BLOGS

Supabase Auth Emails Not Arriving? Troubleshooting Guide

March 12, 2026

A systematic guide to diagnosing and fixing Supabase authentication email delivery issues, from rate limits to spam filters to magic link failures.

Supabase Auth Emails Not Arriving? Troubleshooting Guide

The Problem

Your Supabase app is live. Users try to sign up, reset their password, or use a magic link. The email never arrives.

This is one of the most frustrating issues Supabase developers face. Let’s systematically diagnose and fix it.

Quick Diagnosis

Before diving into solutions, identify which category your issue falls into:

SymptomLikely CauseJump to
”Email rate limit exceeded” errorBuilt-in provider limitsRate Limits
”Email address not authorized” errorNo custom SMTP configuredEmail Address Not Authorized
No errors, but emails don’t arriveDeliverability issuesDeliverability Issues
Emails bouncingInvalid address or typoEmails Bouncing
Emails landing in spamDomain reputationEmails Landing in Spam
Magic link shows “invalid” or “expired”Link scanner pre-clickingMagic Link Issues
Local dev emails not workingConfig.toml misconfigurationLocal Development Issues

Rate Limits

Supabase’s built-in email provider is not for production purposes and has strict limits that will block your auth flow.

Current limits:

If you see the “Email rate limit exceeded” error, you’ve hit this limit.

Solution

Configure a dedicated email provider through SMTP instead of using Supabase’s internal email system.

  1. Choose an SMTP provider. We recommend Pingram for its generous free tier and native Supabase integration. See our SMTP provider comparison for alternatives.
  2. Create an account on your chosen provider.
  3. Connect to Supabase. With Pingram, use the “Integrate with Supabase” button in the dashboard. For other providers, copy the SMTP credentials from their settings and paste them into Supabase under Authentication → SMTP Settings.

”Email address not authorized”

This error means you’re trying to send auth emails to an address that isn’t on your Supabase project’s team.

Why this happens: Without a custom SMTP provider, Supabase’s built-in email service only sends to organization members. If your team includes alice@example.com and bob@example.com, auth emails will only work for those addresses. Everyone else gets this error.

The fix: Configure a dedicated email provider through SMTP instead of using Supabase’s internal email system.

  1. Choose an SMTP provider. We recommend Pingram for its generous free tier and native Supabase integration. See our SMTP provider comparison for alternatives.
  2. Create an account on your chosen provider.
  3. Connect to Supabase. With Pingram, use the “Integrate with Supabase” button in the dashboard. For other providers, copy the SMTP credentials from their settings and paste them into Supabase under Authentication → SMTP Settings.

Deliverability Issues

Supabase or SMTP provider says the email was sent, but users aren’t receiving it. This is a deliverability problem.

Check Your Auth Logs First

Start with Supabase’s built-in logging:

  1. Go to your Supabase Dashboard
  2. Navigate to Authentication → Logs
  3. Look for errors during the email handoff

Once an email is handed to your SMTP provider, Supabase can’t control what happens next. If the handoff succeeded, check your provider’s delivery logs. If you’re using Pingram, go to Logs in the dashboard to see delivery status for each email.

Emails Bouncing

If your SMTP provider shows emails bouncing, start with the basics before diving into complex fixes.

1. Verify the email address is valid

Typos are more common than you’d think. Check for:

2. Test with your own email address

Send a test auth email to yourself. If it arrives, the problem is with the specific recipient address, not your configuration.

3. Check bounce reasons in your SMTP provider

Your provider’s logs will show why the email bounced. Common reasons:

If emails are bouncing due to spam filtering or domain reputation issues, continue to the next section.

Emails Landing in Spam

If emails arrive but land in spam (or bounce due to spam filtering), your domain reputation or email configuration needs work.

1. Stop Using Supabase’s Built-in Emails

Emails sent through Supabase’s default service share reputation with other projects — their spam problems become your spam problems.

Fix: Configure a custom SMTP provider. See the Rate Limits section for setup steps.

2. Set Up a Custom Domain

Configure a custom sending domain in your SMTP provider. This adds SPF, DKIM, and DMARC authentication records that prove your emails are legitimate.

If you’re using Pingram, go to Settings → Domains to add and verify your domain.

3. Content Tips

The content of your emails affects deliverability:

Magic links have unique failure modes beyond standard email deliverability.

Cause: Email security scanners pre-click links to check for malware. This consumes the one-time authentication token before the user clicks.

Signs this is happening:

Solutions:

Option 1: Add an intermediate step

Instead of a direct magic link, send users to a page that says “Click to confirm sign-in” with a button. The scanner clicks the link, but the button remains unclicked.

<!-- Your intermediate confirmation page -->
<h1>Confirm your sign-in</h1>
<p>Click the button below to complete authentication.</p>
<button onclick="window.location.href='{{ original_magic_link }}'">
  Sign In
</button>

Option 2: Use OTP instead of magic links

Switch from magic links to email OTP (one-time passwords). Users receive a 6-digit code instead of a link:

// Supabase OTP sign-in
const { error } = await supabase.auth.signInWithOtp({
  email: 'user@example.com',
  options: {
    shouldCreateUser: true
  }
});

The user enters the code manually, bypassing link scanning entirely.

PKCE Flow Errors

If you’re building a mobile app and see #ZgotmplZ in your magic link emails, you’re hitting a PKCE flow issue.

Cause: Supabase’s email templates use Go’s template/html package, which escapes non-standard URL schemes (like myapp:// deep links).

Fix: Use a multi-step redirect:

  1. Email links to your website: https://yourdomain.com/auth/callback
  2. Your website redirects to your app: myapp://auth/callback

Local Development Issues

Auth emails not working in local development is usually a configuration issue.

Check config.toml

In your local Supabase project, verify supabase/config.toml:

[auth]
# Make sure email provider is enabled
enable_signup = true

[auth.email]
# For local dev, use Inbucket (Supabase's built-in email testing tool)
enable_confirmations = true

Use Inbucket for Testing

Supabase includes Inbucket, a local email testing server. Access it at:

http://localhost:54324

All auth emails in local development are captured here instead of being sent to real addresses.

After deploying, verification links may still point to localhost or the wrong domain.

Fix: Update your site URL in Supabase:

  1. Go to Authentication → URL Configuration
  2. Set Site URL to your production domain
  3. Add your local dev URL to Redirect URLs for testing

Checklist: Production-Ready Auth Emails

Before going live, verify:

  1. Custom SMTP provider configured (not Supabase’s built-in)
  2. Custom domain with SPF, DKIM, and DMARC records
  3. Links in email content matching the sender domain
  4. Simple email structure with non-promotional language
  5. Unsubscribe link in the email footer

Still Having Issues?

Additional Resources