Resend email setup
Resend sends severity-routed alert emails (medium / high / critical) to any address you configure. Free tier gives you 3,000 emails a month — plenty for personal monitoring.
What you need
- A Resend account — free at resend.com.
- A domain you can add DNS records to (e.g.
yourdomain.com), OR Resend's onboarding sandbox if you just want to try it. - One Resend API key (created in the Resend dashboard).
11. Verify a sending domain
In the Resend dashboard, open Domains → Add Domain and follow the DNS instructions (SPF + DKIM TXT records). Resend usually verifies within a few minutes once DNS propagates.
onboarding@resend.dev without verifying a domain — useful for testing, but recipients may see a warning header.22. Create an API key
Open resend.com/api-keys → Create API Key. Give it Sending access (the most-restrictive option). Copy the key — it starts with re_ and is shown once.
33. Choose where the key lives
SafeOS Guardian supports two patterns. Pick whichever fits your deployment.
Server-wide key (operator pays)
Set these three values on your API server's .env file. Every user of the deployment can then opt in to email alerts without supplying their own key.
RESEND_API_KEY=re_xxxxxxxxxxxxxxxxxxxxxxxx EMAIL_FROM="SafeOS Guardian <alerts@yourdomain.com>" EMAIL_REPLY_TO="team@yourdomain.com"
Restart your API server after editing. The setting takes effect immediately.
Bring your own key (per-user)
Go to Settings → Notifications, enable email alerts, and toggle Use my own Resend account. Paste your API key + a sender address from a domain you verified in your Resend account. The key is stored in this browser's local storage and only sent to the API server when an alert fires.
44. Test the integration
- Open Settings → Notifications.
- Toggle Enable email alerts.
- Enter the address you want alerts sent to.
- Click Send test email. You should get a confirmation message and receive the email within a few seconds.
Which alerts go to email?
SafeOS Guardian routes alerts by severity. The default policy:
| Severity | Browser push | SMS | Telegram | |
|---|---|---|---|---|
| info | ✓ | — | — | — |
| low | ✓ | — | — | — |
| medium | ✓ | ✓ | — | ✓ |
| high | ✓ | ✓ | ✓ | ✓ |
| critical | ✓ | ✓ | ✓ | ✓ |
Quiet hours suppress non-critical alerts. Critical events always come through.
Where your data lives
- The Resend API key (when BYO) sits in this browser's local storage. It never leaves your device until you click Send test email or an alert fires.
- Email content is rendered server-side and POSTed to Resend over HTTPS. SafeOS keeps no copy of the email body after dispatch.
- The recipient address is stored on your profile (and locally). Change or clear it at any time from the settings page.
- Frame does not receive copies of your alert emails. The path is
your browser → your SafeOS API server → Resend → your inbox.
Troubleshooting
- The test email button is disabled.
- Check that (a) the toggle is on, (b) the recipient field is a valid email, and (c) either the server reports Resend as configured (badge on this page) or you've entered your own API key.
- I get "Resend send failed: From address not authorized".
- Your
Fromaddress must use a domain that's verified in your Resend account. Either verify the domain or fall back toonboarding@resend.dev. - I'm not receiving alert emails even though the test worked.
- Confirm the alert severity is at least medium — info and low events never go to email by default. Also check spam, and the rate limits in your Resend dashboard.
- I want different sender names per scenario.
- Not currently supported — every alert uses the same
EMAIL_FROM(server) or sender override (BYO). Open an issue if you need per-stream sender routing. - Where do I see Resend errors?
- Server logs print
[NotificationManager]andResend send failed: …lines. The Resend dashboard's Logs tab shows every send attempt with delivery state.