TL;DR
Resend is a secure, modern email API for developers. It requires domain verification (SPF, DKIM) before sending, uses API keys for authentication, and provides webhook security with signatures. The platform is straightforward with fewer configuration pitfalls than legacy email services. Protect your API key and you're good.
What is Resend?
Resend is a developer-focused email API for transactional emails (password resets, notifications, receipts). Built by the team behind react.email, it emphasizes developer experience with React components for email templates. It is a growing alternative to SendGrid and Mailgun.
Our Verdict
What's Good
- Domain verification required
- SPF/DKIM handled properly
- Webhook signatures
- Simple, secure API
- Good deliverability
What to Watch
- API key protection critical
- Webhook verification required
- Newer service (less track record)
API Key Security
Server-Side Only: Resend API keys should only be used server-side. Never expose them in client-side code: an attacker could send emails as your domain.
| Key Type | Permissions | Use Case |
|---|---|---|
| Full access | All operations | General use |
| Sending access | Send only | Production apps |
Best Practice: Use sending-only API keys for your production applications. Keep full-access keys for administrative tasks only.
Domain Security
Resend requires proper domain setup:
- Domain verification: Prove ownership before sending
- SPF record: Authorize Resend to send on your behalf
- DKIM signing: Cryptographic email authentication
- DMARC: Optional but recommended for full protection
Webhook Security
Verify webhook events from Resend:
- Resend signs webhooks with a secret
- Verify signatures to ensure authenticity
- Use HTTPS endpoints only
- Handle events idempotently
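The checks in this list can be combined into one receiver. The sketch below is an added example, not code from Resend or from this page. It assumes the Svix-style signing scheme (`svix-id`, `svix-timestamp` and `svix-signature` headers, HMAC-SHA256 over `id.timestamp.body`, a `whsec_`-prefixed base64 secret), which this page does not spell out, along with lower-cased header names and a 300-second freshness window.

```python
import base64
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window, not a value from the page
# Constructed sample values (not real credentials or traffic).
SAMPLE_SECRET = "whsec_" + base64.b64encode(b"constructed-test-key").decode()
SAMPLE_BODY = b'{"type":"email.delivered","data":{"email_id":"constructed-id"}}'


def expected_signature(secret, msg_id, timestamp, body):
    # Assumed scheme: key is the base64 part after "whsec_"; the MAC covers
    # "id.timestamp.body" using the raw request bytes, not re-serialized JSON.
    key = base64.b64decode(secret.removeprefix("whsec_"))
    signed = msg_id.encode() + b"." + timestamp.encode() + b"." + body
    return base64.b64encode(hmac.new(key, signed, hashlib.sha256).digest()).decode()


def verify_webhook(secret, headers, body, now=None):
    """Return True only for a fresh, correctly signed delivery."""
    try:
        msg_id = headers["svix-id"]
        timestamp = headers["svix-timestamp"]
        candidates = headers["svix-signature"].split()
        age = abs((time.time() if now is None else now) - int(timestamp))
    except (KeyError, ValueError):
        return False
    if age > TOLERANCE_SECONDS:
        return False  # stale or future-dated: treat as a replay
    want = expected_signature(secret, msg_id, timestamp, body).encode()
    # The header may carry several space-separated "v1,<base64>" entries.
    return any(
        version == "v1" and hmac.compare_digest(sig.encode(), want)
        for version, _, sig in (c.partition(",") for c in candidates)
    )


def handle(secret, seen_ids, headers, body, now=None):
    """Verify first, then act on each message id at most once."""
    if not verify_webhook(secret, headers, body, now):
        return 401, False
    if headers["svix-id"] in seen_ids:
        return 200, False  # duplicate delivery: acknowledge, do nothing
    seen_ids.add(headers["svix-id"])  # use a durable store in production
    return 200, True  # caller processes the event now
```

Parse the JSON only after `handle` returns `True`, and pass it the request body exactly as received, since any re-encoding changes the bytes the signature covers.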
Email Security Best Practices
| Practice | Why It Matters |
|---|---|
| HTTPS only | Encrypt API calls |
| Domain verification | Prevent spoofing |
| API key rotation | Limit exposure window |
| Rate limiting | Prevent abuse |
| Input sanitization | Prevent injection in templates |
Is Resend safe for production?
Yes, Resend is used in production by many companies. It handles email authentication (SPF, DKIM) correctly, requires domain verification, and uses industry-standard API security.
What if my API key is exposed?
Immediately revoke the key in your Resend dashboard and create a new one. An exposed key could be used to send emails from your domain, potentially damaging your reputation and deliverability.
Resend vs SendGrid: which is more secure?
Both are secure when configured correctly. Resend is simpler with fewer settings to misconfigure. SendGrid has more enterprise features and a longer track record. Security depends more on your implementation than the provider.