Email over API

The Infobip Email API allows you to send transactional and marketing emails programmatically using either the HTTP API or the SMTP API. Both options provide secure and scalable ways to deliver personalized, trackable emails to your recipients.

What you can do with the Email API

Use the Email API to:

• Automate transactional notifications, such as order confirmations, password resets, and alerts
• Send personalized marketing campaigns
• Manage bulk email delivery at scale
• Track delivery, opens, and clicks in real time

Prerequisites

Before sending emails over the API, ensure that your sending domain is verified and active in the Infobip system.

You can verify your domain in the User profile section of your Infobip account.

Technical specifications and best practices

• Message size: Maximum 10 MB (including attachments)
• Attachments: Supported types: .pdf, .docx, .xlsx, .txt, .jpg, .png, .gif
• Unsubscribe: Always include an unsubscribe link in marketing emails to comply with anti-spam laws
• Verified sender domains: Ensure DNS and SPF/DKIM records are properly configured for better deliverability
• Rate limits: Check your account’s sending limits to avoid throttling

Choosing between HTTP API and SMTP API

HIPAA-eligible Email API

The Email API supports a dedicated HIPAA-eligible deployment designed for sending messages that contain Protected Health Information (PHI). When using the HIPAA-eligible email endpoint, the platform applies additional safeguards to protect sensitive data throughout message processing and delivery.

HIPAA-eligible email services support the transmission of PHI only within the limits defined in this section. Any feature, functionality, or use case not explicitly listed as supported is excluded from HIPAA-eligible email services and must not be used to transmit, process, or store PHI.

This capability is intended for anyone operating under HIPAA requirements and is used together with appropriate contractual agreements, such as a Business Associate Agreement (BAA).

Key characteristics

• Dedicated HIPAA endpoint for PHI traffic
• Tight data-minimization practices - message payloads and content are not stored or indexed in standard logs
• No content upload to shared content services within the HIPAA flow
• Encrypted handling of attachments and stored artifacts during processing
• Restricted features that could expose message content (for example, browser-based content previews are disabled)

HIPAA-eligible email endpoint [#hipaa-eligible-email-endpoint-hipaa-eligible-email-api]

HIPAA-eligible Email API access is provided exclusively through a dedicated, non-public endpoint available only to customers who have completed Infobip's HIPAA onboarding process.

HIPAA-ineligible services and features [#hipaa-ineligible-services-and-features-hipaa-eligible-email-api]

Email used in combination with other Infobip services is excluded from HIPAA-eligible email services unless explicitly stated otherwise in the relevant product description.

The following services and functionalities are not HIPAA-eligible and must not be used with PHI:

• Inbound emails
• Browser-based viewing of message content
• Default placeholders
  • PHI may be included only in recipient-level placeholders when used with HIPAA-eligible email services
• CallbackData API parameter
• Any public, shared, or link-based access to message content
• Active storage
• Archive storage
• Moments, including People attributes, profiles, and catalogs
• Broadcast and Forms
• Unsupported Flow elements, messaging channels, functions, or integrations not expressly designated as HIPAA.

Storage and retention for HIPAA-eligible email [#storage-and-retention-hipaa-eligible-email-api]

Message retention, storage, and archival capabilities may be restricted or disabled to support HIPAA compliance.

Service provider obligations for HIPAA-eligible email services [#service-provider-obligations-hipaa-eligible-email-api]

When providing HIPAA-eligible Email API services, the service is designed and operated in a manner intended to support compliance with the portions of the HIPAA Rules applicable to business associates.

• Any user interfaces provided for composing, accessing, reviewing, sending, and/or receiving emails are designed and operated in a manner intended to comply with the portions of the HIPAA Rules applicable to business associates
• Systems or mechanisms used for temporary storage of emails on systems controlled by the service provider are designed and operated in a manner intended to comply with the portions of the HIPAA Rules applicable to business associates
• The content of emails sent via the HIPAA-eligible email services is encrypted in transit
• The content of emails is encrypted at rest on systems controlled by the service provider

Customer responsibilities for HIPAA-eligible email services [#customer-responsibilities-hipaa-eligible-email-api]

Customers using HIPAA-eligible Email API services acknowledge and agree that:

• The service provider will attempt to deliver emails to the email addresses provided by the customer
• Such email addresses are typically owned, controlled, or operated by third parties with whom the service provider has no contractual relationship
• Delivery of an email to such third-party email providers may constitute a disclosure of PHI under the HIPAA Rules

Customers are solely responsible for determining:

• Whether any disclosure of PHI to third-party email providers is permitted under 45 C.F.R. §§ 164.502–164.512 and other applicable law
• Whether patient authorization and/or consent is required for such disclosures and, if so, whether legally sufficient authorization and/or consent has been obtained
• Whether the scope of disclosure complies with the minimum necessary and other requirements in 45 C.F.R. § 164.514
• Whether any disclosure complies with other applicable laws