What does the Supabase Email Checker inspect?

It checks the production readiness of Supabase Auth email: sender route, default Supabase sender risk, expected launch volume, Site URL, redirect URLs, auth flows, sender-domain DNS, DMARC posture, and template readiness.

Does this test my SMTP username and password?

If you choose Custom SMTP, you can optionally run the shared SMTP tester from this hub. Credentials are sent only to run the connection, TLS, authentication, and optional controlled-send test; Dreamlit does not store them or show them back.

Why is the default Supabase sender risky for production?

The built-in sender is convenient for development, but production projects should use custom SMTP, a Send Email Hook, or a managed sender route so auth email volume, branding, and domain authentication are under your control.

Can this help when Supabase magic links are not sending?

Yes. It checks the sender and launch risks that stop or delay auth email, then points magic-link-specific redirect and callback issues to the Supabase Magic Link Checker.

How should I test password reset email before launch?

Trigger a reset from the production app, confirm the email arrives, open the reset link on the expected device/browser, complete the password change, and verify the template explains expiry and resend expectations.

Do I need SPF, DKIM, and DMARC for Supabase Auth email?

If you send from a custom domain, SPF and DKIM should be correct for the sender service, and DMARC should at least be monitored. These checks help receivers trust signup, magic link, and password reset email.

Supabase Email Checker

Direct answer

What makes Supabase Auth email production-ready?

A production-ready Supabase email setup has a confirmed sender route, production Site URL, exact redirect allow list entries, tested auth flows, authenticated sender DNS, and templates that make the next action obvious.

For most launches, the default Supabase sender is the first thing to replace. Use custom SMTP, a Send Email Hook, or Dreamlit so signup confirmation, magic link, password reset, invite, email change, and reauthentication email are not blocked by development-oriented limits.

Supabase production checks

What the report prioritizes.

Default sender and rate-limit risk
If you are near launch or expecting a signup burst, treat the default Supabase sender as a launch blocker until a production route is confirmed.
Custom SMTP vs Send Email Hook
Custom SMTP keeps Supabase responsible for sending through your provider. Send Email Hook lets your app or Dreamlit own the email workflow, template, and delivery path.
Magic link and password reset URLs
Site URL is the fallback destination. Redirect URLs must include every callback, preview, localhost, and mobile deep-link target your app actually sends.
Sender-domain DNS
SPF and DKIM should match the service sending the message. DMARC gives receivers a domain-level policy once alignment is working.

Template readiness

Auth email templates need more than a button.

Branding

Users should recognize the app sending the auth email before they click.

Link destination

The primary button should open the production app or the exact auth callback route.

Variables

Review ConfirmationURL, TokenHash, SiteURL, RedirectTo, Email, and NewEmail for the flow you use.

Support and expiry

Explain what to do if the link expires, was not requested, or needs to be resent.

Common questions

Supabase email questions, answered.

What does the Supabase Email Checker inspect?: It checks the production readiness of Supabase Auth email: sender route, default Supabase sender risk, expected launch volume, Site URL, redirect URLs, auth flows, sender-domain DNS, DMARC posture, and template readiness.
Does this test my SMTP username and password?: If you choose Custom SMTP, you can optionally run the shared SMTP tester from this hub. Credentials are sent only to run the connection, TLS, authentication, and optional controlled-send test; Dreamlit does not store them or show them back.
Why is the default Supabase sender risky for production?: The built-in sender is convenient for development, but production projects should use custom SMTP, a Send Email Hook, or a managed sender route so auth email volume, branding, and domain authentication are under your control.
Can this help when Supabase magic links are not sending?: Yes. It checks the sender and launch risks that stop or delay auth email, then points magic-link-specific redirect and callback issues to the Supabase Magic Link Checker.
How should I test password reset email before launch?: Trigger a reset from the production app, confirm the email arrives, open the reset link on the expected device/browser, complete the password change, and verify the template explains expiry and resend expectations.
Do I need SPF, DKIM, and DMARC for Supabase Auth email?: If you send from a custom domain, SPF and DKIM should be correct for the sender service, and DMARC should at least be monitored. These checks help receivers trust signup, magic link, and password reset email.

References

Supabase Auth email references

Fix it with Dreamlit

Set up Supabase Auth email workflows without wiring SMTP by hand.

Dreamlit connects to Supabase and helps teams build branded, production-ready auth and lifecycle email workflows from their own data.

Build Supabase email workflows

Is your Supabase email setup production-ready?