Each environment can deliver transactional authentication email through Authdog's managed provider or one connected provider of your own. Only one provider is active at a time. The managed provider is used until you connect and activate another.

## Choose a provider

Supported email delivery choices:

- **Authdog managed** — no credentials or setup.
- **Custom SMTP** — host, port, username, password, from address, and optional implicit TLS.
- **Resend** — API key and from address.
- **SendGrid** — API key and from address.
- **Amazon SES** — access key ID, secret access key, region, and from address.
- **Postmark** — server token, from address, and optional message stream.

Provider configuration belongs to one environment. Configure development first, then repeat with production-specific credentials and sender domains.

## Connect a provider

In the [Authdog console](https://console.authdog.com):

1. Select the project and environment.
2. Open **Notifications → Providers**.
3. Select the **Email** channel.
4. Choose a provider and select **Connect**.
5. Enter its required credentials and from address.
6. Save. A newly connected provider becomes active.
7. Select **Test**, enter a recipient, and confirm delivery.

When managing an existing provider, secret fields are masked and never loaded back into the browser. Leave a secret field blank to keep its stored value; enter a new value to replace it.

You can connect several providers, but only one sends for the environment. Use **Set active** to switch, or **Use managed** to return to Authdog-managed delivery.

## SMTP transport

Custom SMTP supports:

- Port `587` with STARTTLS upgrade.
- Port `465` with **Use TLS/SSL** enabled for implicit TLS.
- `AUTH LOGIN` when both username and password are present.

Use the exact submission host and credentials supplied by your relay. Do not use an unencrypted SMTP endpoint.

## Prepare the sender domain

Before activation:

1. Verify the from address or domain with your provider.
2. Publish provider-required SPF and DKIM records.
3. Add a DMARC policy appropriate for your rollout.
4. Confirm the provider account is out of sandbox or test mode where applicable.
5. Send a test to a mailbox outside your own domain and inspect authentication results.

Authdog selecting a provider does not verify sender-domain ownership at that provider. Provider-side rejection still causes delivery failure.

## Security guidance

- Create least-privilege sending credentials for Authdog; do not reuse account-owner or general AWS credentials.
- Store provider secrets only through the console. They are encrypted server-side and are not returned by provider queries.
- Rotate credentials in a non-production environment first, then replace production values and run a test.
- Restrict SES credentials to required email actions and region.
- Use a dedicated transactional sender domain to isolate reputation from employee mail.
- Disconnect credentials no longer in use.

## Operational notes

- Test before switching active provider and again after DNS or credential changes.
- Keep Authdog managed delivery available as a deliberate rollback option.
- A connected provider is not necessarily active; check its status badge.
- Postmark defaults to the `outbound` message stream when no stream is configured.
- SMTP defaults to port `587` when no usable port reaches dispatch, but the console requires a port during setup.
- If delivery fails, check provider suppression lists, account limits, sender verification, region, credentials, and provider logs.
- Disconnecting removes that environment's provider configuration. Switch active delivery first when planning a controlled change.

Email provider setup affects email only. SMS providers shown in the same console area are a separate channel and are not configured by this page.

## Related

- [Authentication](/docs/concepts/authentication) — flows that send authentication email
- [Deployments](/docs/deployments) — environment isolation
- [Custom domains](/docs/custom-domains) — branded identity hostnames
- [Security](/docs/security) — secret and session security
- [Testing](/docs/testing) — test-environment guidance
