Email: transactional sends + support inbox
Two totally separate mail paths (PLAN.md §6 guardrail):
- Customer dunning (chases) — always sent from the customer's own
Gmail/M365 mailbox via their OAuth grant. Never routed through our domain.
- Our transactional mail — welcome on signup, founder alerts, weekly
Cash Recovered summaries. Sent from noreply@dunchase.com with
Reply-To: support@dunchase.com. This document covers only this path.
Code path
apps/api/src/lib/email/transactional.ts → sendTransactionalEmail().
Provider is picked by EMAIL_PROVIDER (cloudflare | resend), or
automatically: Cloudflare when CLOUDFLARE_EMAIL_API_TOKEN is set, else
Resend when RESEND_API_KEY is set, else the send is skipped with a log
line (never throws). All older Resend call sites (founder notify, feedback,
audit requests, weekly report) go through this lib; the welcome email is
lib/email/welcome.ts fired on POST /api/v1/auth/signup.
Cloudflare sends use the Email Service REST API:
POST https://api.cloudflare.com/client/v4/accounts/{account_id}/email/sending/send
with {from, to, subject, html, text?, headers: {'Reply-To': …}}.
Already provisioned via API (done 2026-07-07)
On the dunchase.com zone (DNS token at ~/.clouldflare/.env):
- MX
route1/route2/route3.mx.cloudflare.net(priorities 13/86/24) - TXT SPF
v=spf1 include:_spf.mx.cloudflare.net ~all - Email Routing rule:
support@dunchase.com→ forward to
biz.support.email@gmail.com (already a verified destination address on
the Cloudflare account, so forwarding works the moment routing is enabled)
Manual dashboard steps (founder — the DNS token cannot do these)
- Enable Email Routing: Cloudflare dashboard → dunchase.com → Email →
Email Routing → Enable. (Records + the support@ rule are already there;
enabling flips it live.) Send a test mail to support@dunchase.com and
confirm it lands in the Gmail inbox.
- Enable Email Sending + create a token: dashboard → Email →
Email Sending (Email Service beta) → add dunchase.com / noreply@
sender, then My Profile → API Tokens → create a token with the
Email Sending permission for the account.
- Put the token in
/srv/paidup/.env:
CLOUDFLARE_EMAIL_API_TOKEN=<token> (with EMAIL_PROVIDER=cloudflare,
FROM_EMAIL=noreply@dunchase.com, SUPPORT_EMAIL=support@dunchase.com
already set), then recreate the paidup-api/paidup-worker containers.
- Verify: sign up with a real inbox on https://dunchase.com/signup and
check the welcome email arrives with Reply-To support@dunchase.com.