Magic-link login emails not arriving
A user types their email, the app says "check your inbox", and nothing arrives — not even in spam. It often works for your own address but fails for real users.
- Supabase
- Lovable
- Bubble
- Any stack
- Auth & login
- Email delivery
Root cause, in plain English
Most magic-link outages are email problems, not auth bugs. Auth providers ship a built-in email service meant only for development: Supabase's default sender delivers a few messages per hour and only reliably to your own team's addresses, so real users silently get nothing. The rest are domain-reputation failures — no SPF or DKIM for the sending domain — so receiving servers drop or spam-folder the message before anyone sees it.
How to fix it
Reproduce with an address outside your team (a fresh Gmail works). Your own inbox succeeding proves nothing — default senders whitelist project members.
Check the auth provider's logs for rate-limit errors. On Supabase, "email rate limit exceeded" (HTTP 429) means you've hit the built-in sender's per-hour cap.
Connect a real SMTP provider (Resend, Postmark, SES, SendGrid) in your auth settings and send from a domain you control. This is required for production, not an optimization.
Publish SPF, DKIM, and DMARC records for that sending domain — your email provider's dashboard lists the exact DNS records to add.
Re-test the full loop: request a link, receive it, click it, land signed in. Also confirm the link's expiry window is long enough for slow email delivery.
Go deeper: copy the open-source health-check recipe.
How Nightlamp detects this automatically
- Email flow
- Browser journey
An email_flow monitor runs your real magic-link loop on a schedule: it requests a link with a dedicated mailbox address, waits for the message to arrive, clicks through, and verifies the session — alerting on missing or slow email long before users complain. A browser_journey covers the login form itself.
Catch this before your customers do
Nightlamp runs these checks continuously against your live app and sends a plain-English diagnosis — not a wall of logs — the moment this pattern shows up.
Related patterns
Frequently asked questions
- Why do magic links work for me but not for my users?
- Development email senders deliver reliably only to addresses associated with your project or team and are rate-limited to a handful of messages per hour. You are usually the only person they work for. Production traffic needs your own SMTP provider.
- The email arrives but the link says it's expired or invalid.
- Check the link expiry window against real delivery delays, and watch for mailbox security scanners — some corporate email systems pre-click links to scan them, consuming one-time tokens before the user does. Providers offer settings or token formats that tolerate this.
- How fast should a magic link arrive?
- Through a real transactional provider, typically under thirty seconds. Multi-minute delays usually mean rate-limit queueing or domain-reputation throttling, both of which get worse with volume — fix them before launch, not after.
Newsletter
Get new incident patterns as we publish them
One email when new failure patterns, fixes, and monitoring recipes for no-code and AI-built apps land. No fluff, unsubscribe any time.
Double opt-in. One-click unsubscribe. No spam, ever.