
Supabase Email Auth: Why Is My Verification Email Not Arriving?
User signed up, but no email arrived. Is it Supabase's fault? Learn why default SMTP fails and how to fix it using Resend or AWS SES.

User signed up, but no email arrived. Is it Supabase's fault? Learn why default SMTP fails and how to fix it using Resend or AWS SES.
You changed the code, saved it, but the browser does nothing. Tired of hitting F5 a million times? We dive into how HMR (Hot Module Replacement) works, why it breaks (circular dependencies, case sensitivity, etc.), and how to fix it so you can regain your development speed.

Troubleshooting absolute path import configuration issues in TypeScript/JavaScript projects. Exploring the 'Map vs Taxi Driver' analogy, CommonJS vs ESM history, and Monorepo setup.

How to solve CORS errors during development using proxy configuration and important considerations.

HTTP is stateless. How Cookies and Sessions solve this. Comparing Stateful Auth (Session) vs Stateless Auth (JWT).

On launch day, I asked my friends, "Hey, sign up for my app!" A minute later, I got a text. "I clicked sign up, but the email isn't coming."
Testing it myself, nothing arrived.
Checked the Spam folder. Nothing.
Checked Supabase Dashboard logs. It said Auth: Email sent.
In that moment, I realized sending an email isn't just calling a simple sendMail() function.
My precious verification email had been marked as 'Spam' somewhere in the vast ocean of the internet and evaporated.
Since Supabase is a "Backend-as-a-Service," I assumed it would handle email delivery perfectly. The docs even said "Email Auth is enabled by default."
But I missed a crucial disclaimer:
"Supabase provides a default SMTP for testing purposes only. Rate limits apply."
Supabase's default email server is for "Testing Only." Tens of thousands of free tier users share this single server. If someone sends spam through it, the server's IP Reputation tanks.
Servers like Gmail, Outlook, and Yahoo look at emails from Supabase's default server with extreme suspicion. "Oh? This IP was sending gambling spam yesterday. Block."
My legitimate service emails were getting blocked simply by association.
A friend explained it as "Public Mailbox vs. Private Courier."
"Ah, if I don't want my service to be treated like junk, I need to hire a private courier." I immediately started setting up Custom SMTP.
AWS SES was too complex, so I chose Resend for its developer-friendly experience. (100 free emails/day is enough for verified domains initially).
I signed up for Resend and added my domain (codemapo.com).
They gave me 3 DNS records:
I had to copy these into my DNS settings (Vercel, Cloudflare). If you skip this? It's like sending a courier in a suit but without an ID card. Still treated as spam.
Go to Supabase Dashboard -> Project Settings -> Auth -> SMTP Settings.
Don't just toggle Resend integration; verify Custom SMTP settings.
noreply@codemapo.com (Must use your domain! Don't use @gmail.com)smtp.resend.com465 (SSL)resendAfter saving, I tried signing up again. Less than a second later, my phone buzzed. "Ding!" It landed proudly in the Inbox, not Spam. The satisfaction!
To stay out of the spam folder, you must understand these three.
1.2.3.4. Is this your guy?" DNS replies v=spf1 include:resend.com, meaning "Yes, Resend is our authorized sender."none (monitoring) and move to quarantine later.Which one should you pick in 2025?
| Provider | Free Tier | Pros | Best For |
|---|---|---|---|
| Resend | 3,000/mo | Amazing DX, React Email support | Startups / Indy Devs |
| AWS SES | 62,000/mo | Dirt cheap ($0.10/1k emails) | Scale / DevOps Pros |
| SendGrid | 100/day | Reliable, feature-rich | Legacy systems |
| Mailgun | Trial Only | Strict enforcement | Not recommended |
I vote for Resend. It's built by the same aesthetic philosophy as Vercel. Their React Email library allows you to build email templates using React components instead of archaic HTML <table> tags.
Just buying a domain and setting up SMTP isn't enough.
If you buy newapp.com today and send 10k emails tomorrow, you WILL be blocked.
The Warm-up Schedule:
This builds "IP Reputation."
Also, keep an eye on Bounce Rate. If you send emails to non-existent addresses (e.g., test@test.com), your reputation score drops. Use an email validation library on your signup form.
Be careful when testing locally (localhost:3000).
When you click the Confirm your email link, Supabase redirects the user to the Site URL.
If Site URL is set to production (https://codemapo.com), signing up locally will redirect you to the live site after verification, making it look like login failed (session is on prod, not localhost).
Solution:
Add http://localhost:3000/** to Redirect URLs in Supabase Auth settings.
And explicitly specify emailRedirectTo in your client code:
await supabase.auth.signUp({
email,
password,
options: {
emailRedirectTo: 'http://localhost:3000/auth/callback', // Explicitly set local URL
},
});