fairlane.systems

BREVO · HOW-TO

Set up Brevo SMTP: DNS, DKIM, DMARC, Nodemailer test and bounce webhooks (May 2026)

Step-by-step guide from DNS records via Hetzner firewall whitelisting to a Nodemailer test, with production tips for dedicated IP and bounce webhook in n8n.

Researched & fact-checked by: · As of: 2026-05

What is this about?

This guide takes an SME IT from an empty domain to a production-ready email pipeline. You register a Brevo account with EU hosting, set SPF, DKIM and DMARC in Cloudflare DNS, whitelist Brevo IPs in the Hetzner firewall, test sending with Nodemailer and configure the bounce webhook for n8n. The result is a mail pipeline delivering 95-98% to the inbox.

The guide targets three use cases. First: a fiduciary application that automatically sends client communication (login, reminders, quarterly mail). Second: an SME with its own website and contact form forwarding entries to sales by mail. Third: an n8n workflow sending mail on trigger events (e.g. dunning reminders, lead welcome).

Prerequisites: a domain managed in Cloudflare (DNS, not web proxy), a Brevo account (free is enough to test, Starter EUR 19/month for production), an application that speaks SMTP (Node.js + Nodemailer in the example; PHP + PHPMailer, Python + smtplib or n8n + Send Email Node work analogously). Setup time: 2-4 hours net plus 24-48 hours DNS propagation.

Why DNS setup matters so much

Email delivery has been a DNS game since 2024. Gmail and Yahoo introduced strict SPF/DKIM/DMARC requirements in February 2024; Microsoft (Outlook, Office 365) followed in 2025. A domain without correctly set DNS records lands in spam 60-80% of the time – regardless of content cleanliness or sender provider.

Specifically: SPF must list the authorised senders (Brevo, possibly Bexio for invoices, possibly your own server for system mail). DKIM cryptographically signs every mail so Gmail can verify the domain actually allowed the send. DMARC tells recipients what to do with SPF/DKIM failures (quarantine or reject) and delivers reports on which IPs send in your name – important for spoofing detection.

The second lever is EU hosting for compliance. Brevo (formerly Sendinblue) hosts in France (Paris and Strasbourg, AWS eu-west-3 / OVH). For Swiss applications under professional secrecy or revDSG: no US provider in the transit chain for transactional mail. A TIA (transfer impact assessment) gets simpler because no US cloud is in the path. Versus Postmark or Mailgun (both US hosting), Brevo is the clean path for DACH SMEs.

The third point is bounce handling. Anyone failing to remove hard bounces (non-existent addresses) from the sender list erodes reputation. Brevo does that automatically and delivers webhook events for bounce, complaint, delivered, opened, clicked – these events land in n8n and trigger follow-up actions (e.g. mark address as invalid in CRM, or kick off manual review on spam complaint).

How the pipeline is structured

The architecture has four layers: Brevo account and SMTP key, DNS records in Cloudflare, application config with Nodemailer, bounce webhook in n8n.

Brevo account: free plan is enough to test (300 mails/day, 9,000/month). For production Starter at EUR 19/month (20,000 mails/month, no Brevo footer branding). Confirm EU hosting at account setup (cannot be changed later). Generate the SMTP key under "SMTP & API → SMTP" – a dedicated key for SMTP auth, not the account password.

DNS records in Cloudflare: four entries, all DNS-only (grey cloud). SPF record as TXT on @: `v=spf1 include:spf.brevo.com -all`. DKIM record as TXT on `mail._domainkey`: the value comes from the Brevo dashboard, an RSA public key representation in p=... format. DMARC record as TXT on `_dmarc`: initially `v=DMARC1; p=none; rua=mailto:[email protected]; pct=100`, after 14 days of observation move to `p=quarantine`, later `p=reject`. Optionally: BIMI record for logo display in Gmail/Yahoo (requires VMC certificate, ~USD 1,500/year – usually not relevant for SMEs).

Application config: in Node.js with the Nodemailer library. createTransport with host `smtp-relay.brevo.com`, port 587 (STARTTLS) or 465 (SMTPS), user the Brevo account email, pass the SMTP key from step 1. The From header MUST be a validated sender address on the domain (e.g. [email protected]) or Brevo rejects. Reply-To can be another address, e.g. for replies to sales or support.

Hetzner firewall whitelisting: if the application runs on Hetzner with restricted outbound ports (587/465 outbound), the firewall must allow Brevo IPs. Brevo publishes the IP range at status.brevo.com – as of May 2026 essentially 4 /24 blocks. In the Hetzner cloud firewall allow outbound TCP 587 (or simpler: allow outbound 587 in general, less sensitive than inbound).

Bounce webhook in n8n: in Brevo under "Settings → Webhooks" create a new webhook. URL: an n8n workflow with a webhook trigger node. Events: hardBounce, softBounce, complaint, delivered, opened, clicked. The workflow filters on hardBounce and complaint, writes to a Postgres table and marks the address as invalid in the internal CRM.

Test and monitoring: before go-live, once at Mail-Tester.com – score must be 10/10, otherwise DNS records are wrong. Monthly glass-box test via GMX/Web.de/Gmail/Outlook: do mails land in the inbox? The Brevo dashboard shows delivery rate (target > 95%), bounce rate (target < 2%), spam rate (target < 0.1%). Alarm on spam rate > 0.1% – can lead to account suspension.

Set up Brevo SMTP in 11 steps

  1. 01Step 1 – create Brevo account: at brevo.com create an account. In account settings confirm "EU Data Hosting" (cannot be changed later). Complete identity verification (phone, business address) – Brevo checks first-timers manually, may take 24-48h.
  2. 02Step 2 – add sender domain: in the Brevo dashboard "Senders & IP → Domains" → "Add a domain". Enter the domain (your-domain.ch). Brevo shows DNS records to set: SPF, DKIM, a Brevo verification TXT.
  3. 03Step 3 – set DNS records in Cloudflare: open Cloudflare DNS, select the domain. SPF as TXT on @: `v=spf1 include:spf.brevo.com ~all` (initial ~all = soft fail, later -all = hard fail). DKIM as TXT on `mail._domainkey` with the p=... value supplied by Brevo. Set the Brevo verification TXT. All as DNS-only (grey cloud), not proxied.
  4. 04Step 4 – set DMARC: TXT record on `_dmarc`: `v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1; pct=100`. Important: `p=none` initially for 14 days of observation. Set up a DMARC mailbox (Brevo itself or your own) to receive aggregate reports.
  5. 05Step 5 – verify DNS propagation: `dig TXT your-domain.ch +short`, `dig TXT mail._domainkey.your-domain.ch +short`, `dig TXT _dmarc.your-domain.ch +short`. When values appear, click "Verify" in the Brevo dashboard. With Cloudflare typically 5-30 minutes, rarely up to 24h.
  6. 06Step 6 – generate SMTP key: in Brevo under "SMTP & API → SMTP" → "Generate a new SMTP key". Name it (e.g. "production-fairlane"). Copy the key, store safely in the application .env (`BREVO_SMTP_KEY=xkeysib-...`). User is the account email.
  7. 07Step 7 – allow Hetzner outbound 587/465: in the Hetzner cloud console open the server firewall, allow outbound TCP 587 (STARTTLS) and 465 (SMTPS) to 0.0.0.0/0. Alternatively whitelist only the Brevo IPs from status.brevo.com.
  8. 08Step 8 – Nodemailer test: Node.js test script: `const nodemailer = require("nodemailer"); const t = nodemailer.createTransport({host:"smtp-relay.brevo.com",port:587,secure:false,auth:{user:process.env.BREVO_USER,pass:process.env.BREVO_SMTP_KEY}}); await t.sendMail({from:"[email protected]",to:"[email protected]",subject:"Brevo test",text:"Hello, this is a test."});`. Fetch the Mail-Tester.com score – must be 10/10.
  9. 09Step 9 – production tips dedicated IP: above 100k mails/month book a dedicated IP pool (Brevo Business, EUR 25 extra per IP). Reputation warm-up over 4-8 weeks: days 1-7 below 1,000 mails, days 8-14 below 5,000, then ramp linearly. Without warm-up the new IP starts in spam.
  10. 10Step 10 – bounce webhook in n8n: in Brevo under "Settings → Webhooks" a new webhook. URL: n8n webhook endpoint (e.g. https://n8n.your-domain.ch/webhook/brevo-bounces). Events: hardBounce, complaint. In n8n: webhook trigger → IF on event=="hardBounce" → Postgres insert into invalid_emails table → CRM API call to mark the address.
  11. 11Step 11 – monitoring and DMARC tightening: after 14 days of observation move DMARC to `p=quarantine`, after 30 more issue-free days to `p=reject`. Check the Brevo dashboard daily for spam rate (target < 0.1%) and delivery rate (target > 95%). Alert via Telegram on spam rate > 0.05%.

When Brevo is the right tool

Brevo fits when (a) volume sits between 300 and 200,000 mails per month, (b) EU hosting is wanted for compliance and (c) the use case is transactional (login, order, invoice, dunning, reminder).

Typical cases: a client platform with 200 login resets per month and 500 quarterly reminders. An n8n workflow that emails sales on each new lead (50 leads/day = 1,500/month). A MyWork.Now booking platform with confirmations.

Above 200k mails/month, AWS SES pays off (USD 0.10 per 1,000 mails) – but that is US hosting. With mandatory EU hosting: Brevo Business plan with dedicated IP pool. For pure marketing newsletters (lists, segmentation, A/B tests), Mailjet or Klaviyo serve better – Brevo's marketing module is not the strongest.

When Brevo is not the right tool

Brevo does not fit when (a) volume is very small (< 50 mails/month) – own mail server or a Gmail SMTP is enough. (b) extremely low latency below 500 ms is required (real-time notifications) – in-app channels or push notifications fit better. (c) heavy marketing sends with complex segmentation are needed – Klaviyo or Customer.io fit better.

More pitfalls: running the free plan in production – the 300/day limit hits, a quarterly reminder wave fails silently. Using the account login password as SMTP password – not rotatable, account lost on leak. Setting DMARC to `p=reject` immediately – before 14 days of observation, legitimate mail gets blocked because a forgotten subdomain SPF is not covered. Ignoring spam complaints – above 0.1% complaint rate Brevo suspends the account.

Trade-offs

STRENGTHS

  • EU hosting in FR – documentable for revDSG/TIA
  • Free plan 300 mails/day is enough for tests and small apps
  • DKIM/SPF/DMARC guided in the dashboard, no own mail-server work
  • Webhook bounce handling out of the box, n8n-ready

WEAKNESSES

  • Price per mail rises above AWS SES from 100k/month onward
  • Suspension on spam complaints above 0.1% – account risk
  • Account approval can take 24-48h
  • Marketing automation is weak compared with Klaviyo

FAQ

What if Mail-Tester.com does not show 10/10?

Three standard issues. (1) SPF does not list all senders: if you also send via Bexio (invoices) or your own mail server, the SPF record must list all three: `v=spf1 include:spf.brevo.com include:_spf.bexio.com mx -all`. (2) DKIM public key not found: DNS propagation not complete (re-dig), or typo in the selector (`mail._domainkey`, not `mail_domainkey`). (3) DMARC missing or syntactically wrong: re-check exact syntax, `v=DMARC1;` at the start is required.

Do I need a dedicated IP?

Only from about 100,000 mails per month. Below that, Brevo's shared IP reputation is better than a cold dedicated IP. Pros of dedicated: full reputation control (no co-senders can damage). Cons: 4-8 weeks of warm-up, no DKIM protection if volume stays small. Rule of thumb: go dedicated only once you consistently send > 50k mails/month and have measurable issues on the shared IP.

What to do if the account gets suspended?

Cause almost always: spam complaint rate > 0.1% or hard bounce rate > 5%. On suspension: (1) contact Brevo support (typically reply within 24h). (2) analyse the last 7 days of logs, identify problematic senders or content. (3) export the bounce list and delete all hard bounces from your own database. (4) restart with a clear plan and reduced volume. Working prophylactically: monthly bounce cleanup and mail content review.

Brevo vs AWS SES vs Postmark?

Brevo: EU hosting, EUR 19/month fixed, good UI, useful free tier. AWS SES: USD 0.10 per 1,000 mails, cheap at volume, US hosting (Frankfurt region available as eu-central-1), thin UI. Postmark: USD 15/month for 10,000 mails, very fast delivery, US hosting. For a Swiss SME with revDSG sensitivity: Brevo. For pure cost optimisation with US acceptance: SES eu-central-1.

Related topics

BREVO · TECH STACKBrevo SMTP: transactional email from EU hosting for SME appsCLOUDFLARE · TECH STACKCloudflare as DNS, reverse proxy, and WAF: SSL modes, cache rules, origin certificatesHETZNER · TECHHetzner as EU hosting for Swiss fiduciaries and SMEs: data centres, contracts, costN8N · TECHn8n: workflow automation with 600+ integrations, self-hostable under EU lawCLOUDFLARE · HOW-TOSet up Cloudflare with your own domain: DNS, SSL, WAF, Workers KV and Tunnel (May 2026)N8N · HOW-TOn8n self-host with Bexio integration: from Docker-Compose to a dunning workflow (May 2026)revDSG · COMPLIANCErevDSG / revFADP and AI: what the revised Swiss Data Protection Act means for LLM use

Sources

  1. Brevo Documentation – SMTP relay configuration · 2026-05
  2. Brevo – EU Data Protection and GDPR commitments · 2026-04
  3. Google – Email sender guidelines (SPF/DKIM/DMARC since 2024) · 2026-03
  4. Mail-Tester.com – Inbox placement scoring · 2026-05
  5. Nodemailer documentation – SMTP transport options · 2026-04

FITS YOUR STACK?

What this looks like in your business – a 30-minute intro call.

Book a call