Dedicated Resend (enterprise)
Enterprise teams use their own Resend account for custom domains, inbound webhooks, and outbound send — isolated from the shared MailAgent Resend quota.
When to use
- Enterprise plan (
teams.plan = enterprise) - Isolated domain quota and webhook traffic per tenant
- Compliance: tenant-owned email infrastructure
Free and Pro teams keep using the shared Resend account on the Worker. See Custom domain for standard hosted domains.
Plan limits
| Limit | Enterprise |
|---|---|
| Custom domains | 25 |
| Active inboxes | 500 |
| Team keys | 50 |
| Rate limit | 600 req/min |
Setup
0. Enable enterprise plan (operator)
npm run team:plan -- TEAM_ID enterprise1. Configure dedicated Resend
Console (recommended): Dashboard → Dedicated Resend — paste Resend API key and webhook signing secret.
curl -sS -X PUT "$MAILAGENT_API_URL/v1/team/dedicated-resend" \
-H "Authorization: Bearer $MAILAGENT_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"resendApiKey": "re_…",
"webhookSecret": "whsec_…"
}' | jq .
Response includes webhookUrl. In the team's Resend dashboard,
add a webhook:
- URL:
https://api.webmailagent.com/webhooks/resend/team/TEAM_ID - Event:
email.received
Requires an unrestricted admin team key (scoped read-only keys get 403 scope_admin_required).
2. Add custom domain
Domains are created in the team's Resend account (not MailAgent's shared account).
curl -sS -X POST "$MAILAGENT_API_URL/v1/domains" \
-H "Authorization: Bearer $MAILAGENT_API_KEY" \
-H "Content-Type: application/json" \
-d '{"name":"inbox.yourcompany.com"}' | jq .
Without step 1, enterprise teams get 403 dedicated_resend_required.
Full DNS flow: Custom domain guide.
3. Create inbox and send (optional outbound)
curl -sS -X POST "$MAILAGENT_API_URL/v1/inboxes" \
-H "Authorization: Bearer $MAILAGENT_API_KEY" \
-H "Content-Type: application/json" \
-d '{"label":"outbound","domainId":"DOMAIN_ID","username":"qa"}' | jq .address
curl -sS -X POST "$MAILAGENT_API_URL/v1/inboxes/INBOX_ID/send" \
-H "Authorization: Bearer $MAILAGENT_API_KEY" \
-H "Content-Type: application/json" \
-d '{"to":["user@example.com"],"subject":"Hello","text":"from dedicated Resend"}' | jq .
Outbound uses the team Resend key. Inbox must be on a verified custom domain
(domainId) — shared INBOX_DOMAIN addresses return
403 dedicated_outbound_requires_custom_domain_inbox.
Status & discovery
curl -sS "$MAILAGENT_API_URL/v1/team/dedicated-resend" \
-H "Authorization: Bearer $MAILAGENT_API_KEY" | jq .
curl -sS "$MAILAGENT_API_URL/v1/me" \
-H "Authorization: Bearer $MAILAGENT_API_KEY" | jq .capabilities
capabilities.outbound.dedicatedResend: true when team Resend is configured.
Clear config: DELETE /v1/team/dedicated-resend (admin key).
Security
- Resend API key and webhook secret stored encrypted in Postgres (AES-GCM)
- Audit events:
team.dedicated_resend.configured,team.dedicated_resend.cleared - Full audit log: Console audit
MCP
Same REST rules — domain and send tools use team Resend when configured:
mailagent_add_domain
mailagent_list_domains
mailagent_verify_domain
mailagent_send_message