A practical lesson on delivery semantics, duplicate risk, and why effectively-once behavior is usually an application design goal rather than a broker promise.
At-most-once, at-least-once, and effectively-once are not interchangeable labels. They describe very different trade-offs about loss, duplication, and where the burden of correctness sits. Many teams learn the names early, then still make poor reliability decisions because they treat delivery semantics as the whole system contract instead of only one layer in it.
The first distinction to keep clear is transport versus business effect. A broker can decide whether it redelivers a message after timeout or consumer failure. That says something about transport behavior. It does not automatically say whether an invoice is written twice, whether a user gets two emails, or whether a payment gateway sees duplicate requests. Those outcomes depend on application logic, idempotency, and how side effects are committed.
sequenceDiagram
participant B as Broker
participant C as Consumer
participant D as Database
participant E as External Email API
B-->>C: Deliver event
C->>D: Write business state
C->>E: Send email
Note over C,B: Crash before acknowledge
B-->>C: Redeliver event
What to notice:
At-most-once favors avoiding duplicate delivery even if that means some events may be lost. This model is acceptable only when loss is cheaper than duplication, or where another mechanism can recover the missed work later. Some telemetry, transient notifications, and low-value background signals may fit this trade-off.
It is a weak fit for business-critical state changes. If an order-confirmation event disappears and nothing later reconstructs it, the system has chosen silent loss as an acceptable outcome. That is usually not what the business actually wants.
At-least-once favors eventual handling, accepting that duplicates may occur. This is why it is common in practical event systems. Under network uncertainty or consumer failure, retrying is usually safer than silently dropping work. But the price is explicit duplicate tolerance.
Teams often speak as if at-least-once is a transport inconvenience. It is more than that. It shapes consumer design, storage strategy, and external side-effect controls. If the consumer writes to a database, calls a third-party API, and updates a cache, each of those effects must be examined under redelivery.
Effectively-once is the business outcome most teams actually want. The system may deliver an event more than once internally, but the observed business effect becomes safe and non-duplicated because the application handles retries correctly. The transport is still imperfect. The system behavior is what becomes reliable.
This is why “exactly once” claims should be treated carefully. A platform may offer strong guarantees inside a stream-processing boundary, yet the end-to-end system still contains databases, HTTP calls, email providers, payment processors, and humans. If those downstream effects are not guarded, exactly-once language becomes misleading at the architecture level.
Effective-once behavior usually depends on a combination of:
1type EventEnvelope = {
2 eventId: string;
3 eventName: string;
4 data: { invoiceId: string; customerId: string; amount: number };
5};
6
7async function handleInvoiceCreated(event: EventEnvelope) {
8 const alreadyHandled = await processedEventStore.has(
9 "invoice-email-consumer",
10 event.eventId,
11 );
12
13 if (alreadyHandled) return;
14
15 await invoiceRepository.markNotificationQueued(event.data.invoiceId);
16 await emailGateway.sendInvoiceReadyEmail(event.data.customerId);
17 await processedEventStore.record("invoice-email-consumer", event.eventId);
18}
This example is intentionally small, but the idea is important: the consumer uses the event identifier as part of its business-safety boundary. The duplicate delivery may still happen. The duplicate effect should not.
Several common mistakes appear repeatedly:
The most useful mindset is this: delivery semantics tell you what kind of uncertainty to expect. Your application design determines whether that uncertainty becomes a real business problem.
A team says they chose a platform with exactly-once delivery, so their consumer no longer needs idempotency when it updates a database row and triggers a billing email. What is the stronger challenge?
The stronger challenge is that end-to-end business effects extend beyond broker internals. Even if the platform coordinates offsets or transactional writes inside its own boundary, the database update and email send still need a retry-safe design. Without application-level duplicate protection, “exactly once” at transport level can still become duplicate business behavior.