ERR-421/Supabase · Resend · DNS

ERR-421

Password reset email not sending

appears when:user clicks 'Forgot password' in production — request returns 200, inbox stays empty.

Password reset email not sending

Everything works locally; in production the email never arrives. Three layers typically fail: Supabase's shared SMTP has already burned its hourly quota, DNS lacks SPF/DKIM/DMARC, or the sender domain is unverified with your SMTP provider.

Last updated 17 April 2026 · 6 min read · By Hyder Shah

Emergency triage — $299 Free diagnostic

Direct answer

Password reset emails fail in production because Supabase's default shared SMTP is rate-limited to ~3 per hour, and even with your own SMTP provider the message is quietly filtered when SPF, DKIM, or DMARC fail. Wire Resend or Postmark in Supabase Authentication → Email → SMTP Settings, add the SPF TXT, DKIM CNAME, and DMARC TXT records from your provider, and send a test. Fifteen minutes for SMTP plus up to 24 hours for DNS to propagate.

Quick fix for password reset email not sending

email-delivery-setup.txt

text

01// 1. Supabase Dashboard → Authentication → Email → SMTP Settings02Host:      smtp.resend.com03Port:      465              // or 587 for STARTTLS04Username:  resend05Password:  <RESEND_API_KEY>06Sender:    noreply@yourapp.com   // must be on a verified domain07Interval:  1 second between emails08 09// 2. DNS provider (Cloudflare / Route53 / Vercel DNS)10// Copy exact values from Resend dashboard — these are examples.11yourapp.com                       TXT    "v=spf1 include:amazonses.com ~all"12resend._domainkey.yourapp.com     CNAME  resend._domainkey.resend.com13_dmarc.yourapp.com                TXT    "v=DMARC1; p=none; rua=mailto:dmarc@yourapp.com"14 15// 3. Supabase → Authentication → Email Templates → Reset Password16// Confirm {{ .ConfirmationURL }} resolves to https://yourapp.com/auth/callback

Paste SMTP creds in Supabase, add DNS records, update the reset template. Send a test.

Deeper fixes when the quick fix fails

01 · Password reset email not sending — fix

Just adding the DNS records is not enough — they have to pass at the receiving mailbox. Send a reset to a Gmail address you own, open the message, view original headers, and confirm spf=pass, dkim=pass, dmarc=pass. Any fail or neutral means the DNS record does not match the provider's expected value byte-for-byte.

scripts/check-email-auth.sh

bash

01# Confirm DNS records exist and point at the SMTP provider02dig +short TXT yourapp.com | grep -i spf03dig +short CNAME resend._domainkey.yourapp.com04dig +short TXT _dmarc.yourapp.com05 06# Use mail-tester.com for a full deliverability score (10/10 target)

02 · Fix the {{ .ConfirmationURL }} template token

If the reset template uses a hard-coded URL, links break between staging and prod. The Supabase template placeholder {{ .ConfirmationURL }} resolves from the Site URL configured under Authentication → URL Configuration. Update that single value and every template link follows.

03 · Avoid noreply@mail.app.supabase.io in production

The default Supabase sender is shared across thousands of projects and has variable reputation. Gmail and Outlook increasingly drop it. Move to a sender on your own verified domain (for example auth@yourapp.com) as soon as SMTP is wired.

04 · Move urgent sending to a pre-warmed transactional stream

If you are on a brand-new domain, the first week of sends will land in spam until the domain builds a reputation. Postmark's transactional stream uses pre-warmed IPs and is the fastest path to reliable delivery when you cannot wait the warmup window.

Why AI-built apps hit password reset email not sending

Lovable, Bolt, and Cursor ship Supabase-backed auth that relies on the built-in shared SMTP server by default. That server is deliberately rate-limited — around three to four emails per hour per project — and is intended for development only. Founders test locally, confirm the password reset email arrives, deploy to production, and then onboard their first ten users. Most of those users never see the reset email because the shared SMTP quota was exhausted on hour one. Supabase logs the request as "email sent" because it queued the message; the message itself never leaves the throttled queue.

Even when founders configure their own SMTP, the second trap is a missing DNS trust chain. Gmail and Outlook check SPF, DKIM, and DMARC to decide whether a message is trustworthy. Without those records, the message is either rejected outright or dumped into spam. The app-side code looks correct, the Supabase log says "email sent," the SMTP provider log says "delivered" — but the recipient never sees the message because their mail server silently quarantined it.

The third problem is sender verification. Resend, Postmark, and SendGrid all require you to verify the domain you send from. AI generators often write a sender like noreply@yourapp.com without telling you that you must add domain verification records. The first send then silently fails at the SMTP provider level, Supabase logs a generic error, and the founder cannot tell whether the problem is Supabase, SMTP, DNS, or code. The only path out is to check each layer in order.

password reset email not sending by AI builder

How often each AI builder ships this error and the pattern that produces it.

AI builder × password reset email not sending

Builder	Frequency	Pattern
Lovable	Very high	Ships on default Supabase shared SMTP; rate limit hits within an hour of launch.
Bolt.new	High	Configures Resend SMTP but skips sender domain verification — sends silently fail.
v0	Medium	Hard-codes the reset URL in the email template; links break on first deploy.
Cursor	Medium	Adds SPF but forgets DKIM and DMARC; Gmail routes messages to spam.
Replit	Medium	Leaves Supabase sender as noreply@mail.app.supabase.io in production.
Claude Code	Low	Correct SMTP wiring but no DMARC policy — Outlook rejects based on alignment.
Windsurf	Low	Uses SendGrid with a free-tier shared IP; reputation collapses after one spike.
Base44	Medium	Custom domain added in Base44 UI but never verified with the SMTP provider.

Related errors we fix

Stop password reset email not sending recurring in AI-built apps

→Never ship production auth on Supabase's default shared SMTP.
→Verify SPF + DKIM + DMARC on the live domain before onboarding the first real user.
→Monitor SMTP provider deliverability weekly; set an alert when bounce rate > 2%.
→Keep sender domain and Supabase Site URL aligned — both drive the {{ .ConfirmationURL }} link.
→Test delivery across Gmail, Outlook, and one custom-domain mailbox on every release.

Still stuck with password reset email not sending?

Emergency triage · $299 · 48h turnaround

We restore service and write the root-cause report.

Get transactional email landing in the inbox — and stay there.

→End-to-end SMTP + SPF/DKIM/DMARC setup on your verified domain
→Reset, confirmation, and magic-link templates reviewed against Gmail/Outlook policies
→Post-setup deliverability report with mail-tester scores per template

start the triage →

Free 30-min diagnostic

password reset email not sending questions

Why is my Supabase password reset email not sending?+

The default Supabase SMTP server is rate-limited to about 3 emails per hour and is shared across every project. The moment your app exceeds that limit, requests succeed from the client's point of view but no email is delivered. The fix is to configure your own SMTP provider (Resend, Postmark, SendGrid) in Supabase Authentication → Email → SMTP Settings. That lifts the rate limit and gives you delivery logs.

How do I know if SMTP is the problem vs DNS?+

Check Supabase Dashboard → Logs → Auth Logs. If the log shows 'email sent' but the user never receives it, the problem is downstream — DNS (SPF, DKIM, DMARC), reputation, or spam filtering. If the log shows an error like 'SMTP authentication failed' or 'connection refused,' the SMTP credentials are wrong. The log is the fastest way to know which layer is failing.

What SMTP settings should I use with Resend for Supabase?+

Host: smtp.resend.com. Port: 465 (TLS) or 587 (STARTTLS). Username: resend. Password: your Resend API key. Sender email: a verified domain like noreply@yourapp.com. Minimum interval between emails: 1 second. The most common mistake is using an unverified sender — Resend rejects the send and Supabase shows a generic 500.

Why do password reset emails go to spam?+

Because the sending domain fails SPF, DKIM, or DMARC checks. Every email provider (Resend, Postmark, SendGrid) gives you DNS records to add — an SPF TXT record, a DKIM CNAME, and a DMARC TXT record. Without those, Gmail and Outlook flag the message as untrusted and route it to spam. The fix is to log into your DNS provider and add the exact records from your SMTP provider's dashboard.

How long does it take to fix password reset email delivery?+

Fifteen minutes for SMTP configuration. Another thirty minutes if DNS records need to be added — and then up to 24 hours for DNS to propagate and for your sending domain to build a small reputation. If you are on a fresh domain, expect the first few sends to land in spam until the reputation warms up. For urgent delivery, use Postmark's transactional stream, which has pre-warmed IPs.

Next step

Ship the fix. Keep the fix.

Emergency Triage restores service in 48 hours. Break the Fix Loop rebuilds CI so this error cannot ship again.