A dead-letter path is introduced: messages that hit the retry limit are moved to a DeadLetterMessages table with metadata (order ID, event type, payload, original timestamp, failure reason, retry count), and a GET /api/deadletters endpoint is provided for operators to inspect and act on them.

The author refines a .NET event-driven order pipeline after feedback from the CTO, addressing three critical gaps: lack of protection against horizontal scaling, no backoff for Kafka outages, and no dead-letter mechanism for failing messages.

To enable safe parallelism, the updated design uses a SQL query with FOR UPDATE SKIP LOCKED so only one poller instance processes a given outbox message at a time.

Kafka outages are mitigated with exponential backoff: on publish failures the system increases retry delays up to a maximum, resets to base delay after success, and distinguishes Kafka failures from bad payloads to avoid delays caused by deserialization errors.

With these changes, the outbox processor now handles four scenarios—successful processing, Kafka outages with backoff, multi-instance safety via row-level locking, and persistent failures via dead-lettering—creating a production-ready pipeline.

The author credits the CTO’s feedback for surfacing production-facing issues and underscores the value of peer code reviews in building robust event-driven systems, with the source code available at github.com/aftabkh4n/order-pipeline.