, msg.From.Address)
  io.WriteString(h, msg.Text)
  return fmt.Sprintf("hash:%x", h.Sum(nil))
}

5) Dispatch to Slack

Format a concise summary with context, include a link to logs or attachments, and respect rate limits. Batch or jitter retries when 429 returns.

import fetch from "node-fetch";

async function postToSlack(webhookUrl, msg) {
  const blocks = [
    { type: "section", text: { type: "mrkdwn", text: `*${msg.subject}*` } },
    { type: "context", elements: [{ type: "mrkdwn", text: `From: ${msg.from.address}` }] },
    { type: "section", text: { type: "mrkdwn", text: truncate(msg.text, 500) } }
  ];
  const res = await fetch(webhookUrl, {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify({ blocks })
  });
  if (res.status === 429) {
    const retryAfter = parseInt(res.headers.get("retry-after") || "1", 10);
    throw new RetryableError(`rate limited`, { retryAfter });
  }
  if (!res.ok) throw new Error(`slack ${res.status}`);
}

6) Dispatch to Microsoft Teams

Teams uses incoming webhook cards. Keep the message short and link to details in your app.

import requests

def post_to_teams(webhook_url, msg):
    card = {
        "@type": "MessageCard",
        "@context": "http://schema.org/extensions",
        "summary": msg["subject"],
        "themeColor": "0078D7",
        "title": msg["subject"],
        "sections": [{
            "facts": [
                {"name": "From", "value": msg["from"]["address"]},
                {"name": "Auth", "value": msg["headers"].get("authentication-results", "n/a")}
            ],
            "text": (msg.get("text") or "")[:600]
        }]
    }
    r = requests.post(webhook_url, json=card, timeout=10)
    if r.status_code == 429:
        raise RuntimeError("rate limited")
    r.raise_for_status()

7) Handle attachments safely

  • Never inline sensitive attachments into chat. Upload to S3 and share a short-lived presigned URL only to authorized users.
  • Compute and record attachment hashes for integrity checks.
  • Enforce size limits and content type allowlists when downloading.
// example S3 presign
import { S3Client, PutObjectCommand } from "@aws-sdk/client-s3";
import { getSignedUrl } from "@aws-sdk/s3-request-presigner";

async function storeAttachment(att) {
  const key = `attachments/${att.sha256}/${att.filename}`;
  // stream download then upload to S3...
  const url = await getSignedUrl(new S3Client({}), new PutObjectCommand({
    Bucket: process.env.BUCKET, Key: key, ContentType: att.contentType
  }), { expiresIn: 3600 });
  return { bucketKey: key, uploadUrl: url };
}

8) Error handling, retries, and DLQ

  • Use exponential backoff with jitter for transient destination errors.
  • Mark non-retryable statuses like 400 as failed immediately.
  • Send failures to a DLQ with the idempotency key and minimal context. Provide operators with a replay tool that pulls from DLQ and re-queues with a new attempt window.

9) REST polling alternative

If you cannot expose a public webhook, poll a REST endpoint on a schedule. Use ETags or since cursors to minimize re-fetching. Process messages in FIFO order, acknowledge only after successful enqueue, and apply the same idempotency keys used for webhooks.

10) Testing strategy

  • Unit test predicates with a suite of sample payloads that cover edge cases - missing headers, non-UTF8 text, and nested multiparts.
  • Run integration tests against Slack and Teams webhooks in a sandbox workspace with artificial rate limit responses injected.
  • Record a golden master set of emails that represent your top senders and formats, then compare normalized JSON fields in CI.

Integration with Existing Tools

Backend teams rarely start from scratch. Here are practical hooks to tie email parsing into your stack:

  • Queueing and workers: Push incoming messages to SQS, RabbitMQ, or Kafka. Use worker pools with concurrency limits per destination to respect rate limits.
  • Workflow engines: For complex escalations, enqueue into Temporal or Celery. Model retries and handoffs as activities with circuit breakers.
  • Config stores: Store rules and destinations in Postgres or Redis. Wrap updates in feature flags for safe rollout.
  • Secrets: Keep Slack and Teams webhooks in Vault or AWS Secrets Manager, rotate regularly, and monitor access.
  • SIEM and audit: Emit structured logs to Datadog or ELK. Include message IDs, rule IDs, and destination response codes.

MailParse fits cleanly into these workflows because it provides consistent JSON and multiple delivery methods. You can run webhook ingestion behind a WAF, or poll in a private network and push into your jobs pipeline without custom MIME handling.

For deeper ideas on where to apply inbound parsing in product workflows, see Top Inbound Email Processing Ideas for SaaS Platforms and Top Email Parsing API Ideas for SaaS Platforms. If you are setting up domains and DNS for notifications, use the Email Infrastructure Checklist for SaaS Platforms to avoid common pitfalls.

Measuring Success

Define KPIs that reflect routing reliability and signal-to-noise ratio. Track them with Prometheus or your preferred stack:

  • End-to-end latency: p50 and p99 from email receipt to destination acknowledgment. Metric example: notify_latency_seconds with labels for destination.
  • Delivery success rate: percentage of messages acknowledged by Slack or Teams. Metric example: notify_dispatch_success_total and notify_dispatch_fail_total.
  • Duplicate suppression: count of deduped events versus total. Metric example: notify_deduped_total.
  • Rule match coverage: percentage of emails that match at least one rule. Alert when unmatched rate exceeds a threshold.
  • Spam and unauthenticated drop rate: messages discarded due to failing SPF or DKIM.
  • Backlog depth: queued dispatch jobs per destination, and time-to-clear following an incident.
  • Cost per routed event: worker time plus external API usage, used to tune batching and rate limits.

Instrument each stage with a correlation ID, typically the email message-id or the event id, to stitch logs and traces across parsing, rules, and dispatch.

Conclusion

Notification routing gives backend-developers a reliable way to turn unstructured email into structured, actionable events across chat and incident tools. By separating parse, rules, and dispatch, and by implementing idempotency, retries, and strong security, your team can ship a resilient pipeline that scales with traffic and organizational complexity. MailParse delivers the normalized email JSON and transport flexibility you need, so you can focus on rules, destinations, and developer experience.

FAQ

How do I secure the webhook endpoint?

Use TLS, validate an HMAC signature over the raw body, require a narrow timestamp window, and keep the secret in a managed store. Enforce an IP allowlist if practical, and return 202 quickly to avoid long-running requests. For extra defense, place the endpoint behind a WAF and apply rate limits per source.

How should I handle malformed or exotic MIME structures?

Rely on the parser's normalized fields and treat missing parts as optional. Always prefer text when available, fall back to sanitizing html with a safe list. Store raw headers for forensic analysis. Add test fixtures for tricky senders, then extend your rule engine predicates to avoid brittle matching on presentation text.

What is the best strategy for multi-tenant routing?

Map each inbound address to a tenant context in your database. Namespacing rules by tenant_id ensures isolation. Sign outgoing notifications with a tenant-scoped key. In logs and metrics, include tenant labels and enforce per-tenant rate limits to prevent noisy neighbors.

How do I avoid rate limits when posting to Slack or Teams?

Use a per-destination queue and worker pool with a small concurrency cap. When you receive 429, honor Retry-After and apply exponential backoff with jitter. Implement a token bucket or leaky bucket algorithm to smooth bursts. Batch similar notifications when possible, linking to a consolidated dashboard for details.

Can I start with webhooks and later move to polling?

Yes. Abstract the input edge behind a message queue. Whether your service pushes to a webhook or you pull via REST, normalize to the same internal job format. When you switch modes, your rules and dispatchers remain unchanged, which makes transitions predictable.

Build, measure, and iterate with a small set of high-value rules first, then expand coverage as patterns emerge. With MailParse providing parsed email JSON and flexible delivery methods, backend engineers can deliver reliable notification-routing without building their own email stack.

Related Articles

Email Deliverability Checklist for SaaS Platforms

This checklist helps SaaS teams ensure reliable email receipt by aligning domain strategy, DNS, SMTP security, MIME parsing, and webhook delivery with produc...

Email Infrastructure Checklist for SaaS Platforms

Use this checklist to design and operate a scalable email infrastructure for SaaS platforms that rely on inbound messages to drive product workflows. It cove...

Email Infrastructure Checklist for Customer Support Teams

This checklist helps customer support leaders build reliable email infrastructure that scales with ticket volume while protecting SLAs. It focuses on MX reco...

Ready to get started?

Start parsing inbound emails with MailParse today.

Get Started Free