Channels
Create and configure email channels with provider settings, sender identity, and rate limits.
Channels
Channels are the delivery infrastructure for your emails. Each channel connects CeramicCRM to an email provider (Amazon SES, SMTP, or MTA-API) and defines the sender identity, rate limits, and tracking settings.
Creating a Channel
- Log in to CeramicCRM
- Navigate to Channels in the left sidebar
- Click Create Channel
- Fill in the configuration sections described below
- Click Create
- Click Activate to enable the channel for sending
Channel Configuration
Basic Information
| Field | Required | Description |
|---|---|---|
| Name | Yes | A descriptive name for the channel (e.g., "Production Marketing Email") |
| Description | No | Internal notes about the channel's purpose |
| Channel Type | Yes | Currently only Email is supported |
| Use Case | Yes | Marketing (campaigns), Transactional (system emails), or OTP (one-time passwords) |
Provider Configuration
Select your email provider and enter the credentials. Each provider requires different fields.
Amazon SES
The recommended provider for production use. See Amazon SES Setup for the full setup tutorial including IAM user creation and domain verification.
| Field | Required | Description |
|---|---|---|
| AWS Region | Yes | The AWS region where your domain is verified (e.g., eu-north-1, us-east-1) |
| Access Key ID | Yes | IAM user access key with ses:SendEmail permission |
| Secret Access Key | Yes | IAM user secret key (encrypted at rest with AES-256-GCM) |
| Configuration Set | No | SES Configuration Set name for bounce/delivery tracking |
Provider Config JSON (for API usage):
{
"region": "eu-north-1",
"access_key_id": "AKIA...",
"secret_access_key": "wJalr...",
"configuration_set_name": "ceramiccrm-tracking"
}SMTP
Connect to any standard SMTP server (Mailgun, SendGrid, Postmark, your own mail server, etc.).
| Field | Required | Description |
|---|---|---|
| Host | Yes | SMTP server hostname (e.g., smtp.mailgun.org, smtp.sendgrid.net) |
| Port | Yes | SMTP port: 587 (STARTTLS), 465 (TLS), or 25 (unencrypted) |
| Username | Yes | SMTP authentication username |
| Password | Yes | SMTP authentication password (encrypted at rest) |
| TLS | No | Enable direct TLS connection (port 465) |
| StartTLS | No | Enable STARTTLS upgrade (port 587, recommended) |
| Auth Method | No | Authentication method: PLAIN (default), LOGIN, or CRAM-MD5 |
Provider Config JSON (for API usage):
{
"host": "smtp.mailgun.org",
"port": 587,
"username": "postmaster@yourdomain.com",
"password": "your-smtp-password",
"start_tls": true,
"auth_method": "PLAIN"
}MTA-API
Connect to an HTTP-based mail transfer agent API.
| Field | Required | Description |
|---|---|---|
| Base URL | Yes | The MTA API endpoint (e.g., https://mta.yourdomain.com) |
| API Token | Yes | Authentication token for the MTA API (encrypted at rest) |
Provider Config JSON (for API usage):
{
"base_url": "https://mta.yourdomain.com",
"api_token": "your-api-token"
}Sender Configuration
These fields define the sender identity that recipients see.
| Field | Required | Description |
|---|---|---|
| From Email | Yes | The sender email address (e.g., noreply@yourdomain.com). Must use a verified domain. |
| From Name | Yes | The display name recipients see (e.g., CeramicCRM, Your Company) |
| Reply-To Email | No | Where replies go. If empty, replies go to the From Email address. |
| Sending Domain | No | Your verified sending domain (e.g., yourdomain.com). Used for DNS verification and domain authentication. |
Throttling (Rate Limits)
Control how fast emails are sent through this channel. This prevents overwhelming your email provider and helps maintain sender reputation.
| Field | Default | Max | Description |
|---|---|---|---|
| Messages Per Second | 50 | 10,000 | Maximum emails sent per second. This is the primary rate control — enforced during campaign execution. |
| Messages Per Hour | 100,000 | 10,000,000 | Hourly sending cap. |
| Daily Limit | 1,000,000 | 10,000,000 | Maximum emails per day. |
| Burst Size | 100 | 10,000 | Maximum burst of emails in a short window. |
Note: Currently, only Messages Per Second is fully enforced during campaign execution via the token bucket rate limiter. Messages Per Hour, Daily Limit, and Burst Size are stored and validated but not yet enforced as sliding windows. Full enforcement is planned for a future release.
Tracking Settings
| Field | Default | Description |
|---|---|---|
| Track Opens | Off | Insert a tracking pixel to detect when recipients open the email |
| Track Clicks | Off | Wrap links with tracking URLs to detect clicks |
| Custom Tracking Domain | — | Use your own domain for tracking links (e.g., track.yourdomain.com) instead of the default |
Fallback Channel
| Field | Description |
|---|---|
| Enable Fallback | When enabled, if this channel fails to send, the message is retried through the fallback channel |
| Fallback Channel | Select another active channel to use as fallback |
Channel Lifecycle
Status Management
Channels go through these statuses:
| Status | Description |
|---|---|
| Setup | Newly created, not yet activated |
| Active | Ready to send emails |
| Inactive | Manually deactivated, cannot send |
- Activate: Changes status from Setup → Active or Inactive → Active
- Deactivate: Changes status from Active → Inactive
Only Active channels can send emails. Campaigns will fail if their assigned channel is not active.
DNS Verification
When you set a Sending Domain, CeramicCRM checks several DNS records:
| Record | Purpose |
|---|---|
| CERAMICTXT | CeramicCRM's own domain ownership verification. Add a TXT record at _ceramic.yourdomain.com with the value shown in the DNS Authentication panel. |
| SPF | Sender Policy Framework — authorizes your email provider to send on behalf of your domain |
| DKIM | DomainKeys Identified Mail — cryptographic signature proving email authenticity |
| DMARC | Domain-based Message Authentication — policy for handling failed SPF/DKIM checks |
Click Verify on the channel detail page to check all DNS records. See the in-app instructions panel for the exact records to add.
Health Check
Click Health Check on the channel detail page to verify provider connectivity. The health check shows:
- Provider status — green checkmark if healthy, red X if unreachable
- Sending quota — daily limit, sent today, and remaining (for SES)
- Latency — response time to the provider in milliseconds
- Circuit breaker state — whether the provider failover circuit is open or closed
You can also check health via the API:
curl http://localhost:8080/api/v1/channels/{id}/health \
-H "Authorization: Bearer <accessToken>" \
-H "X-Workspace-ID: 1"Creating a Channel via API
You can also create channels programmatically:
curl -X POST http://localhost:8080/api/v1/channels \
-H "Authorization: Bearer <accessToken>" \
-H "X-Workspace-ID: 1" \
-H "Content-Type: application/json" \
-d '{
"name": "Production Email",
"channelType": "email",
"providerType": "ses",
"useCaseType": "marketing",
"providerConfig": {
"region": "eu-north-1",
"access_key_id": "AKIA...",
"secret_access_key": "..."
},
"fromEmail": "noreply@yourdomain.com",
"fromName": "Your Company",
"replyToEmail": "support@yourdomain.com",
"sendingDomain": "yourdomain.com",
"messagesPerSecond": 50,
"trackOpens": true,
"trackClicks": true
}'After creation, activate the channel:
curl -X POST http://localhost:8080/api/v1/channels/{id}/activate \
-H "Authorization: Bearer <accessToken>" \
-H "X-Workspace-ID: 1"Security
- Provider credentials are encrypted at rest using AES-256-GCM with key rotation support
- Credentials are never returned in API responses — the
providerConfigfield is excluded from all GET endpoints - SSRF protection prevents using private/internal IP addresses in provider URLs
Related Documentation
- Amazon SES Setup — detailed AWS setup tutorial
- Campaigns — how to send email campaigns using channels
- Channel API Reference — API endpoint documentation