# Production email with Resend (operator)

BilHej sends password-reset mail via **SMTP** (Spring `JavaMailSender`). You do **not** need the
Resend Java SDK from their onboarding snippet—only env vars on the server.

## Security

- Never commit `re_...` keys to git. Put them only in the server `.env`.
- If an API key was pasted in chat or logs, **revoke it** in Resend → API Keys and create a new one.

## 1. Verify bilhej.se in Resend

1. [Resend](https://resend.com) → **Domains** → add `bilhej.se`
2. Add the DNS records Resend shows (SPF, DKIM; DMARC optional) at your domain registrar
3. Wait until status is **Verified**

Until the domain is verified, `MAIL_FROM=noreply@bilhej.se` will fail. For a quick API test only,
Resend allows `onboarding@resend.dev` → your own inbox—not for production.

## 2. Production `.env` (SMTP, not SDK)

On the server (file used by `docker-compose.prod.yml`):

```bash
APP_PUBLIC_BASE_URL=https://bilhej.se
MAIL_HOST=smtp.resend.com
MAIL_PORT=587
MAIL_USERNAME=resend
MAIL_PASSWORD=re_your_new_api_key_here
MAIL_FROM=noreply@bilhej.se
```

| Variable | Resend value |
|----------|----------------|
| `MAIL_USERNAME` | Always the literal string `resend` |
| `MAIL_PASSWORD` | Your API key (`re_...`) |
| `MAIL_FROM` | Any address on **verified** domain, e.g. `noreply@bilhej.se` |

## 3. Deploy

Run **Deploy to Production** in Forgejo (pipeline only—no manual rsync).

## 4. Smoke test

1. https://bilhej.se/logga-in → **Glömt lösenord?**
2. Email that exists in `users`
3. Check inbox and spam
4. Resend dashboard → **Emails** should show the send
5. On failure: `docker logs bilhej-backend-prod 2>&1 | grep -i mail`

Fallback: reset links still log when `MAIL_HOST` is empty.

## Local dev

Keep using Mailpit (`docker compose up`, http://localhost:8025). Do not point local Docker at
Resend unless you intend to send real mail.