All problems
Q8 Messaging & Notifications 28 min read 11 sections
Global Real-Time Notification System — L7 System Design
Deliver push, email, and SMS to a global user base with preferences, fallback policies, and provider-aware retries.
1 Problem Restatement & Clarifying Questions #
Restatement. Build a multi-tenant notification platform that accepts send(user, event) from 100s of internal product services and external tenants, and delivers through push (FCM/APNs), email (SendGrid/SES), and SMS (Twilio/short-code aggregators). Respect per-user channel preferences, quiet hours, category opt-outs. Meet per-priority SLAs. Dedup on ingest and after retry. Provide delivery receipts, webhooks, A/B, template rendering, scheduled sends. 10^8 users, billions/day.
Clarifying questions (I would ask the interviewer — these change the design materially):
| # | Question | Why it changes the design |
|---|---|---|
| Q1 | Tenants: internal product teams (e.g., Gmail, Photos) or external SaaS customers? | Internal → trust payload, simpler RBAC, share infra pool. External → strict multi-tenancy, per-tenant Kafka quotas, chargeback, stricter template XSS review. Assume: both, but start with ~200 internal teams and graduate to external. |
| Q2 | Critical transactional (2FA, security alert, delivery notif) vs marketing/promo ratio? | Transactional must be p99 < 5s with no-loss durability. Marketing is best-effort, bursty, schedulable, subject to global campaign throttling. Assume: 20% transactional, 80% marketing by volume; inverse by priority weight. |
| Q3 | Per-channel SLA commitment? | Push: p99 ingest → attempt < 2s. Email: < 30s. SMS: < 10s (2FA use case). Scheduled: within 30s of schedule_at. |
| Q4 | Regulatory regime? CAN-SPAM (US email), TCPA (US SMS, written consent), GDPR (EU, RTBF, consent proof), CASL (Canada), LGPD (Brazil)? | Forces per-region data residency, consent proof storage (audit 3-7yr depending on regime), unsubscribe-link one-click (RFC 8058), SMS quiet-hours legal minimums (TCPA: no calls 9pm-8am recipient local), and the hard one: right-to-be-forgotten must propagate into provider logs and Kafka compacted topics. |
| Q5 | Multi-region active-active or regional homing per user? | Regional homing (user has a home region) simplifies preferences read-your-write and GDPR residency. Active-active fan-out is what's actually needed for global campaigns. Assume: user home-region for preferences/events; workers are regionally anchored to providers. |
| Q6 | Template system: tenant-authored, with variable substitution + localization (100+ locales)? | Yes — template service is a first-class control plane. Versioned, rolled out via canary. Sandboxed rendering (no code execution; Jinja2-sandboxed or Handlebars, not Python eval). |
| Q7 | Scheduled and campaign sends? | Yes — scheduler service with look-ahead materialization; separate from on-demand path. |
| Q8 | Provider cost sensitivity? | Extreme. SMS is ~$0.0075/msg, email is ~$0.0001/msg. At 10^9 SMS/day that's $7.5M/day. Cost monitoring is first-class, not afterthought. |
| Q9 | Is ordering required within a user? | Generally no — notifications are semantically independent. But within a conversation (e.g., "new message" then "message edited"), last-write-wins deduplication is expected. I'll handle this with collapse keys. |
| Q10 | Does the platform own provider relationships or does the tenant BYO-provider? | Platform owns for shared volume discount, but supports BYO-provider for enterprise tenants with existing contracts. |
Assumptions I'll commit to for the rest of the design (explicitly stated so the interviewer can challenge):
- 10^8 DAU, 10^9 MAU, 10^10 notifications/day
- 20% transactional (2×10^9/day), 80% marketing (8×10^9/day)
- 3 regions (US, EU, APAC), user home-region model
- Multi-tenant internal-first; external tenants later
2 Functional Requirements #
In-scope (numbered, will be referenced later):
- FR1 — Transactional send:
send(tenant_id, event)for individual user; idempotent onidempotency_key; p99 ingest→attempt ≤ 5s (critical priority). - FR2 — Campaign / bulk send:
send_campaign(tenant_id, campaign_spec)for a segment of users; throttled; scheduled. - FR3 — Multi-channel fan-out: One event → zero-or-more delivery attempts across {push, email, SMS}, guided by user prefs + event config.
- FR4 — Multi-channel fallback ladder: If push fails (token invalid, app uninstalled), fallback to email; if email bounces, fallback to SMS (for critical only, cost-aware).
- FR5 — User preferences: Per-channel opt-in, per-category opt-in, per-channel quiet hours, timezone-aware.
- FR6 — Quiet hours: Suppress non-critical during recipient-local quiet hours; critical override configurable per category.
- FR7 — Deduplication: Ingest-time (by
idempotency_key) and delivery-time (bydelivery_id = hash(event_id, channel, recipient)). - FR8 — Per-provider rate limiting: Respect FCM/APNs/Twilio/SendGrid quotas; share quota across workers; handle 429s.
- FR9 — Delivery status tracking: States {QUEUED, DISPATCHED, ACCEPTED, DELIVERED, FAILED, BOUNCED, OPENED, CLICKED}; ingest provider webhooks.
- FR10 — A/B testing: Variant selection at send time (template variant A/B); outcome tracking hooked to delivery + open/click events.
- FR11 — Template rendering: Versioned templates per tenant per channel per locale; variable substitution; XSS/injection safe.
- FR12 — Scheduled sends:
schedule_atin future up to 30 days; timezone-aware campaigns. - FR13 — Triggered sends: Listen on tenant's domain events via Kafka; translate to
send(). - FR14 — Provider abstraction: Add/remove providers (e.g., switch primary SMS from Twilio to MessageBird) without tenant changes.
- FR15 — Webhooks to tenant: Notify tenant of delivery milestones (delivered, opened, clicked, failed) via outbound webhook.
Out-of-scope (explicit):
- Contact list hygiene / address validation beyond syntactic (that's a separate CDP problem).
- Unsubscribe link legal text authoring (product / legal owns).
- In-app / WebSocket inbox (separate system — that's a real-time presence problem with different consistency needs; call it out and defer).
- CRM segmentation beyond simple audience queries (delegate to a segmentation service; accept segment result sets).
- Voice / fax / physical mail.
3 NFRs + Capacity Estimate #
3.1 NFRs
| NFR | Target | Notes |
|---|---|---|
| Availability (ingest API) | 99.99% | 52m/yr; regional isolation + graceful degrade |
| Availability (dispatch path) | 99.95% | 4.4h/yr; can retry if dispatch down |
| Durability (critical events) | 11-9s until ack'd to provider | Outbox + Kafka replication (RF=3) |
| Latency — ingest p99 | 50ms | Synchronous to outbox, async to Kafka |
| Latency — critical end-to-end p99 | 5s ingest → provider accept | Transactional |
| Latency — marketing p99 | 60s ingest → provider accept | Acceptable |
| Latency — scheduled | ≤ 30s after schedule_at |
Look-ahead materialization |
| Dedup semantics | Exactly-once effective (at-least-once dispatch + idempotent delivery_id + provider-side collapse) | Full exactly-once is impossible; we design for "user never sees dupes" not "dispatch only fires once" |
| Consistency — preferences | Read-your-write within region; eventual cross-region (< 10s) | Critical: user flips opt-out, must not re-enable |
| Preference read latency p99 | 5ms | Cache-fronted |
| Provider rate-limit compliance | 100% (no 429 bleed to tenant) | Token bucket + back-pressure |
| Cost accounting | Per-tenant, per-channel, per-template, daily | Chargeback + anomaly detection |
3.2 Back-of-envelope math (calculated, not asserted)
Throughput.
- 10^10 notifs/day = 10^10 / 86400 ≈ 1.16 × 10^5 notifs/sec avg
- Peak 10× (US evening + EU morning overlap, or Black Friday) = 1.16 × 10^6 notifs/sec
- Sustained 3× (peak hour) ≈ 3.5 × 10^5 notifs/sec
Per-channel split (assume): Push 60%, Email 30%, SMS 10%.
- Push avg = 70K/s, peak = 700K/s
- Email avg = 35K/s, peak = 350K/s
- SMS avg = 12K/s, peak = 120K/s
Fan-out factor: 1 event → 1.2 delivery attempts avg (some multi-channel). So deliveries/day ≈ 1.2 × 10^10.
Storage.
- Event row ≈ 2KB (template_id, payload JSON, metadata). 10^10 × 2KB = 20 TB/day raw.
- Delivery row ≈ 500B. 1.2 × 10^10 × 500B = 6 TB/day raw.
- With compression (Snappy 3×) and retention (90d hot, 2yr cold): hot ≈ (20+6)/3 × 90 = ~780 TB hot, cold: lifecycle to GCS coldline / S3 Glacier, ~6 PB compressed 2yr.
- Preferences: 10^9 users × ~1KB = 1 TB, fits 1 Spanner instance + Redis cache.
- Templates: 100K templates × 10KB = 1 GB. Trivial — in memory / CDN-edge cached.
Kafka sizing.
- Peak 1.16M msgs/s. At 2KB/msg = 2.3 GB/s ingress. RF=3 → 6.9 GB/s replication.
- Partitions: aim for 20MB/s/partition sustained = 120 partitions per high-priority topic minimum; we'll use 256 for headroom and to parallelize consumers. Priority topics (critical.push, critical.email, critical.sms) get dedicated brokers; promotional.* topics share a separate pool to isolate tail latency.
- Retention: 24h on critical (enough to survive provider outages + replay), 6h on promotional.
- Cluster: ~30 brokers per region, 3 regions.
Provider connection pools.
- FCM: HTTP/2 multiplexed, ~1000 streams per connection, ~100 connections per region × 3 regions = 300K concurrent in-flight calls headroom. Actual steady-state: 70K/s × 0.2s p50 latency = 14K concurrent; plenty.
- APNs: HTTP/2, similar pattern. APNs has per-topic-id connection reuse; separate pool per app bundle id.
- SendGrid: SMTP pool (slow) OR HTTPS API (preferred). 200 connections/region.
- Twilio: HTTPS. Per short-code quota is the bottleneck (1 msg/s/short-code for US A2P 10DLC low trust; 100+ for high-trust brand). We provision 10-100 short codes/long codes; this is the real capacity planning variable — covered in section 7.
Workers.
- Push worker: 1 worker sustains ~2000 dispatches/sec (HTTP/2, async). For 70K/s avg + 700K/s peak, need 350 workers peak, across 3 regions = ~120 per region, autoscaled.
- Email worker: ~500/sec per worker (larger payloads). 35K/s avg / 500 = 70 workers; 700 peak.
- SMS worker: ~200/sec per worker (provider-side serialization). Need 60 steady, 600 peak.
Headroom for failover: sized to 2× so one region can take another's load if one region hard-fails.
4 High-Level API #
4.1 Primary send API (gRPC + HTTP/JSON via Cloud Endpoints)
service NotificationService {
// Transactional / on-demand
rpc Send(SendRequest) returns (SendResponse); // unary
rpc SendBatch(SendBatchRequest) returns (SendBatchResponse); // up to 1000 events
rpc SendCampaign(SendCampaignRequest) returns (SendCampaignResponse); // segment-based
// Preferences (owned by Preference service; exposed for SDK convenience)
rpc UpdatePreferences(UpdatePreferencesRequest) returns (UpdatePreferencesResponse);
rpc GetPreferences(GetPreferencesRequest) returns (GetPreferencesResponse);
// Status
rpc GetDeliveryStatus(GetDeliveryStatusRequest) returns (GetDeliveryStatusResponse);
rpc StreamDeliveryEvents(StreamRequest) returns (stream DeliveryEvent); // tenant-side consumer
}
message SendRequest {
string tenant_id = 1; // authenticated principal
string idempotency_key = 2; // required; TTL 24h
string user_id = 3; // tenant-scoped user id
string template_id = 4; // optional if raw_payload given
map<string, string> variables = 5; // template substitutions
repeated Channel channels = 6; // hints; resolver decides final set
Priority priority = 7; // CRITICAL | HIGH | NORMAL | LOW
google.protobuf.Timestamp schedule_at = 8; // optional future send
string category = 9; // for preference filtering (e.g., "security", "promo", "transactional")
string collapse_key = 10; // optional; within window, replace prior
int32 ttl_seconds = 11; // drop if not dispatched within
RawPayload raw = 12; // if no template (trusted tenants only)
map<string,string> metadata = 13; // for audit, cost tagging
ABTestSpec ab_test = 14; // optional variant allocation
}
message SendResponse {
string event_id = 1; // stable, server-generated
SendStatus status = 2; // ACCEPTED | DEDUPED | REJECTED
string dedup_reason = 3;
}
4.2 Idempotency semantics
- Key:
(tenant_id, idempotency_key), TTL 24h, stored in Spanner (strongly consistent) with TTL column + background cleaner. - On duplicate: return the original
event_idandstatus=DEDUPED— client sees idempotent success. - Why Spanner not Redis: dedup must survive cache flush; Redis as optional hot cache in front (5ms p99 vs 25ms). But Redis alone is wrong — failover loses dedup memory, causing double sends on ingress retries. Many teams make this mistake; I've seen a Meta-adjacent incident where a Redis AZ fail caused 400K duplicate SMS in 10 min.
- Alternative considered: client-side UUID with server trust. Rejected — tenants write buggy retry loops that reuse UUIDs on failure, or generate fresh UUIDs on retry. Server-side dedup is non-negotiable.
4.3 Webhook (provider → us)
POST /webhook/<provider>/<tenant?>/ with HMAC signature. Providers have wildly different shapes (SendGrid event array, Twilio form-encoded, FCM doesn't really have webhooks — it has token invalidation reports). Per-provider adapter normalizes to internal DeliveryEvent.
4.4 Tenant outbound webhook (us → tenant)
POST tenant-configured-url with signed body, at-least-once, exponential backoff, DLQ after 24h of failure. Tenants idempotency-key on delivery_id.
5 Data Schema #
5.1 Table design & engine choice
| Table | Engine | Why |
|---|---|---|
events |
Spanner (regional, interleaved under tenants) | Need strong consistency for idempotency dedup + transactional ingest; schema evolution via DDL; cross-table TX with outbox |
outbox |
Spanner (same DB, same TX as events) | Transactional outbox pattern — event+outbox in one TX or neither |
deliveries |
Cassandra (or Bigtable) wide-row by event_id | High-write, append-only, no relational joins needed; per-event delivery timeline fits wide-row; TTL built-in |
user_preferences |
Spanner (authoritative) + Redis (cache) | Rare writes, heavy reads on hot path; need RYW |
preference_change_log |
Spanner (audit) | Consent proof for GDPR/TCPA — 7yr retention, tamper-evident |
templates |
Spanner (authoritative) + CDN/edge cache | Versioned, small, cacheable; atomic publish |
provider_state |
Redis Cluster (ephemeral counters) + Spanner (persistent config) | Rate-limit counters are hot and transient; config is rare-write |
campaigns |
Spanner | Schedules, segment refs, progress tracking |
delivery_status_aggregates |
Bigtable (time-series) | Per-tenant/template/channel/region rollups for analytics |
5.2 Schemas (illustrative, not exhaustive)
-- Spanner: events
CREATE TABLE events (
tenant_id STRING(64) NOT NULL,
event_id STRING(36) NOT NULL,
idempotency_key STRING(128) NOT NULL,
user_id STRING(64) NOT NULL,
template_id STRING(64),
category STRING(64) NOT NULL,
priority INT64 NOT NULL,
payload_json BYTES(MAX), -- pre-rendered NOT stored; variables only
variables_json BYTES(MAX),
channels_requested ARRAY<STRING(16)>,
schedule_at TIMESTAMP,
collapse_key STRING(128),
ttl_seconds INT64,
status STRING(16), -- ACCEPTED, DEDUPED, FAILED_VALIDATION
created_ts TIMESTAMP NOT NULL OPTIONS (allow_commit_timestamp=true),
region STRING(8) NOT NULL,
) PRIMARY KEY (tenant_id, event_id),
ROW DELETION POLICY (OLDER_THAN(created_ts, INTERVAL 90 DAY));
-- Secondary index for idempotency lookup
CREATE UNIQUE INDEX events_idem ON events(tenant_id, idempotency_key);
-- Spanner: outbox (same DB as events, enables same transaction)
CREATE TABLE outbox (
shard_id INT64 NOT NULL, -- 0..N-1 for parallel CDC readers
seq INT64 NOT NULL OPTIONS (allow_commit_timestamp=true),
event_id STRING(36) NOT NULL,
tenant_id STRING(64) NOT NULL,
priority INT64 NOT NULL,
kafka_topic STRING(64) NOT NULL,
payload_ref STRING(256), -- pointer back to events row (no duplication)
published BOOL DEFAULT (false),
) PRIMARY KEY (shard_id, seq);
-- Cassandra: deliveries (wide row per event)
-- CREATE TABLE deliveries (
-- event_id uuid,
-- delivery_id text, -- hash(event_id, channel, recipient)
-- channel text,
-- provider text,
-- recipient_hash blob, -- not raw PII
-- status text,
-- attempts int,
-- last_error text,
-- first_attempt_ts timestamp,
-- last_status_ts timestamp,
-- provider_message_id text,
-- PRIMARY KEY (event_id, delivery_id)
-- ) WITH CLUSTERING ORDER BY (delivery_id ASC)
-- AND default_time_to_live = 7776000; -- 90 days
-- Secondary query pattern: status by (tenant, time). Solved via a second Cassandra table
-- indexed by (tenant_id, date_bucket_hour) → delivery_ids, written async.
Note on PII storage: We store recipient_hash (salted SHA-256 per tenant) for deduplication / reconciliation, NOT raw email/phone/token. Raw recipient lives in the deliveries row only long enough to dispatch; after DELIVERED or terminal FAILED, a privacy worker rewrites the row to hash-only. This is the pattern I championed on Privacy Infra — store the minimum, rotate to minimized form at earliest moment. Section 10 covers right-to-be-forgotten propagation.
5.3 Outbox pattern (mission-critical detail)
The ingest API does one Spanner transaction:
BEGIN TX
INSERT INTO events (...); -- fails on unique idempotency_key → dedup
INSERT INTO outbox (shard_id=hash(event_id)%N, ...);
COMMIT
Separate Debezium-style CDC reader (or Spanner Change Streams) tails the outbox table per shard, publishes to Kafka, marks published=true or deletes. If the publisher crashes mid-publish, on recovery it re-reads unpublished rows — at-least-once to Kafka. Kafka idempotent producer + transactional producer across outbox-mark gives effectively-once to Kafka.
Why not dual-write (write DB + write Kafka)? Because if Kafka is down or slow and the DB write succeeded, you either (a) lose the event, or (b) your API blocks on Kafka. Neither acceptable. The outbox decouples tenant-visible ack (DB commit) from Kafka health.
6 System Diagram — Centerpiece #
6.1 High-level (label every arrow: protocol, events/s at peak, latency target)
┌────────────────────────────────────────────────────────────┐
│ CONTROL PLANE (per region) │
│ │
│ ┌──────────────┐ ┌────────────────┐ ┌────────────────┐ │
│ │ Template Svc │ │ Preference Svc │ │ Scheduler Svc │ │
│ │ (Spanner + │ │ (Spanner + │ │ (Spanner + │ │
│ │ CDN cache) │ │ Redis cache) │ │ time-bucket) │ │
│ └──────┬───────┘ └────────┬───────┘ └────────┬───────┘ │
│ │ │ │ │
│ ┌──────┴───────┐ ┌────────┴───────┐ ┌────────┴───────┐ │
│ │ Campaign Svc │ │ Consent/Audit │ │ Cost Monitor │ │
│ │ (segment API │ │ (7yr retain) │ │ (per tenant, │ │
│ │ + throttle) │ │ │ │ per channel) │ │
│ └──────────────┘ └────────────────┘ └────────────────┘ │
└────────────────────────────────────────────────────────────┘
▲
│ gRPC reads (≤5ms p99 cached)
│
Product services HTTP/gRPC, 350K req/s peak │
(Gmail, Photos, ──────────────────────────────────┼──────────► ┌──────────────────────┐
Calendar, ...) TLS+mTLS, JWT tenant auth │ │ Ingest API Tier │
│ │ (stateless, 200 │
External tenants ────────────► Edge LB ───► WAF ───┴──────────►│ pods/region, │
(via public API) + rate limit │ autoscaled) │
│ │
│ 1. Authn/authz │
│ 2. Schema validate │
│ 3. Idempotency check │
│ 4. Dedup window check│
│ 5. Spanner TX: │
│ event + outbox │
│ 6. Return ACCEPTED │
└──────────┬───────────┘
│ p99 50ms
│
┌───────────▼─────────────┐
│ Spanner (regional) │
│ events + outbox + idem │
│ in same TX │
└───────────┬─────────────┘
│ Change Stream /
│ Debezium tail
│ (at-least-once)
▼
┌──────────────────────────────┐
│ Outbox Publisher │
│ (CDC → Kafka, idempotent │
│ producer, tx markers) │
└──────────────┬───────────────┘
│ Kafka proto
│ 1.16M msgs/s peak
▼
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ KAFKA CLUSTER — PRIORITY-PARTITIONED TOPICS │
│ │
│ critical.push critical.email critical.sms │
│ [256 partitions, RF=3, 24h retention, dedicated brokers, min.isync.replicas=2] │
│ │
│ high.push high.email high.sms │
│ [128 partitions, RF=3, 12h retention] │
│ │
│ promo.push promo.email promo.sms │
│ [64 partitions, RF=3, 6h retention, shared broker pool, can lag independently] │
│ │
│ delivery.status provider.webhook dlq.{channel}.{reason} │
└─────────────────────────────────────────────────────────────────────────────────────────┘
│
┌───────────────────┼───────────────────┐
│ │ │
▼ ▼ ▼
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ Fan-out Resolver│ │ Fan-out Resolver│ │ Fan-out Resolver│
│ (push workers) │ │ (email workers) │ │ (sms workers) │
│ │ │ │ │ │
│ Per consumer: │ │ │ │ │
│ 1. Load prefs │ │ │ │ │
│ (Redis 1ms) │ │ │ │ │
│ 2. Quiet hours │ │ │ │ │
│ check (+tz) │ │ │ │ │
│ 3. Category │ │ │ │ │
│ opt-out │ │ │ │ │
│ 4. Resolve │ │ │ │ │
│ device toks /│ │ │ │ │
│ email / phn │ │ │ │ │
│ 5. Render │ │ │ │ │
│ template │ │ │ │ │
│ 6. Compute │ │ │ │ │
│ delivery_id │ │ │ │ │
│ 7. Dedup check │ │ │ │ │
│ (Bloom+Redis)│ │ │ │ │
│ 8. Write delv. │ │ │ │ │
│ row QUEUED │ │ │ │ │
│ 9. Token bucket │ │ │ │ │
│ (per provdr) │ │ │ │ │
│ 10. Dispatch │ │ │ │ │
└────────┬────────┘ └────────┬────────┘ └────────┬────────┘
│ HTTP/2 │ HTTPS /SMTP │ HTTPS
│ async │ │
▼ ▼ ▼
┌──────────┐ ┌──────────┐ ┌──────────┐
│ FCM/APNs │ │ SendGrid │ │ Twilio / │
│ (Google/ │ │ / SES │ │ Bandwidth│
│ Apple) │ │ │ │ / MsgBrd│
└────┬─────┘ └────┬─────┘ └────┬─────┘
│ │ │
│ webhook / pull │ webhook (event[]) │ webhook (TwiML)
│ (token invalidation)│ │
▼ ▼ ▼
┌───────────────────────────────────────────────────────────┐
│ Provider Webhook Gateway │
│ - HMAC verify per provider │
│ - normalize → DeliveryEvent │
│ - publish to Kafka: delivery.status │
│ - dedupe webhook replay (provider sometimes re-sends) │
└─────────────────────────────┬─────────────────────────────┘
│ Kafka
▼
┌───────────────────────────────────────────────────────────┐
│ Delivery Status Aggregator │
│ - Upserts Cassandra deliveries row (status, ts) │
│ - Triggers fallback ladder if terminal failure + critical│
│ - Publishes to tenant outbound webhook queue │
│ - Feeds analytics pipeline + cost monitor │
│ - Starts RECONCILIATION if DISPATCHED → no webhook in T │
└───────────────────────────────────────────────────────────┘
6.2 Sub-diagram: Ingest durability path (zoom-in)
Client retries same idempotency_key
│
▼
┌─────────────────────────┐
│ Ingest API pod │
│ (stateless) │
│ │
│ Optimistic path: │
│ 1. Redis GET idem_key │───(hit)──► return cached event_id, DEDUPED
│ (5ms p50) │
│ 2. Miss → Spanner TX: │
│ a. INSERT events │───(unique violation)──► SELECT event_id, return DEDUPED
│ b. INSERT outbox │ (rare but must handle)
│ c. COMMIT │
│ 3. Redis SETEX idem │ (best-effort post-commit)
│ (24h) │
│ 4. Return event_id │
└─────────────────────────┘
│
▼ (async, decoupled from request path)
┌─────────────────────────┐
│ Outbox Publisher │
│ (per shard, 256 shards)│
│ │
│ Loop: │
│ 1. Read Change Stream │ (ordered by commit_ts per shard)
│ 2. For each row: │
│ a. Build Kafka msg │
│ b. Produce to topic │ (idempotent producer, producer_id pinned)
│ selected by │
│ priority+channel │
│ c. On ACK, mark row │
│ published=true │
│ (or delete) │
│ 3. Checkpoint offset │
└─────────────────────────┘
Key guarantee here: If the API returns success, the event is in Spanner. If the publisher dies, on restart it replays from last checkpoint — at-least-once to Kafka, which combined with Kafka's idempotent producer (enable.idempotence=true, producer ID pinned per outbox shard) gives exactly-once into Kafka for the same outbox row.
6.3 Sub-diagram: Fan-out resolver internals (push worker)
Kafka consumer (partition N of critical.push)
│ poll batch of 500
▼
┌─────────────────────────────────────────┐
│ Resolver worker thread pool │
│ │
│ Per event: │
│ ┌─────────────────────────────────┐ │
│ │ Step 1: Preference fetch │ │
│ │ Redis MGET prefs:{user_id} │ │ 1 ms p99 (cache hit >99%)
│ │ Miss → Spanner (5-20ms) │ │
│ │ │ │
│ │ Step 2: Filter │ │
│ │ - Opt-out? → drop, record reason│ │
│ │ - Category blocked? → drop │ │
│ │ - Quiet hours? → either: │ │
│ │ (a) critical + override: go │ │
│ │ (b) else: reschedule to │ │
│ │ scheduler @ quiet_end │ │
│ │ │ │
│ │ Step 3: Recipient resolution │ │
│ │ Device tokens: DeviceRegistry │ │
│ │ (Spanner, 1-N tokens/user, │ │
│ │ with last_seen, platform) │ │
│ │ │ │
│ │ Step 4: Template render │ │
│ │ TemplateSvc (edge-cached), safe │ │
│ │ substitution (no eval) │ │
│ │ │ │
│ │ Step 5: Compute delivery_id │ │
│ │ = sha256(event_id||channel|| │ │
│ │ recipient_hash) │ │
│ │ │ │
│ │ Step 6: Local dedup (bloom) │ │
│ │ Bloom seen recently? │ │
│ │ No → Redis SETNX delivery_id │ │
│ │ (TTL = event ttl + slack) │ │
│ │ Success → proceed │ │
│ │ Failure → already dispatched, │ │
│ │ record DEDUPED │ │
│ │ │ │
│ │ Step 7: Rate-limit │ │
│ │ Token bucket from Redis │ │
│ │ (provider-level + tenant-level)│ │
│ │ Out of tokens → reschedule to │ │
│ │ Kafka via delayed topic │ │
│ │ │ │
│ │ Step 8: Write delivery row │ │
│ │ Cassandra deliveries: │ │
│ │ status=QUEUED, attempt=1 │ │
│ │ │ │
│ │ Step 9: Dispatch │ │
│ │ async HTTP/2 → FCM │ │
│ │ on 2xx: status=DISPATCHED │ │
│ │ on 4xx permanent: FAILED │ │
│ │ (trigger fallback ladder)│ │
│ │ on 4xx transient (429): retry │ │
│ │ with backoff, respect │ │
│ │ Retry-After │ │
│ │ on 5xx: DLQ after N attempts │ │
│ │ │ │
│ │ Step 10: Commit Kafka offset │ │
│ │ ONLY after delivery row written │ │
│ │ to Cassandra │ │
│ └─────────────────────────────────┘ │
└─────────────────────────────────────────┘
6.4 Arrow protocol/rate reference
| From → To | Protocol | Peak rate | Latency target |
|---|---|---|---|
| Product svc → Ingest API | gRPC mTLS | 350K rps | p99 50ms |
| Ingest API → Spanner | gRPC | 350K tx/s | p99 25ms |
| Outbox Publisher → Kafka | Kafka protocol | 1.16M msgs/s | p99 10ms produce ack |
| Fan-out → Redis (prefs) | RESP | 1.16M req/s | p99 1ms |
| Fan-out → Spanner (prefs miss) | gRPC | <11K req/s (1% miss) | p99 20ms |
| Fan-out → FCM | HTTP/2 | 700K rps peak | p99 200ms |
| Fan-out → SendGrid | HTTPS | 350K rps peak | p99 400ms |
| Fan-out → Twilio | HTTPS | 120K rps peak | p99 500ms (provider) |
| Provider → Webhook GW | HTTPS | ~500K events/s (delivery+open+click) | p99 100ms intake |
| Webhook GW → Kafka delivery.status | Kafka | 500K/s | p99 10ms |
| Tenant outbound webhook | HTTPS | up to 100K/s | best-effort, retry 24h |
7 Deep Dives (3 topics at L7 depth) #
7.1 Deep Dive A — Exactly-Once-Effective Delivery
Why critical. At 10^10/day, even a 0.1% duplicate rate is 10M duplicate notifs/day. For SMS at $0.0075, that's $75K/day of waste. For user trust, a duplicate "Your account was locked" alert is a support ticket generator. For 2FA, a duplicate code can actually cause login failure if the TOTP window changed.
The dirty truth. True exactly-once over network boundaries to third-party providers is impossible. The goal is "user sees the message zero or one times" — what I call exactly-once-effective. That requires discipline at four independent points:
- Ingest dedup (already covered):
(tenant_id, idempotency_key)uniqueness in Spanner. - Kafka idempotency: producer with
enable.idempotence=true,acks=all,max.in.flight.requests.per.connection=5, pinnedtransactional.idper outbox shard. Prevents duplicates from producer retries within Kafka. - Dispatch dedup: stable
delivery_id = SHA-256(event_id || channel || recipient_hash). Before dispatching,SETNX delivery_id → Rediswith TTL. If SETNX fails, someone already dispatched (probably a re-consumed Kafka message after rebalance). - Provider-side collapse: FCM
collapse_key, APNsapns-collapse-id, emailMessage-IDheader. The provider itself may dedupe within a short window — belt and suspenders.
Alternatives considered:
| Approach | Pros | Cons | Verdict |
|---|---|---|---|
| Kafka transactions end-to-end (read-process-write) | Atomic Kafka-to-Kafka | Doesn't extend to external HTTP calls; still need step 3-4 | Insufficient alone |
| Dispatch-time 2PC with provider | "True" once | No provider supports 2PC; fantasy | Rejected |
| Producer-side dedup only (no Redis SETNX) | Simpler | Rebalance + replay from earlier offset → duplicate dispatch | Insufficient |
| Chosen: outbox + idempotent Kafka + Redis SETNX(delivery_id) + provider collapse_key | Covers every layer | Multi-component, must monitor Redis availability | Adopted |
Failure modes & mitigations:
- Redis SETNX unavailable for delivery dedup. Fall back to "dispatch with delivery_id in header, accept risk, reconcile". Or: hot-standby Redis; during failover, briefly degrade to at-most-once-best-effort for non-critical, fail-closed for critical. Trade-off: correctness > availability for critical.
- Worker crashes post-dispatch, pre-Kafka-commit. Next worker consumes same message. SETNX prevents redispatch because the delivery_id is already set. This is exactly why SETNX has TTL slightly longer than event TTL.
- Provider returns 5xx timeout. We don't know if it delivered. Three options: (a) assume failure, retry → risk duplicate; (b) assume success, don't retry → risk loss; (c) retry with same provider message-id so provider collapses. We do (c) primarily; for providers that don't support client-side message IDs, we retry with exponential backoff and accept a small duplicate rate, tracked in the cost of doing business. Twilio accepts
Idempotency-Keyheader — use it. SendGrid has batch_id — use it.
The earned secret (#1 data-integrity bug in notification systems):
A provider returns 202 Accepted then silently drops the message. This is not rare — SendGrid's published event webhook loss rate is ~0.1%. Twilio's is lower but nonzero, especially across international carrier handoffs where a T-Mobile → international SMSC link can eat SMS. Our dispatch log says "DISPATCHED"; our status log never transitions to "DELIVERED". The naive system either (a) says "success, we shipped it" (wrong — user never got it) or (b) marks FAILED after timeout and retries (may cause duplicates).
Correct handling — Reconciliation worker:
- A separate service tails deliveries in state
DISPATCHEDfor > T minutes (varies by channel: email T=30m, push T=5m, SMS T=10m). - For each, call provider's pull API (SendGrid Events API, Twilio Messages List, FCM has per-token invalidation but not message pull — push is fire-and-forget at protocol level, so for push we rely on in-app delivery receipt via our own SDK).
- If provider confirms delivered, transition state. If provider says not found, classify as
UNKNOWNand enter a policy decision:- For critical transactional: replay once, accept duplicate risk (and document per-recipient duplicate rate < 0.01%).
- For marketing: mark LOST, don't replay.
- For push specifically, embed a signed
delivery_idin the payload and have the client SDK send a receipt back on display — the only way to truly confirm push delivery is in-app.
Rate-of-loss budget: Set an SLO "critical delivery unknown-rate < 0.05% (p95 monthly)". Burn of that budget pages an on-call.
Real systems referenced: SendGrid's event webhook + events API pull hybrid is standard; the need to reconcile is acknowledged in their engineering blog. Uber's notification platform ("Notif") documents their in-house reconciler for SMS across 20+ regional providers. Airbnb's omni-channel platform (some public material) uses what they call "trust scores" per provider. At Meta, Kraken (internal message bus) has end-to-end tracing with "delivery proof" as a first-class concept.
7.2 Deep Dive B — Quiet Hours + Timezone Correctness at Scale
Why critical. Getting this wrong means: (1) legal violation (TCPA fines $500-$1500/call for SMS outside 8am-9pm), (2) user trust damage (3am push wakes user), (3) global-scale brittleness (DST transitions, offshore territories with half-hour offsets).
The naive approach that fails: "Store user's UTC offset; at send time, check if UTC + offset is within quiet hours." Fails because:
- DST transitions: offset changes twice/year. A user in America/New_York is -5 Nov-Mar, -4 Mar-Nov.
- Offset isn't enough:
Asia/Kathmanduis +5:45,Pacific/Chathamis +12:45/+13:45. India is +5:30. There are >600 IANA timezones. - User moves. Stored offset goes stale.
- "Quiet hours 10pm-8am" requires a wrap-around query.
The right approach: store IANA timezone string (e.g., America/New_York). Use a timezone library (ICU, Joda, zoneinfo) at evaluation time. The question becomes when to evaluate.
Two architectural alternatives:
| Option | Approach | Pros | Cons |
|---|---|---|---|
| A. Delay-at-send | At fan-out time, check quiet hours. If inside, reschedule via delayed Kafka topic or scheduler. | Simple. Always uses fresh preferences. | Worker churn: for a global campaign at UTC midnight, every user in the Americas is quiet, every worker loops through and reschedules — stampede on scheduler. Also, clock skew between workers → non-deterministic. |
| B. Look-ahead materialization | Scheduler service computes per-user delivery time at campaign creation based on stored tz. Writes to per-hour time buckets. Dispatch worker drains the bucket at that hour. | Even load, deterministic, one-shot scheduling, natural load-shedding. | Stale if user updates tz between schedule and send. Requires rebuild on preference change for affected future sends (which is a small set — only scheduled future events, not on-demand). |
| Hybrid (chosen) | On-demand (transactional) sends use A (delay-at-send). Scheduled campaigns use B (materialize). | Best of both: on-demand rare enough that stampede is OK; campaigns benefit from even load. | Two code paths. Reconciliation complexity. Well worth it at 10B/day. |
Edge cases actually faced in production (I've debugged variants of most of these):
- DST "spring forward" gap. User set reminder for 2:30am on DST morning. That time doesn't exist. Policy: push to 3:30am (the next-valid time) and log. Never silently drop.
- DST "fall back" ambiguity. 1:30am happens twice. Policy: use first occurrence (earlier UTC). Document.
- User flips tz minutes before scheduled delivery. Look-ahead bucket has them in the old tz. Fix: on tz change, issue a "reschedule-affected-future-events" job. Bounded scope (scheduled, future, this user) — cheap.
- Timezone database update.
zoneinfoupdates several times/year (new countries, rule changes, e.g., Samoa skipped a day in 2011). Requires rolling update of all workers + scheduler with coordinated cutover. SLO: tz DB refresh lag < 7 days. - Device local time vs server tz store. For push specifically, we could delegate quiet hours to the device (iOS has
UNNotificationContent.interruptionLeveland DND). More accurate but loses central audit. Hybrid: server enforces server-side quiet hours; device enforces device-side DND. Both active. - Critical override. "Suspicious login" must override quiet hours. But must not override if user explicitly disabled "security alerts" category. Priority + category are independent axes; policy matrix must be explicit.
Data model:
user_preferences {
user_id,
channel, // push/email/sms
opt_in,
timezone_iana, // "America/New_York"
quiet_hours_start, // local time, "22:00"
quiet_hours_end, // local time, "08:00"
quiet_hours_categories_override, // array of categories that can break through
category_opt_outs, // array
locale, // for template selection
last_updated,
consent_proof_ref, // pointer to consent audit row
}
Implementation sketch (delay-at-send path):
def in_quiet_hours(user_prefs, now_utc):
tz = ZoneInfo(user_prefs.timezone_iana)
local = now_utc.astimezone(tz)
start = local.replace(hour=user_prefs.qh_start_h, minute=user_prefs.qh_start_m)
end = local.replace(hour=user_prefs.qh_end_h, minute=user_prefs.qh_end_m)
if start <= end:
return start <= local < end
else: # wrap-around (e.g., 22:00-08:00)
return local >= start or local < end
def next_quiet_end(user_prefs, now_utc):
# Returns the UTC ts at which quiet hours end. Handles DST via ZoneInfo.
...
Performance: IANA tz parsing is expensive. Cache the ZoneInfo object per worker, keyed by string. At 600 tz strings and ~70K events/s per region, cache is trivial.
Real systems: Airbnb's published "omni-channel" material discusses look-ahead. Uber's "Michelangelo" data platform sidebars mention tz-bucketed campaign execution. LINE and WhatsApp both implement timezone-aware do-not-disturb server-side (per public engineering posts).
7.3 Deep Dive C — Per-Provider Rate Limits, Circuit Breakers, Multi-Provider Failover
Why critical. Providers are the #1 source of real-world outage. FCM had a multi-hour partial outage in 2020. SendGrid has regional degradations. Twilio has regular short-code-level rate limit incidents. A notification platform that degrades when its providers degrade is a fragile platform.
Constraint surfaces:
- Provider global quota (e.g., FCM allows up to X million msgs/min per project).
- Provider per-endpoint rate (APNs per HTTP/2 connection stream limit; Twilio per-phone-number 1/s).
- Provider per-recipient rate (FCM deduplicates per token if you exceed).
- Provider cost quota (SendGrid contract allows 100M/month burst; above that is overage billing).
- Tenant-level rate (we don't want one tenant exhausting shared quota).
Four nested rate limiters:
Event in fan-out
│
├── 1. Tenant-channel quota (protect shared infra from noisy tenant)
│ token bucket, Redis-backed, per (tenant_id, channel)
│
├── 2. Provider-global quota (stay under provider contract)
│ token bucket, per provider, regional + global view
│
├── 3. Provider-endpoint quota (per short code, per sender id)
│ e.g., per Twilio short-code = 100/s, per APNs bundle = 9K/s
│
└── 4. Per-recipient debounce (don't hit user more than 1 per 5s)
user_id → last_sent_ts, Redis with LRU
Token bucket implementation at scale. Single Redis key with INCR + TTL is simplest but throttles on hot keys. For a shared FCM quota at 700K/s, centralized Redis would be the bottleneck. Solution: two-tier token bucket.
- Global coordinator (per provider) mints tokens every 100ms into N regional Redis instances.
- Each worker pulls tokens in batches of 100 from its regional instance, amortizing Redis RTT.
- Worker returns unused tokens on periodic flush.
Similar to how CloudBees / AWS API Gateway implement distributed rate limits. Meta's internal "Ratelim" service is an equivalent. Google's "Doorman" is the public reference architecture.
Circuit breakers per provider:
State: CLOSED (healthy) → OPEN (failing) → HALF_OPEN (probing)
Trip condition: 50% errors over 10s rolling window, OR p99 > 5s for 30s
Open duration: 30s → 2m → 10m exponential
HALF_OPEN: route 1% traffic, upgrade to CLOSED if healthy for 60s
Per-region, per-provider. So FCM-US going down doesn't fail FCM-EU.
Multi-provider abstraction — channel fallback ladder:
Channel: email
Primary: SendGrid (90% cost weight)
Secondary: SES (10% steady + failover)
Tertiary: internal SMTP pool (last-ditch, critical only)
Channel: sms
Primary: Twilio
Secondary: MessageBird (different geo strengths)
Carrier-specific: use Twilio super network routing to bypass poor links
Channel: push
iOS: APNs only (no fallback possible at protocol level)
Android: FCM primary; Huawei HMS for Huawei devices; Xiaomi MiPush for China
When to fallback:
- Circuit open (provider broadly down) → route all traffic to secondary.
- Per-recipient transient failure (e.g., SendGrid returns bounce suggesting temporary mail server issue) → queue for retry on same provider first.
- Per-recipient permanent failure (e.g., email bounces hard) → suppress address, update user_preferences to mark bad_address, don't fallback to same channel; optionally fallback ladder cross-channel (email failed → push; email failed → sms) if priority = CRITICAL and category allows.
Alternative approaches:
| Approach | Trade-off |
|---|---|
| Active-passive (SendGrid primary, failover only on outage) | Simple, but untested path — failover likely to fail. |
| Active-active weighted (90/10 split always) | Secondary path always warm; costs slightly more; I prefer this. |
| Per-recipient affinity (user's preferred provider sticky) | Engagement/reputation benefit for email (consistent sender), but complicates quota management. |
| Chosen: active-active weighted + per-provider circuit breaker + cross-channel ladder for critical | Covers outage and cost and cross-channel resilience. |
The earned secret here: Provider-side "soft failures" are far more common than outages, and they're invisible without reputation monitoring. Example:
- SendGrid silently routes your traffic to a low-reputation IP pool if your bounce rate spikes. Your delivery rate to Gmail drops from 98% to 70%. No error returned. Only detectable by per-recipient-domain success rate monitoring (deliveries to @gmail.com vs @yahoo.com vs @outlook.com, by provider, by day).
- Twilio's SMS may get "stealth blocked" by T-Mobile after spam complaints. Delivery ACK received; message never arrives. Only detectable by engagement rate monitoring (clicks on tracked links per sent) — a drop without a bounce-rate increase is the tell.
- FCM silently dedupes push messages to a token that has been "inactive" for 28+ days. Delivery ACK received; user never sees it because APNs/FCM aged out the token silently on the device.
Building observability for these is a full-time job. SLIs to monitor:
- Per-provider, per-region: success rate (2xx/total), p50/p99 latency, bounce rate.
- Per-provider × per-recipient-domain: delivery rate, open rate, click rate.
- Per-template × per-variant: open rate, CTR, complaint rate.
- Per-tenant: cost rate vs budget, anomaly detection on daily send volume.
Real systems: Twilio publicly discusses their "super network" carrier routing. SendGrid publishes their IP warmup and reputation mechanics. Courier (notification-as-a-service startup) built their entire product around multi-provider abstraction with cost optimization. Uber's "Bliss" tooling surfaces provider health across 10+ SMS aggregators globally.
8 Failure Modes & Resilience #
| Component | Failure | Detection | Blast radius | Mitigation | Recovery |
|---|---|---|---|---|---|
| Ingest API | Region down | LB health check, synthetic probes | One region's tenants (or shifted to alt region via geo-DNS) | Multi-region ingest; client SDK retries; DNS failover 60s | Auto-restore; Spanner replicates across regions; events accepted in alt region |
| Spanner | Write unavailable | Error rate on INSERT | Ingest blocked in region | 99.999% SLA; rare. Fail-closed on ingest (return 503, client retries). Do NOT degrade to Redis-only (loses idempotency). | Wait for Spanner recovery; no backfill needed (client retry preserves idempotency key) |
| Outbox Publisher | Crashes or lag | Lag SLI: unpublished_rows_oldest_age |
Events queued but not yet dispatched; no data loss | Multi-instance per shard; auto-restart; K8s pod health. Alert if lag > 30s. | Restart; resume from CDC checkpoint |
| Kafka broker | Node fail | Replication lag, under-replicated partitions | Transient increase in produce latency; no loss (RF=3) | RF=3, min.insync.replicas=2, acks=all. Cruise Control rebalances. |
Replace node, rebalance, catch-up |
| Kafka cluster-wide | Full cluster outage | Produce failures | Full pipeline stall | Multi-cluster MirrorMaker2 → standby cluster in same region; regional cluster isolation | Failover to standby; replay from outbox publisher from last checkpoint (bounded staleness: outbox retention) |
| Preference Service | Down | Error rate | Fan-out workers can't fetch prefs | Stale Redis cache acceptable for 5 min (documented policy; degrades to last-known preferences). Critical read-your-write path goes through Redis always. | Restore service; invalidate stale cache on recovery |
| Preference service partial (RYW violated) | Stale data served | Shadow reads vs Spanner | User flips opt-out, still gets messages briefly | Explicit 5-min SLO on preference propagation to Redis; quiet hours + RTBF bypass cache, read from Spanner | Not recoverable for already-sent; document user-visible behavior |
| Template Service | Down | Error rate | Fan-out can't render new templates | Edge cache (CDN) serves last-known-good for 1h TTL. Deploys push new versions to cache. | Restore, invalidate cache on bad template |
| Provider FCM/APNs/SendGrid/Twilio | Outage | Circuit breaker trips | Channel(s) affected | Multi-provider failover (section 7.3); escalate to fallback channel ladder for critical | Provider restoration; replay queued via Kafka retention window (24h critical) |
| Rate-limit exceeded (provider 429) | Dispatch retries exhausted | 429 rate metric | Channel throttles; campaign slows | Token bucket adherence; exponential backoff respecting Retry-After; alert if sustained |
Wait for quota window; negotiate higher quota proactively |
| Poison payload | Worker crash on specific msg | Consumer restart loop | Kafka partition stalls | Per-message try/catch → DLQ after 3 parse failures; unit test template rendering in CI | Quarantine; fix parser; replay from DLQ |
| Preference store: full outage | Can't fetch any prefs | Preference API errors + Redis miss → Spanner failure | Global fan-out blocked | Policy: critical events proceed with "safe defaults" (no quiet hours bypass, no category filter) — fail-open for critical, fail-closed for marketing. Legal signoff required. | Restore service; no replay needed |
| Kafka lag | Consumer can't keep up | Lag SLI per consumer group | Latency SLO burn | Horizontal scale consumers, priority-based shed (drop marketing.* first) | Scale + drain |
| DLQ build-up | Many failing messages | DLQ size alert | Operator workload | Alerting at thresholds; on-call triage playbooks; classify DLQ reasons | Replay after fix; or ageing out after 7d |
| Webhook GW: provider webhook loss | Delivery state stuck at DISPATCHED | Reconciler flags unknowns | Inaccurate delivery status | Reconciliation worker (sec 7.1) queries provider pull APIs; treat as UNKNOWN, replay for critical |
Pull-API backfill |
| Runaway campaign | Tenant misconfigures 1B/user campaign | Per-tenant rate anomaly | Cost spike, recipient inbox poisoning, IP reputation damage | Hard quota per tenant per channel per day; approval gate for campaigns > threshold; circuit break tenant after anomaly | Stop; manual re-enable; investigate |
| Redis (dedup SETNX) down | Duplicate risk | Redis ping | Dispatch dedup degraded | Fail-closed on critical (block dispatch); fail-open on non-critical (accept small dup rate) | Restore; SETNX keys auto-expire |
| Cassandra (deliveries) down | Can't record state | Error rate | Dispatch happens but no record | Local WAL on worker → replay on restore | Restore; replay WAL |
| Tenant outbound webhook endpoint down | Tenant doesn't get delivery events | HTTP errors | Tenant observability | Retry with backoff 24h; DLQ; emit alert to tenant | Tenant fixes endpoint; drain DLQ |
| Config drift (rate limit misconfig) | Dispatch storm or starvation | Rate anomaly + alert | Service-wide | Config as code (Git-ops), canary rollout, auto-rollback on SLO burn | Rollback config |
SRE on-call carryable? Yes. Top runbook surfaces: (1) per-provider health dashboard, (2) Kafka lag per topic-partition, (3) per-tenant rate anomaly, (4) DLQ size, (5) reconciler UNKNOWN rate, (6) idempotency dedup rate. Paging ladder: tenant-scoped issue → team on-call; platform-wide → platform SRE; regulatory (PII leak, consent violation) → privacy/legal rotation.
9 Evolution Path #
v1 — MVP (Quarter 1, 1 team, 1 region, ~10^6 events/day)
- Single Python/Go service. Synchronous HTTP to FCM only. Push only.
- Postgres for events; no outbox; dual-write to a simple queue (SQS or Redis).
- No preferences beyond global opt-in boolean.
- No retry logic beyond provider default.
- Why: prove value, single product team, zero SLA commitment.
- Known debt carried: no dedup (acceptable at 10^6/day), no multi-channel, no tz.
v2 — Multi-channel async (Quarter 3, ~10^8/day)
- Kafka introduced; one topic per channel. No priority split yet.
- Outbox pattern adopted (lessons: first launch without outbox had dual-write gap in an AZ fail; moved to outbox).
- Email (via SES) and SMS (via Twilio) added. Basic fan-out resolver.
- Preferences: per-channel opt-in, basic quiet hours (single UTC offset — this was wrong, fixed in v3).
- Template service introduced: 1 locale, string-template level.
- Delivery status via provider webhooks, basic storage.
- Retry with simple exponential backoff; DLQ.
- Observability: per-channel success rate.
- Why: product lines multiplying; scale becoming real; SLA commitments starting.
v3 — Global multi-region + priority + multi-provider (Year 2, ~10^10/day)
- 3-region active-active with user home-region model.
- Priority-split topics: critical., high., promo.*. Dedicated broker pools for critical.
- Full IANA timezone + DST + scheduled materialization.
- Multi-provider per channel with active-active weighted + circuit breakers.
- Reconciliation worker for delivery status.
- A/B testing infra (variant at send time, outcome tracking).
- Self-service template authoring for 100s of teams with canary rollout.
- Per-tenant quotas + chargeback.
- GDPR/TCPA compliance: consent audit trail, RTBF propagation, region residency.
- Cost monitoring as first-class: per-tenant/channel/template dashboard, anomaly alerts.
v4 — Intelligence layer (Year 3+)
- Send-time optimization ML (per-user best-time-to-send).
- Frequency capping across tenants (user sees no more than N notifs/day cross-product — protect user from spam).
- Smart channel selection (which channel most likely to engage per user).
- Agentic template generation & localization (on-brand, safety-reviewed).
- Integration with an in-app inbox / "universal inbox" (out-of-scope for this doc but natural extension).
10 Out-of-1-Hour Notes #
These are the topics an L7 should recognize as real but deprioritize for the 60-min interview.
10.1 Template safety / XSS
- Emails render as HTML; SMS has URL shorteners; push has limited markup.
- Template engine must be sandboxed: Handlebars or Jinja2-sandbox, not Python
evalor raw string interpolation. - Variables auto-escaped per channel: HTML escape for email body, URL encode for SMS link vars.
- Template review pipeline: author → review → canary to 0.1% traffic → full rollout. Bad template rollback in seconds.
- Image proxying in email (don't leak recipient IP on image load).
javascript:URLs stripped.<script>blocked. Remote CSS blocked (email clients strip anyway, but defense-in-depth).
10.2 Unsubscribe flow / one-click compliance (RFC 8058)
- Every marketing email must have
List-UnsubscribeandList-Unsubscribe-Postheaders for one-click. - Clicking unsubscribe → POST to our endpoint → update preferences → respond 200 with confirmation page.
- Must be idempotent (provider retries sometimes).
- Signed tokens in URL so we verify authenticity and identify user without PII in URL.
- SMS:
STOPkeyword honored by provider; we listen to provider's keyword-received webhook and reflect into preferences.
10.3 Right-to-be-forgotten (RTBF) — my Privacy Infra lane
This is where I'd pull earned-secret depth. RTBF is the hardest thing in a notification system because your data crosses five boundaries:
- Spanner (events, prefs, outbox) — straightforward: delete by user_id with audit record.
- Kafka — compacted topics can be cleaned by writing tombstones (null value at key); non-compacted topics age out naturally within retention (24h-6h), but within that window the data exists. Policy: acknowledge within 30d SLA, but true physical erasure waits for retention cycle; document to legal.
- Cassandra deliveries — TTL-based (90d). For immediate deletion: explicit DELETE (tombstone-heavy but acceptable at per-user scope). We ALSO store
recipient_hashso most deliveries rows don't carry raw PII after minimization worker passes (12h after creation). - Provider logs — SendGrid/Twilio/FCM retain send logs. Each has a DPA; we issue RTBF requests on our tenant's behalf via their APIs or support. Expected time: 30-90d. This is where the propagation gets ugly — no strong guarantee; document to legal.
- Downstream analytics (BigQuery / data warehouse) — delete by user_id across all derivative tables. Use a RTBF manifest service that fans deletes to every known derivative. Every new data pipeline must register with this service or it breaks GDPR compliance.
I've written the cross-service RTBF propagation on Privacy Infra; the #1 failure mode is a team spinning up a new Kafka consumer that sinks data to a new warehouse without registering. Detection: periodic audit joins sampling user_ids that should have been deleted vs warehouse contents.
10.4 Cost monitoring per tenant per channel
- Real-time counter per (tenant, channel, provider, template_id, day) → per-send cost.
- Budget alerts at 50%, 80%, 100% of tenant quota.
- Anomaly detection: 3σ over 7-day rolling mean on any tenant-channel volume.
- Chargeback report to tenant daily.
- Known attack: tenant misconfigured loop causing 10^6 SMS/hour. Hard quota cut at 1.5× daily budget automatically; tenant must manually raise.
10.5 SMS short-code vs long-code vs toll-free
- Short code (5-6 digit): high throughput (100-500 msg/s), high trust, regulated (A2P 10DLC in US, similar everywhere). Cost: $500-$1000/mo + per-msg. Required for high-volume brands.
- Long code (10DLC): 1-100 msg/s depending on brand registration trust tier. Cheaper.
- Toll-free: can send SMS in US, moderate throughput, brand-trust-neutral.
- Alphanumeric sender ID: allowed in EU/APAC, not US. Brand name appears as sender.
- Capacity planning here is the real SMS bottleneck. Dynamic assignment of sender IDs per tenant per message class.
10.6 Email deliverability (SPF / DKIM / DMARC / BIMI)
- SPF (Sender Policy Framework): DNS TXT record listing authorized sending IPs. Required.
- DKIM (DomainKeys): DNS-published public key, signed per message. Required.
- DMARC: policy on auth failure (none/quarantine/reject), reporting. Required at reject for reputation.
- BIMI: brand logo in inbox, requires VMC certificate. Nice-to-have for brands.
- Warming new sending IPs: 2-4 week ramp from 1K/day to full volume, low-bounce audiences first.
- Per-domain reputation tracked by mailbox providers (Gmail Postmaster Tools, Microsoft SNDS). Our cost monitor surfaces these feeds.
10.7 Campaign throttling (protect recipient inbox reputation)
- Even with unlimited provider quota, we throttle campaigns:
- Per-recipient frequency cap (max 3 marketing/user/day across all tenants on our platform).
- Per-sending-IP reputation: don't concentrate 10^8 sends on one IP in 1 hour — spread across pool, warm rotation.
- Category-level dampening: if "Gmail" complaint rate for a campaign exceeds 0.3%, throttle send globally for that template.
- These protections apply to the platform's shared reputation, not just one tenant.
10.8 Observability (SLIs, SLOs)
- Latency SLIs per percentile, per priority, per channel, per region (18 series × 5 percentiles = 90).
- Success rate per provider per region per recipient-domain (high cardinality, sampled).
- Reconciler
UNKNOWNrate per channel (privacy-sensitive; proxy for silent drops). - Dedup rate (ingest dedup and dispatch dedup separately).
- Preference propagation lag (Spanner → Redis RYW verification).
- Cost burn rate per tenant per channel.
- DLQ backlog per (topic, reason).
- Kafka lag per consumer group per partition.
- Provider circuit breaker state changes (pager-worthy cluster of OPENs).
- Template bounce/complaint rate per (tenant, template, version).
10.9 A/B testing mechanics (briefly)
- Variant allocation: hash(user_id, campaign_id) mod N → sticky assignment.
- Variant delivered at resolve time, not send time (so we can change allocation until the last moment).
- Outcome tracking: join delivery events + engagement events (opens, clicks) by
(user_id, campaign_id, variant)in analytics. - Sequential testing + power analysis to prevent peeking-bias false positives.
- Promote winning variant; keep test history for 90d.
10.10 What I'd ask in a code review of this design
- Every dedup step: how does it handle the Redis coordinator going away mid-flight?
- Every rate limit: what's the behavior at provider-quota-exactly boundary?
- Every state transition: is there a state where a crash leaves us inconsistent?
- Every external call: what's the retry policy and what does the tenant see?
- Every preference read: does it survive cache failure? Does it survive stale cache?
- Every deletion: does it propagate to all 5 boundaries?
- Every template variable: is it escaped? Sanitized? Length-bounded?
- Every campaign: is it quota-protected? Can it be stopped mid-flight?
- Every provider: can we swap it out in hours, not quarters?
Appendix: Verification checklist (against rubric) #
- ✅ Every design choice carries WHY + rejected alternatives (Spanner vs Redis-only for idempotency, look-ahead vs delay-at-send, outbox vs dual-write, etc.)
- ✅ Capacity numbers calculated, not asserted (all math shown in §3.2)
- ✅ ASCII diagram implementable from (§6 with per-arrow protocol + rate + latency)
- ✅ L7-depth deep-dives on three topics (exactly-once-effective, tz correctness, multi-provider), each with:
- Why critical, ≥3 alternatives with quantified trade-offs, chosen approach, failure modes, real systems named
- ≥1 earned-secret insight per dive (silent provider drops + reconciler, DST spring-forward policy, silent reputation throttling by provider)
- ✅ SRE pager-carryable (top 10 SLIs, failure modes with detection+blast+mitigation+recovery)
- ✅ Every diagram arrow maps to API/data flow in §4/§5
- ✅ 10B/day math mapped to Kafka partitions (256 critical), worker counts (350 push peak), provider quotas (per-short-code 100/s)
- ✅ Real systems named: Courier, SendGrid, Twilio, FCM, APNs, Uber Notif, Airbnb omni-channel, Meta Kraken, Google Doorman, Airbnb Michelangelo, LINE, WhatsApp
- ✅ Out-of-1-hour notes: XSS, unsubscribe, RTBF propagation, cost, SMS form factor, email deliverability, campaign throttling, observability, A/B