Skip to content

Email (SMTP, Resend, SendGrid)

Connect any SMTP provider so Flow CMS can send invites, password resets and notifications — with exact settings for Resend, SendGrid and Mailgun.

Flow CMS sends its transactional email — teammate invites, password resets, content notifications and digests — through any SMTP provider you connect. There is no built-in mail service and no markup: bring Resend, SendGrid, Mailgun, Postmark, Amazon SES, Google Workspace, or your own mail host.

Configuration lives in Settings → Email: host, port, username, password and a From address, plus a Send test button that delivers a real test email so you know the connection works before anyone needs an invite.

The SMTP password is a credential. It is entered only on the Email settings screen, encrypted at rest with your instance's SECRETS_ENCRYPTION_KEY, and never returned to the browser.

Provider quick reference

Provider Host Port Username Password
Resend smtp.resend.com 465 (or 587) resend your Resend API key
SendGrid smtp.sendgrid.net 587 apikey (the literal string) your SendGrid API key
Mailgun smtp.mailgun.org 587 SMTP user from your domain page SMTP password
Postmark smtp.postmarkapp.com 587 server API token server API token
Amazon SES email-smtp.<region>.amazonaws.com 587 SMTP credentials from SES SMTP credentials from SES
Google Workspace smtp.gmail.com 587 your address an app password

Resend, step by step

  1. In Resend, add and verify your domain (Domains → Add domain) and create an API key.
  2. Add the DNS records Resend shows you (SPF + DKIM) and wait for the domain to verify.
  3. In Flow CMS Settings → Email: host smtp.resend.com, port 465, username resend, password = the API key, From = an address on the verified domain (e.g. [email protected]).
  4. Save, then Send test.

SendGrid, step by step

  1. In SendGrid, complete Sender Authentication (authenticate the domain — SPF + DKIM DNS records) and create an API key with Mail Send permission.
  2. In Flow CMS Settings → Email: host smtp.sendgrid.net, port 587, username apikey (exactly that string, not your account name), password = the API key, From = an address on the authenticated domain.
  3. Save, then Send test.

The From address matters as much as the credentials. Providers reject or spam-folder mail from unverified domains — verify the domain first, then use a From on that domain. [email protected]-style sandbox senders are fine for a first test but not for production.

Self-hosting notes

  • SMTP works on every edition, including Community — email is core, not a feature key.
  • Outbound port 587/465 must be open from wherever the backend runs. Some hosts block port 25 entirely; that is fine, since submission ports are what the providers use.
  • Credentials live in the database encrypted with SECRETS_ENCRYPTION_KEY — which is one more reason to back that key up.

Troubleshooting

Symptom Usual cause Fix
Authentication failed Wrong username convention SendGrid wants the literal apikey; Resend wants resend; both take the API key as the password
From address rejected Domain not verified with the provider Complete domain verification (SPF/DKIM), use a From on that domain
Test lands in spam Missing SPF/DKIM, or a free-mail From Verify the domain; avoid @gmail.com Froms through third-party SMTP
Connection timeout Port blocked by the host/firewall Try 587 ↔ 465, confirm outbound rules on your platform
Works locally, fails in prod Different env / secrets not set Re-enter credentials on the production instance; check SECRETS_ENCRYPTION_KEY is set

Once the test passes, the invite, reset, published and digest templates are customizable on the same settings screen. The help center has the editor-facing walkthrough.