Email delivery is tested and working

Sandbox SMTP credentials (Ethereal, Mailtrap, Resend test keys starting re_test_) accept messages and return a success response, then silently discard them. Password-reset emails never arrive, signup confirmations vanish, and paying customers cannot recover locked accounts. Support inboxes fill with I never got the email complaints that look like user error but are actually a missing production key. GDPR and CAN-SPAM also require functional unsubscribe mail that a sandbox swallows.

Swap sandbox keys for production credentials in your hosting platform's environment configuration — Resend re_ (not re_test_), SendGrid production API key, or Postmark server token. Verify the sender domain and publish DKIM, SPF, and DMARC records so Gmail and Outlook do not quarantine the mail. Then send one real test to an address you control, including a spam-folder check, for every flow: signup, password reset, receipts.

// lib/email.ts
import { Resend } from 'resend'
const resend = new Resend(process.env.RESEND_API_KEY)

• ID: pre-launch.monitoring.email-delivery

• Severity: high

• What to look for: Count all email-sending functions and transactional email templates. Enumerate whether email delivery is configured with a production service (SendGrid, Resend, AWS SES). Check for email sending dependencies: nodemailer, @sendgrid/mail, resend, postmark, @mailchimp/mailchimp_transactional, aws-sdk (SES). Check for email templates or email sending utility files. Look for environment variables related to email (SMTP_HOST, SENDGRID_API_KEY, RESEND_API_KEY, etc. in .env.example). Check transactional email usage in auth flows, notification handlers, and contact form submissions.

• Pass criteria: An email sending library is present and configured with production credentials, OR the project has no email-sending functionality. At least 1 production email service must be configured (not localhost SMTP).

• Fail criteria: An email sending library is present but configured with test/sandbox credentials only, or there is evidence of email functionality that has never been end-to-end tested (e.g., commented test lines, TODO notes about email testing).

• Skip (N/A) when: Skip if no email sending library is detected and no email-related environment variables or templates are found. Signal: none of the above libraries in package.json and no SMTP/email API variables in .env.example.

• Cross-reference: For custom email domain, see custom-email.

• Detail on fail: "Email sending library detected but only sandbox/test configuration found — transactional emails (password resets, notifications) may not deliver in production"

• Remediation: Many vibe-coded projects use sandbox email credentials that silently discard messages. Users never receive password reset emails or onboarding notifications:

  // lib/email.ts — production email service
  import { Resend } from 'resend'
  const resend = new Resend(process.env.RESEND_API_KEY)
  

  1. Switch from test/sandbox to production email credentials in your hosting platform's environment configuration.
  2. For Resend: switch from test API key (re_test_...) to live key (re_...). Verify your sender domain in the Resend dashboard.
  3. For SendGrid: switch to production API key. Set up domain authentication (DKIM/SPF) to improve deliverability.
  4. After switching to production credentials, send a real test email to an address you control and verify receipt (including checking spam folder).
  5. Test all email flows: welcome email, password reset, notification emails, and any other transactional messages.