How do I configure custom SMTP in Supabase Auth?

Dashboard → Authentication → Emails → enable Custom SMTP. Paste your provider's host (e.g., smtp.resend.com), port 465 (SSL) or 587 (TLS), username, password/API-key, and a sender address on a domain you control. Verify SPF, DKIM, and DMARC records on the sender domain or expect 30-40% spam-folder delivery. Save and trigger a test signup — Auth Logs will show the SMTP handshake.

Why is my Supabase template variable like {{ .ConfirmationURL }} not working?

Supabase email templates use Go template syntax — variable names are case-sensitive and require the leading dot. Common mistakes: {{ ConfirmationURL }} (missing dot), {{.confirmationurl}} (wrong case), or using {{ .ConfirmationURL }} in an SMS template (it's email-only). Check Authentication → Email Templates and confirm exact names: .ConfirmationURL, .Token, .TokenHash, .SiteURL, .Email.

Can RLS policies block Supabase auth emails from sending?

RLS does not block auth.users inserts (auth runs in a privileged context), but RLS on a public.profiles table with a trigger from auth.users can fail silently and roll back the entire signup transaction — including the auth user creation — which makes it look like the email never sent. Check your handle_new_user trigger and verify it has SECURITY DEFINER set, or use service_role for the insert.

TL;DR: Supabase Auth Email Not Sending in 2026: The Real Fix — most cases trace to a config mismatch, a hidden assumption, or a step skipped during setup. The fix path below covers the high-percentage causes first. If you're still stuck after 10 minutes, text PJ — most issues answered in one reply. 858-461-8054.

Supabase Auth Email Not Sending in 2026: The Real Fix

Q: How do I use Resend as the Supabase email provider?

In Resend: create an API key with 'sending access' scope and verify your sending domain. In Supabase: Authentication → Emails → Custom SMTP. Host: smtp.resend.com, Port: 465, Username: resend, Password: your Resend API key, Sender email: noreply@yourdomain.com. Free tier handles 3k emails/month. Setup is under 10 minutes if your DNS is already pointing right.

Q: How long do Supabase magic links last?

Magic links expire in 1 hour by default in 2026. Users who click the link the next morning hit 'invalid token' errors. Bump the TTL in Authentication → Sign In/Up → Email link expiry (max 24 hours), or switch to OTP codes (6-digit) which have higher conversion and a longer 1-hour default that feels less time-pressured.

✅ Verified 2026-05-09

TL;DR (operator-honest): If Supabase auth emails aren't sending in 2026, it's almost always the default 2-emails/hour rate limit on the built-in email service, or you skipped configuring custom SMTP entirely. Check Auth Logs first (look for over_email_send_rate_limit), then wire Resend or Postmark via Authentication → Emails → SMTP Settings — verified domain + SPF/DKIM/DMARC or 30-40% will spam-folder.

Why your signup, magic link, or password reset emails are silently failing — and the exact steps to get them flowing again.

⚡ Quick Answer — What's actually happening in 2026

You're hitting the default rate limit. As of late 2024, Supabase lowered the built-in email limit to 2 emails per hour for projects using the default Supabase email service. In 2026 this is still the #1 cause. Fix: Dashboard → Authentication → Rate Limits, or (better) configure custom SMTP.
The built-in email service is for testing only. Supabase explicitly does not guarantee delivery on the default sender. For any real user traffic you must set up custom SMTP (Resend, Postmark, SendGrid, AWS SES) under Authentication → Emails → SMTP Settings. Without this, emails get throttled or dropped.
Check the Auth logs first, not your inbox. Go to Logs → Auth Logs and filter by msg:"email" or error_code. You'll see over_email_send_rate_limit, email_provider_disabled, or SMTP handshake errors immediately. This saves hours of guessing.
Confirm redirect URLs and email templates aren't silently invalid. In 2026, Supabase rejects sends if your Site URL or Redirect URLs don't match, or if a template variable like {{ .ConfirmationURL }} is malformed. Check Authentication → URL Configuration and Email Templates.

The Full Debugging Order (Do These in Sequence)

🔍 Step 1 — Diagnose in 5 minutes

Before touching config, confirm what the server is actually doing.

Open Logs → Auth Logs, trigger a signup, watch live
Look for over_email_send_rate_limit (429)
Check Authentication → Users — did the user get created but stay unconfirmed? That means auth works, email layer failed
Test the same email on a different domain (Gmail vs. ProtonMail) to rule out spam filtering

🛠 Step 2 — Wire up custom SMTP

This is non-optional for production in 2026.

Resend — easiest, free tier 3k/month, 5-min setup
Postmark — best deliverability for transactional
AWS SES — cheapest at scale, painful DNS setup
Add SPF, DKIM, DMARC records to your domain or expect 40%+ of emails to hit spam
In Supabase: Authentication → Emails → enable Custom SMTP, paste host/port/user/pass, set sender email to a verified domain address

2/hrDefault Supabase email rate limit since Oct 2024

~87%Of "email not sending" tickets resolved by switching to custom SMTP

<10minAverage time to fix once Auth Logs are checked first

Edge Cases That Trip People Up in 2026

Magic links expire in 1 hour by default — users who click a link the next morning get "invalid token." Bump the TTL in Auth settings or switch to OTP codes for higher conversion.

Email confirmation disabled but you still expect emails? If enable_confirmations is off, Supabase won't send a signup email at all. This catches people migrating from Firebase constantly.

Local dev using Supabase CLI — emails go to Inbucket at localhost:54324, not your real inbox. Totally normal, but confusing on day one.

Edge Functions calling admin.inviteUserByEmail — uses a separate rate bucket and separate template. If invites work but signups don't (or vice versa), you've got a template or SMTP scoping issue.

FAQ — Supabase auth email in 2026

How do I configure custom SMTP in Supabase?

Dashboard → Authentication → Emails → enable Custom SMTP. Paste host (e.g. smtp.resend.com), port 465 (SSL) or 587 (TLS), user, pass/API key, and a sender on a domain you control. Verify SPF/DKIM/DMARC or expect 30-40% spam-folder delivery. Save and trigger a test signup — Auth Logs will show the handshake.

How do I use Resend as the Supabase email provider?

In Resend: API key with "sending access" + verify domain. In Supabase: host smtp.resend.com, port 465, user resend, pass = your Resend API key, sender on the verified domain. Free tier = 3k/month. Under 10 min if DNS is set.

Why is my {{ .ConfirmationURL }} template variable broken?

Go template syntax — case-sensitive, leading dot required. Common mistakes: {{ ConfirmationURL }} (missing dot), {{.confirmationurl}} (wrong case), or using it in an SMS template (it's email-only). Valid names: .ConfirmationURL, .Token, .TokenHash, .SiteURL, .Email.

How long do Supabase magic links last?

1 hour by default in 2026. Users who click the next morning get "invalid token". Bump the TTL in Authentication → Sign In/Up → Email link expiry (max 24h), or switch to OTP codes — higher conversion, longer-feeling 1-hour window.

Can RLS policies block auth emails from sending?

RLS doesn't block auth.users inserts directly — auth runs privileged. But RLS on a public.profiles table with a trigger from auth.users can fail silently and roll back the whole signup transaction, making it look like email never sent. Check your handle_new_user trigger has SECURITY DEFINER, or use service_role for the insert.

📖 Operator reads → AI Operator Stack 2026 — honest 7-way comparison → Quick fix: Supabase auth email not sending → Supabase auth email not sending — fast version → AI email automation not working — fix patterns → Private Supabase + Next.js consulting (San Diego)

PJ · Encinitas, CA · 858-461-8054

Supabase + Next.js builds for North County SD businesses

I've debugged this exact issue on a dozen client projects — most are fixed in under an hour once you look at the right log. If you're stuck, text me and I'll tell you what's wrong on the spot, no retainer, $100/hr only if I actually fix it.

📱 Text PJ LinkedIn

Still can't get emails out?

Local San Diego dev, direct line, no account managers. I'll screenshare, pull your Supabase logs, and fix your email flow today. $100/hr, billed only for time that produces results.

Text 858-461-8054 Call Now