How to Use SMTP for Sending Statements and Balance Alerts

Sending sensitive financial data like account statements, balance alerts, and transaction summaries over email requires both efficiency and a strong commitment to privacy and security. SMTP (Simple Mail Transfer Protocol) remains one of the most reliable methods for delivering these updates, but it must be configured properly to meet security and compliance standards.

In Nigeria’s growing fintech space, real-time email notifications are essential—especially for balance alerts, transaction statements, and compliance reports. SMTP (Simple Mail Transfer Protocol) remains a trusted method for sending these notifications at scale, but using it securely is critical when dealing with financial data.

This guide explores how to use SMTP securely in a fintech environment, with real-life examples from Nigerian fintechs like Carbon, Moniepoint, FairMoney, and VBank. We’ll also include tips and tools from Yournotify to improve email delivery and compliance.

Why SMTP Matters for Fintechs

Email is still one of the most cost-effective and direct channels for user communication. For financial platforms, SMTP allows:

  • Low-latency delivery of alerts and statements
  • Full control over templates and timing
  • Integration with backend systems and databases

Unlike SMS or push notifications, emails are archivable, searchable, and often used for legal or audit trails.

1. Choose a Secure SMTP Provider or Host Your Own

Nigerian fintechs often face local compliance and delivery constraints. There are two main options:

a. Third-party SMTP Providers

Fintechs like VBank or FairMoney use services like Amazon SES, Mailgun, or Yournotify SMTP to send statements and password-protected documents.

Look for:

  • TLS encryption
  • DKIM and SPF support
  • IP reputation tracking
  • Rate control

b. Self-hosting

Some high-compliance platforms (e.g., banks or pension managers) opt to self-host SMTP using Postfix or Node.js smtp-server, allowing fine-grained access control.

2. Enforce TLS and SMTPS Connections

Without TLS, your messages can be intercepted. Always enforce:

  • STARTTLS (Port 587)
  • SMTPS (Port 465)

Example: FairMoney uses TLS and domain authentication to protect sensitive data in balance alerts and loan approval emails.

Sample secure config:

{
  "port": 465,
  "secure": true,
  "auth": {
    "user": "alerts@yourdomain.com",
    "pass": "secure_token"
  }
}
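
The config above covers implicit TLS on port 465. For STARTTLS on port 587, the client has to refuse to continue when the upgrade is not offered, otherwise credentials can travel in plaintext. The following is an added example, not code from the original article or from Yournotify; the function names are hypothetical, and the host and credentials are supplied by the caller.

```python
import smtplib
import ssl


def strict_tls_context() -> ssl.SSLContext:
    """TLS client context: certificate and hostname checks on, TLS 1.2+."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def login_over_starttls(smtp, user: str, password: str, context=None) -> None:
    """Upgrade a port-587 session to TLS, then authenticate.

    `smtp` is a connected smtplib.SMTP object. Fails closed: if STARTTLS is
    not advertised, no credentials and no message are sent.
    """
    smtp.ehlo()
    if not smtp.has_extn("starttls"):
        raise RuntimeError("STARTTLS not offered; refusing to send credentials")
    smtp.starttls(context=context or strict_tls_context())
    smtp.ehlo()  # re-read capabilities over the encrypted channel
    smtp.login(user, password)


def send_alert(host: str, user: str, password: str, msg) -> None:
    """Send one email.message.Message over STARTTLS on port 587."""
    with smtplib.SMTP(host, 587, timeout=10) as smtp:
        login_over_starttls(smtp, user, password)
        smtp.send_message(msg)
```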

3. Implement SPF, DKIM, and DMARC

To prevent fraud or phishing, configure:

  • SPF: Lists the IP addresses authorized to send mail for your domain
  • DKIM: Cryptographically signs your messages
  • DMARC: Tells receiving mail servers how to handle messages that fail these checks (spoofing)

Example SPF Record:

v=spf1 include:yournotify.com -all

Reference: How to Set Up Email Authentication with Yournotify

4. Use Per-App SMTP Credentials

Avoid using a single password for all services.

  • Generate separate credentials per app
  • Restrict access by IP or region
  • Rotate credentials quarterly

Moniepoint, which operates in a high-risk category, enforces tight credentialing across its email systems to reduce internal misuse.

5. Send Secure Attachments or Statements

Never attach unencrypted PDFs.

Options include:

  • Encrypt PDFs with a password (sent via SMS or app)
  • Send a secure link to download (e.g., time-limited tokenized URLs)

Example: Carbon sends monthly statements with a download link that expires in 24 hours for extra security.

Guide: Send Secure PDFs Using Yournotify SMTP
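
One way to build the time-limited tokenized URL described above is to sign the statement ID, user ID, and expiry with an HMAC and verify all three on download. This is an added example, not code from the original article, Yournotify, or Carbon; the base URL, parameter names, and key are hypothetical, and the 24-hour lifetime mirrors the expiry mentioned above.

```python
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-key"  # assumption: load from a secret store in production
BASE_URL = "https://statements.example.com/download"  # hypothetical endpoint
TTL_SECONDS = 24 * 3600


def _sign(sid: str, uid: str, exp: int) -> str:
    # JSON-encode the fields so "a|b" + "c" can never collide with "a" + "b|c".
    payload = json.dumps([sid, uid, exp]).encode()
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def make_link(sid: str, uid: str, now=None) -> str:
    """Return a download URL that stops verifying TTL_SECONDS after `now`."""
    exp = int(time.time() if now is None else now) + TTL_SECONDS
    query = urlencode({"sid": sid, "uid": uid, "exp": exp, "sig": _sign(sid, uid, exp)})
    return f"{BASE_URL}?{query}"


def verify_link(url: str, now=None):
    """Return (sid, uid) for a valid, unexpired link, otherwise None."""
    q = parse_qs(urlsplit(url).query)
    try:
        sid, uid, sig = q["sid"][0], q["uid"][0], q["sig"][0]
        exp = int(q["exp"][0])
    except (KeyError, ValueError):
        return None
    # Constant-time comparison; check the signature before trusting `exp`.
    if not hmac.compare_digest(_sign(sid, uid, exp).encode(), sig.encode()):
        return None
    if (time.time() if now is None else now) > exp:
        return None
    return sid, uid
```

The download handler should still require the user to be logged in as the `uid` returned by `verify_link`, so a forwarded email does not expose the statement.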

6. Personalize the Content With User Data

Make messages meaningful:

Dear Aisha,

Your wallet balance as of 16 May 2025 is ₦7,850.00. 
You made 3 transactions today totaling ₦12,000.00.

Pull data from:

Fintechs like Kuda and Paga personalize subject lines and messages based on user transaction history and spending patterns.

7. Track Deliverability and Feedback

Use webhooks and logs to track:

  • Bounces
  • Spam complaints
  • Open/click rates

Example: VFD Microfinance Bank monitors SMTP delivery metrics daily to ensure alerts aren’t lost or marked as spam.

With Yournotify, you can:

  • View delivery status per message
  • Monitor domain health
  • Integrate with your backend via webhook

Reference: Yournotify’s Deliverability Dashboard

8. Monitor Abuse and Throttling

Avoid getting blacklisted:

  • Set daily/hourly rate limits
  • Monitor spikes in volume
  • Segment transactional vs marketing messages

In high-volume cases, such as PalmPay’s loan disbursement emails, messages are throttled and scheduled over several minutes to ensure inbox placement.

9. Log All Activity for Compliance

Keep audit logs of:

  • Sender IPs
  • Timestamps
  • Recipient email
  • Status (sent, bounced, failed)
  • Delivery metadata

This is useful during:

  • Security incidents
  • Regulatory audits
  • Dispute resolutions

Yournotify’s SMTP logs can be exported or queried via API for your compliance team.

10. Align with Nigerian Data Protection Regulation (NDPR)

When handling financial data over email:

  • Avoid including full account numbers
  • Never expose passwords or OTPs in emails
  • Use masked identifiers (e.g., “Account ***9081”)

Make sure you:

  • Store minimal data in email body
  • Use opt-in checkboxes before enabling alerts
  • Allow users to unsubscribe or manage preferences

Developer Code Examples for SMTP Email in Fintech Apps

Node.js (with Nodemailer)

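const nodemailer = require("nodemailer");

// Implicit TLS (SMTPS) on port 465.
const transporter = nodemailer.createTransport({
  host: "smtp.yournotify.com",
  port: 465,
  secure: true,
  auth: {
    user: "alerts@yourdomain.com",
    pass: "smtp-password" // placeholder: load per-app credentials from a secret store
  }
});

// sendMail returns a promise when no callback is passed; handle failures.
transporter.sendMail({
  from: '"Yournotify Alerts" <alerts@yourdomain.com>',
  to: "customer@example.com",
  subject: "Your Wallet Balance",
  text: "Your balance is ₦7,850.00 as of today."
})
  .then((info) => console.log("Sent:", info.messageId))
  .catch((err) => console.error("Send failed:", err.message));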

Python (with smtplib)

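import smtplib
import ssl
from email.mime.text import MIMEText

msg = MIMEText("Your balance is ₦7,850.00 as of today.")
msg['Subject'] = "Your Wallet Balance"
msg['From'] = "alerts@yourdomain.com"
msg['To'] = "customer@example.com"

# Pass a default context so the server certificate and hostname are verified.
context = ssl.create_default_context()

with smtplib.SMTP_SSL('smtp.yournotify.com', 465, context=context) as server:
    # Placeholder password: load per-app credentials from a secret store.
    server.login('alerts@yourdomain.com', 'smtp-password')
    server.send_message(msg)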

PHP (with PHPMailer)

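use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;

require 'vendor/autoload.php'; // Composer autoloader

$mail = new PHPMailer(true); // true: throw exceptions on failure
try {
    $mail->isSMTP();
    $mail->Host = 'smtp.yournotify.com';
    $mail->SMTPAuth = true;
    $mail->Username = 'alerts@yourdomain.com';
    $mail->Password = 'smtp-password'; // placeholder: load from a secret store
    $mail->SMTPSecure = PHPMailer::ENCRYPTION_SMTPS; // implicit TLS ('ssl')
    $mail->Port = 465;
    $mail->CharSet = 'UTF-8'; // required for the ₦ sign in the body

    $mail->setFrom('alerts@yourdomain.com', 'Yournotify Alerts');
    $mail->addAddress('customer@example.com');
    $mail->Subject = 'Your Wallet Balance';
    $mail->Body    = 'Your balance is ₦7,850.00 as of today.';

    $mail->send();
} catch (Exception $e) {
    error_log('Send failed: ' . $mail->ErrorInfo);
}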

Final Thoughts

SMTP remains one of the most reliable channels for sending financial alerts and statements. But its power comes with responsibility. By following security best practices—like TLS enforcement, authentication, content protection, and logging—you can build a robust, compliant messaging system that keeps customers informed without compromising their privacy.

For fintechs, banks, and digital lenders in Africa, using local infrastructure like Yournotify SMTP allows you to stay compliant with local regulations while delivering fast, secure alerts your customers can trust.

admin

Head, Product