Herald: Newsletter Infrastructure You Actually Own

We used Buttondown for our newsletters for a while. It worked fine until it did not. The moment we needed multi-tenant isolation for separate publications, automation sequences for onboarding flows, and an API that our AI assistants could drive directly, we hit the ceiling of what any third-party newsletter service was willing to offer. So we built Herald.

Herald is a multi-tenant newsletter and subscriber management platform that handles everything from signup forms to email delivery. It runs the same stack as the rest of our tools: FastAPI on the backend, React on the frontend, PostgreSQL for persistence, and Valkey for caching. Email goes out through SendGrid. The entire system exposes 49 MCP tools, so managing subscribers, composing emails, and querying analytics can all happen from an AI assistant without touching the dashboard.

Multi-Tenancy from Day One

Herald was designed for multiple independent newsletters from the start. Each tenant gets isolated subscriber lists, templates, API keys, and analytics. There is zero cross-contamination between publications. One instance of Herald runs all of Renkara's newsletters, but each publication operates as if it had its own dedicated platform.

Per-newsletter API keys are hashed with SHA-256 and stored securely. Keys can be created, rotated, and revoked independently per tenant. CORS origins are configurable per newsletter, so signup forms can be embedded on any website with properly scoped headers. No wildcard origins, no security shortcuts.

Key Features

Double Opt-In with Cryptographic Confirmation

Every new subscriber goes through a compliant double opt-in flow. Confirmation tokens are 64 characters of cryptographically random data. Confirmation emails are customizable per newsletter. This is not just a best practice; it is a legal requirement in many jurisdictions, and Herald handles it correctly by default rather than as an afterthought.

Subscriber Segmentation

Dynamic rule-based segmentation evaluates in real time. Target subscribers by engagement level, tags, subscription date, custom attributes, or any combination. Segments update automatically as data changes. A flexible tagging system lets you create segments on the fly by combining tags with boolean logic. Tags can be applied manually, via automation rules, or through the API.

Automation Sequences

Welcome series, drip campaigns, and re-engagement flows all run as automation sequences. Define triggers, delays, and conditions. Set it up once and new subscribers automatically receive the right messages at the right time. This is the feature that Buttondown never offered and that pushed us to build our own platform.

Markdown Composition and MJML Rendering

Write emails in Markdown with a live HTML preview. No drag-and-drop template builders, no WYSIWYG editors that produce garbage HTML. The frontend uses a Tiptap rich text editor with Markdown shortcuts for people who prefer formatting through keyboard shortcuts. Under the hood, Markdown converts to email-safe HTML through MJML via an emailmd Node.js sidecar process. The result renders correctly in Gmail, Outlook, Apple Mail, and every other major client, responsive on every screen size.

Privacy-First Architecture

Open and click tracking are disabled by default on every newsletter. You enable tracking only when you explicitly choose to. Subscriber privacy is the default, not an afterthought. Honeypot fields on signup forms catch bots without annoying real users with CAPTCHAs. One-click unsubscribe follows RFC 8058, working correctly in Gmail, Apple Mail, Outlook, and every compliant client.

Integration Points

Authentication flows through the shared auth-service using RS256 JWTs with audience verification scoped to herald. An AWS Lambda function handles signup form processing for static sites and landing pages. Outbound webhooks fire on subscription events, email sends, opens, and clicks, integrating with CRMs, analytics, or any system that accepts HTTP callbacks. SendGrid webhook verification uses HMAC-SHA256 with timing-safe comparison for bounce, spam complaint, and delivery event processing.

The MCP server covers all 49 admin endpoints. Manage subscribers, compose emails, trigger automations, query analytics, and configure newsletters directly from an AI assistant. This is how we actually run our newsletters day to day: the AI handles the routine operations, and we focus on the content.

Why Not Buttondown, Mailchimp, or ConvertKit?

Newsletter SaaS platforms charge per subscriber. As your list grows, so does your bill, regardless of how many emails you actually send. They also own the relationship with your subscribers. Your data lives on their servers, your deliverability depends on their shared IP reputation, and your feature roadmap is whatever they decide to prioritize.

Herald costs us a SendGrid sending plan and our existing infrastructure. We own every subscriber record, every engagement metric, and every template. When we needed automation sequences, we built them in a day. When we wanted per-newsletter CORS configuration for embedding signup forms across different domains, it took an afternoon. The total cost of ownership is a fraction of what we were paying Buttondown, and we got multi-tenancy, automation, and MCP integration that no newsletter SaaS on the market provides.

Specs