# Production email with Resend (operator)

BilHej sends password-reset mail via **SMTP** (Spring `JavaMailSender`). You do **not** need the Resend Java SDK from their onboarding snippet—only env vars on the server.

## Security

- Never commit `re_...` keys to git. Put them only in the server `.env`.
- If an API key was pasted in chat or logs, **revoke it** in Resend → API Keys and create a new one.

## 1. Verify bilhej.se in Resend

1. [Resend](https://resend.com) → **Domains** → add `bilhej.se`
2. Add the DNS records Resend shows (SPF, DKIM; DMARC optional) at your domain registrar
3. Wait until status is **Verified**

Until the domain is verified, `MAIL_FROM=noreply@bilhej.se` will fail. For a quick API test only, Resend allows `onboarding@resend.dev` → your own inbox—not for production.

## 2. Production `.env` (SMTP, not SDK)

On the server (file used by `docker-compose.prod.yml`):

```bash
APP_PUBLIC_BASE_URL=https://bilhej.se
MAIL_HOST=smtp.resend.com
MAIL_PORT=587
MAIL_USERNAME=resend
MAIL_PASSWORD=re_your_new_api_key_here
MAIL_FROM=noreply@bilhej.se
```

| Variable | Resend value |
|----------|----------------|
| `MAIL_USERNAME` | Always the literal string `resend` |
| `MAIL_PASSWORD` | Your API key (`re_...`) |
| `MAIL_FROM` | Any address on **verified** domain, e.g. `noreply@bilhej.se` |

## 3. Deploy

Run **Deploy to Production** in Forgejo (pipeline only—no manual rsync).

## 4. Smoke test

1. https://bilhej.se/logga-in → **Glömt lösenord?**
2. Email that exists in `users`
3. Check inbox and spam
4. Resend dashboard → **Emails** should show the send
5. On failure: `docker logs bilhej-backend-prod 2>&1 | grep -i mail`

Fallback: reset links still log when `MAIL_HOST` is empty.

## Local dev

Keep using Mailpit (`docker compose up`, http://localhost:8025). Do not point local Docker at Resend unless you intend to send real mail.

## 5. Inbound email on bilhej.se

Inbound mail uses **Resend Receiving** on the root domain `bilhej.se`.
No mailbox is created in Strato; the MX record routes all `@bilhej.se` addresses to Resend. You do not create each address separately in Resend.

**Setup (done once):**

1. Resend → **Domains** → `bilhej.se` → enable **Receiving**
2. Strato → **DNS** → add the receiving MX record (e.g. `inbound-smtp.eu-west-1.amazonaws.com`)
3. Wait until Resend shows receiving as **Verified**
4. Send test mail to `support@bilhej.se` and `kontakt@bilhej.se`; confirm both appear under **Emails → Receiving**

**Reading mail:** open the [Resend Receiving inbox](https://resend.com/emails/receiving). There is no automatic forward to Gmail unless you add a webhook handler later.

| Address | Purpose | Where mail goes |
|---------|---------|-----------------|
| `support@bilhej.se` | Orders, Swish, status, technical issues | Resend dashboard |
| `kontakt@bilhej.se` | General contact, printed letter footer | Resend dashboard |
| `klagomal@bilhej.se` | Complaints (shown on `/kontakt`) | Resend dashboard |
| `noreply@bilhej.se` | Outbound only (password reset) | Not an inbox |

**Optional later (same Resend inbox, no extra DNS):** `abuse@bilhej.se` if you want a published address for misuse reports; `privacy@bilhej.se` if integritetspolicy asks for a dedicated data-protection contact.
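
A pre-deploy lint for the production `.env` from section 2, added here as an example and not part of the BilHej repository: it checks the `MAIL_*` values against the table, flags the empty-`MAIL_HOST` logging fallback from section 4, and never prints the key. The function names `env_get` and `check_resend_env` and the file-permission check are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not BilHej project code): lint the production .env from section 2.
# Prints one finding per line, never the key itself; returns 1 if anything is wrong.
# Usage after sourcing this file: check_resend_env /path/to/.env

env_get() {  # env_get FILE KEY -> value of the last KEY= line, surrounding quotes stripped
  sed -n "s/^$2=//p" "$1" | tail -n 1 | sed -e "s/^[\"']//" -e "s/[\"']\$//"
}

check_resend_env() {
  local file=$1 bad=0 host port user pass from
  host=$(env_get "$file" MAIL_HOST); port=$(env_get "$file" MAIL_PORT)
  user=$(env_get "$file" MAIL_USERNAME); pass=$(env_get "$file" MAIL_PASSWORD)
  from=$(env_get "$file" MAIL_FROM)

  # Empty MAIL_HOST is the logging fallback: reset links would land in container logs.
  if [ -z "$host" ]; then
    echo "MAIL_HOST is empty: reset links are logged instead of mailed"; bad=1
  elif [ "$host" != "smtp.resend.com" ]; then
    echo "MAIL_HOST is '$host', runbook value is smtp.resend.com"; bad=1
  fi
  [ "$port" = "587" ] || { echo "MAIL_PORT is '$port', runbook value is 587"; bad=1; }
  [ "$user" = "resend" ] || { echo "MAIL_USERNAME must be the literal string resend"; bad=1; }

  case "$pass" in
    re_your_new_api_key_here) echo "MAIL_PASSWORD is still the placeholder"; bad=1 ;;
    re_?*) ;;  # has the re_ prefix; the value is deliberately not echoed
    *) echo "MAIL_PASSWORD is missing or does not start with re_"; bad=1 ;;
  esac

  case "$from" in
    ?*@bilhej.se) ;;
    *) echo "MAIL_FROM must be an address on the verified domain bilhej.se"; bad=1 ;;
  esac

  # Assumption of this example: the key lives only in this file, so other
  # users on the server should not be able to read it.
  if [ -n "$(find "$file" -perm -004 2>/dev/null)" ]; then
    echo "$file is world-readable"; bad=1
  fi
  return "$bad"
}
```
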