Official Resend MCP server for giving Claude and other MCP clients controlled access to email sending, received email, contacts, broadcasts, domains, segments, topics, API keys, and webhooks through stdio or Streamable HTTP.
Resend MCP is an executable npm package launched with `npx`, not a HeyClaude-hosted package. Review the official repository and npm package metadata before running it in privileged environments., The server can send, schedule, update, cancel, and batch send emails when the configured API key allows it. Treat every outbound email as a production write unless you are using a controlled test recipient., Tools can manage contacts, segments, topics, broadcasts, domains, webhooks, contact properties, API keys, and received emails. Do not expose broad account-management tools to an autonomous agent without human review., Do not paste real `re_` API keys into prompts, issue comments, screenshots, public MCP configs, shell history, or committed files. Use environment variables or your client's secret handling., For stdio mode, the docs use `RESEND_API_KEY` in the launched process environment. For HTTP mode, each client authenticates with a Bearer token in the `Authorization` header., If reproducibility matters, pin the npm package version after checking the current Resend docs and release metadata instead of relying on the latest `npx -y resend-mcp` package., Attachments can be provided from local paths, URLs, or base64 content. Do not allow the assistant to attach arbitrary local files or downloaded content without reviewing file path, size, type, and recipient., Domain, tracking, TLS, webhook, API-key, and audience changes can affect deliverability, compliance, and production email behavior. Require explicit human approval for those operations.
Privacy notes
Tool results and prompts can expose email addresses, names, recipient lists, message bodies, subject lines, attachments, contact properties, segments, topics, unsubscribe state, domain names, webhook URLs, logs, and inbound email content., Received emails and attachments can include customer support requests, order confirmations, account details, personal data, credentials, invoices, contracts, or regulated information., Outbound email drafts can leak private customer data if generated from tickets, Slack messages, databases, logs, or other MCP servers without a data-sharing review., MCP client transcripts, terminal logs, debug output, shell history, AI provider logs, screenshots, and issue reports may retain email content or recipient data outside Resend's access controls., Keep marketing audiences, segments, broadcast lists, custom properties, and suppression/unsubscribe data out of prompts unless the workflow owner approved the data handling., Use synthetic recipients, test domains, and non-production content for demos, screenshots, validation, and AI-assisted troubleshooting.
Author
Resend
Submitted by
oktofeesh1
Claim status
unclaimed
Last verified
2026-06-04
Decision playbook
Review trust signals before you adopt
Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.
Compare context
Selected
0
Current score
78
Baseline
—
Delta
No baseline selected
No major trust-signal divergence detected in the current selection.
Source and provenance checks
Complete
Confirm ownership and provenance before trusting install instructions.
Source link availableRequired
Open the canonical repository and verify ownership.
Done
Source provenance statusRequired
Marked as source-backed.
Done
Metadata reviewed
Registry metadata indicates a reviewed listing.
Done
Safety and privacy checks
Complete
Validate risk disclosures before installation or API wiring.
Safety notes presentRequired
Review the listed safety guidance before running commands.
Done
Privacy notes presentRequired
Review data handling notes before connecting accounts or secrets.
Done
Trust level risk gateRequired
Trust level does not block evaluation.
Done
Package and install checks
Needs review
Check package metadata and artifact integrity signals.
Install payload available
Install or copy payload is available for review.
Done
Package verification flag
No package verification flag provided.
Pending
Checksum metadata
No checksum provided for downloaded artifact.
Pending
Compare-driven decision checks
Needs review
Use compare context to validate trade-offs before adoption.
Compare tray has multiple entries
Add at least one more entry to compare trust differences.
8 safety and 6 privacy notes across 5 risk areas. Review closely: credentials & tokens, permissions & scopes, network access.
5 areas
SafetyExecution & processesResend MCP is an executable npm package launched with `npx`, not a HeyClaude-hosted package. Review the official repository and npm package metadata before running it in privileged environments.
SafetyCredentials & tokensThe server can send, schedule, update, cancel, and batch send emails when the configured API key allows it. Treat every outbound email as a production write unless you are using a controlled test recipient.
SafetyCredentials & tokensTools can manage contacts, segments, topics, broadcasts, domains, webhooks, contact properties, API keys, and received emails. Do not expose broad account-management tools to an autonomous agent without human review.
SafetyCredentials & tokensDo not paste real `re_` API keys into prompts, issue comments, screenshots, public MCP configs, shell history, or committed files. Use environment variables or your client's secret handling.
SafetyCredentials & tokensFor stdio mode, the docs use `RESEND_API_KEY` in the launched process environment. For HTTP mode, each client authenticates with a Bearer token in the `Authorization` header.
SafetyGeneralIf reproducibility matters, pin the npm package version after checking the current Resend docs and release metadata instead of relying on the latest `npx -y resend-mcp` package.
SafetyNetwork accessAttachments can be provided from local paths, URLs, or base64 content. Do not allow the assistant to attach arbitrary local files or downloaded content without reviewing file path, size, type, and recipient.
SafetyCredentials & tokensDomain, tracking, TLS, webhook, API-key, and audience changes can affect deliverability, compliance, and production email behavior. Require explicit human approval for those operations.
PrivacyCredentials & tokensReceived emails and attachments can include customer support requests, order confirmations, account details, personal data, credentials, invoices, contracts, or regulated information.
PrivacyNetwork accessOutbound email drafts can leak private customer data if generated from tickets, Slack messages, databases, logs, or other MCP servers without a data-sharing review.
PrivacyPermissions & scopesMCP client transcripts, terminal logs, debug output, shell history, AI provider logs, screenshots, and issue reports may retain email content or recipient data outside Resend's access controls.
PrivacyGeneralKeep marketing audiences, segments, broadcast lists, custom properties, and suppression/unsubscribe data out of prompts unless the workflow owner approved the data handling.
PrivacyGeneralUse synthetic recipients, test domains, and non-production content for demos, screenshots, validation, and AI-assisted troubleshooting.
Safety notes
Resend MCP is an executable npm package launched with `npx`, not a HeyClaude-hosted package. Review the official repository and npm package metadata before running it in privileged environments.
The server can send, schedule, update, cancel, and batch send emails when the configured API key allows it. Treat every outbound email as a production write unless you are using a controlled test recipient.
Tools can manage contacts, segments, topics, broadcasts, domains, webhooks, contact properties, API keys, and received emails. Do not expose broad account-management tools to an autonomous agent without human review.
Do not paste real `re_` API keys into prompts, issue comments, screenshots, public MCP configs, shell history, or committed files. Use environment variables or your client's secret handling.
For stdio mode, the docs use `RESEND_API_KEY` in the launched process environment. For HTTP mode, each client authenticates with a Bearer token in the `Authorization` header.
If reproducibility matters, pin the npm package version after checking the current Resend docs and release metadata instead of relying on the latest `npx -y resend-mcp` package.
Attachments can be provided from local paths, URLs, or base64 content. Do not allow the assistant to attach arbitrary local files or downloaded content without reviewing file path, size, type, and recipient.
Domain, tracking, TLS, webhook, API-key, and audience changes can affect deliverability, compliance, and production email behavior. Require explicit human approval for those operations.
Received emails and attachments can include customer support requests, order confirmations, account details, personal data, credentials, invoices, contracts, or regulated information.
Outbound email drafts can leak private customer data if generated from tickets, Slack messages, databases, logs, or other MCP servers without a data-sharing review.
MCP client transcripts, terminal logs, debug output, shell history, AI provider logs, screenshots, and issue reports may retain email content or recipient data outside Resend's access controls.
Keep marketing audiences, segments, broadcast lists, custom properties, and suppression/unsubscribe data out of prompts unless the workflow owner approved the data handling.
Use synthetic recipients, test domains, and non-production content for demos, screenshots, validation, and AI-assisted troubleshooting.
Prerequisites
Resend account with permission to create API keys and access the email resources the assistant should manage.
Verified sending domain or subdomain for production email workflows.
Resend API key scoped to the least privilege that covers the intended MCP tools.
MCP-capable client such as Claude Code, Codex, Cursor, Claude Desktop, Copilot, Gemini CLI, OpenCode, Windsurf, Devin, or another compatible client.
Sender address, reply-to address, topic/subscription policy, and audience-management rules before enabling contact, broadcast, or campaign workflows.
Human approval policy for sending email, batch email, broadcasts, contact changes, domain configuration, API-key changes, webhook changes, and attachment handling.
Test recipients, sandbox workflows, or non-production domains for validation before sending to real customers.
Resend MCP Server is Resend's official Model Context Protocol server for
connecting AI clients to Resend email infrastructure. It lets Claude and other
MCP-capable tools send email, inspect received messages, manage contacts,
create and schedule broadcasts, configure domains, manage segments and topics,
handle contact properties, work with API keys, and manage webhooks through a
single MCP integration.
The Resend docs describe two supported transport modes:
Stdio transport, launched locally with npx -y resend-mcp.
Streamable HTTP transport, started locally with npx -y resend-mcp --http
and exposed at /mcp.
Start with stdio transport and a narrow Resend API key for local assistant
workflows. Use HTTP mode only when you have reviewed how clients will pass
Bearer tokens, where the local server listens, and who can reach it.
These sources were reviewed on 2026-06-04. Prefer the live Resend docs and
official repository over model memory for supported clients, transport modes,
tool coverage, package commands, environment variables, HTTP headers, and local
development instructions.
Features
Official Resend MCP server published by Resend.
Local stdio transport using npx -y resend-mcp.
Streamable HTTP mode using npx -y resend-mcp --http --port 3000.
Streamable HTTP endpoint exposed at /mcp on the configured local port in
documented HTTP mode.
Stdio support for Claude Code, Codex, Cursor, Claude Desktop, Copilot,
Gemini CLI, OpenCode, Windsurf, Devin, and other MCP clients.
Email tools for sending, listing, retrieving, cancelling, updating, and batch
sending messages.
Email support for HTML, plain text, attachments, CC, BCC, reply-to,
scheduling, tags, and topic-based sending.
Received email tools for listing and reading inbound email and downloading
received email attachments.
Contact, segment, topic, and contact-property tools for audience management.
Broadcast tools for creating, sending, scheduling, listing, updating, and
removing campaigns.
Domain tools for creating, listing, verifying, updating, and removing sender
domains, plus tracking and TLS configuration.
API-key and webhook tools for managing integration credentials and event
notifications when the configured Resend key allows it.
Use Cases
Draft and send transactional emails from a controlled sender after a human
approves recipients, subject, body, and attachments.
Ask Claude to inspect delivery state or retrieve a known sent email by ID
during support triage.
Process inbound support or notification emails in a limited mailbox workflow.
Create a draft broadcast campaign from approved copy and wait for human
review before sending or scheduling.
Update contacts, segments, or topics for a tightly scoped audience operation.
Verify a domain or review sending-domain configuration before a launch.
Create or update Resend webhooks after a human confirms the target endpoint,
events, and signing/verification plan.
Installation
Claude Code
Create a Resend API key with the minimum permissions needed, then add the MCP
server with stdio transport:
claude mcp add resend -e RESEND_API_KEY=re_xxxxxxxxx -- npx -y resend-mcp
Optionally provide a default sender from a verified domain:
Connect a supported client to the local /mcp endpoint with a Bearer token
using that client's configuration UI. Only expose this local HTTP endpoint to
trusted clients. Do not bind it to a public interface or tunnel it without a
security review.
Start with a narrowly scoped Resend API key and rotate it if it appears in a
prompt, shell history, screenshot, transcript, or repository file.
Prefer a verified subdomain for agent-driven workflows so deliverability and
reputation are isolated from primary mail domains.
Require draft-first workflows for real recipients. The assistant should show
recipients, subject, body, sender, reply-to, tags, schedule, and attachments
before any send call.
Treat broadcasts, contact updates, segment changes, topic changes, domain
changes, API-key changes, and webhook changes as production configuration
writes.
Never let the assistant attach arbitrary local files. Review attachment paths,
URLs, sizes, MIME types, and customer data before sending.
Keep unsubscribe, topic, audience, and suppression data consistent with the
product's email policy and consent records.
Do not combine Resend MCP with broad Slack, database, filesystem, browser, or
ticketing MCP access unless the data flow from source system to outbound
email has been reviewed.
Troubleshooting
Authentication fails: confirm the API key is valid, not revoked, and
available to the launched process as RESEND_API_KEY or to HTTP clients as a
Bearer token.
Sender is rejected: verify the sending domain or subdomain in Resend and
confirm the from address matches that domain.
Email reaches the wrong recipient: stop the workflow, rotate any exposed
test data, and require explicit recipient review before retrying.
HTTP client cannot connect: verify resend-mcp --http is running,
listening on the expected port, and that the client URL ends in /mcp.
Attachment sends unexpected data: disable attachment use for the workflow,
review the file path or URL, and re-run with synthetic files first.
Broadcast or contact tools are too broad: use a narrower API key, remove
unnecessary tools from the workflow, and require human approval for audience
mutations.
Duplicate Check
No existing upstream content file uses the resend-mcp-server slug,
resend-mcp package name, Resend MCP documentation URL, Resend MCP changelog
URL, or resend/resend-mcp repository URL.
Existing Resend mentions are incidental references in broader Supabase,
zero-budget SaaS, and Authsome content. They remain distinct because this
entry covers Resend's official MCP server, transports, package, tool groups,
setup commands, and email-specific safety/privacy review.
Editorial Disclosure
Resend is a commercial email platform, but this listing is not sponsored, paid,
affiliate-backed, or submitted by Resend. Use Resend's current docs, package
metadata, account permissions, API-key scopes, deliverability rules, and email
policy as the source of truth before connecting real email workflows to any AI
client.
Show that Resend MCP Server for Claude is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/mcp/resend-mcp-server)
How it compares
Resend MCP Server for Claude side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
1 trust signal differ across this comparison (Submitter).
Official Resend MCP server for giving Claude and other MCP clients controlled access to email sending, received email, contacts, broadcasts, domains, segments, topics, API keys, and webhooks through stdio or Streamable HTTP.
Connect Claude to Postmark — send transactional email, manage templates, search messages, and diagnose delivery, bounces, and suppressions — with the official ActiveCampaign Postmark MCP server.
Built-in Streamable HTTP MCP server for Dagu that lets AI agents read workflow state, inspect DAG specs and logs, preview or apply workflow changes, and start, enqueue, retry, or stop DAG runs.
Apache-2.0 agentic proxy that can expose stdio, HTTP, SSE, and Streamable HTTP MCP servers through a managed gateway with federation, OAuth/JWT authentication, RBAC/CEL policy, CORS, TLS, observability, and Kubernetes Gateway API support.
✓Resend MCP is an executable npm package launched with `npx`, not a HeyClaude-hosted package. Review the official repository and npm package metadata before running it in privileged environments.
The server can send, schedule, update, cancel, and batch send emails when the configured API key allows it. Treat every outbound email as a production write unless you are using a controlled test recipient.
Tools can manage contacts, segments, topics, broadcasts, domains, webhooks, contact properties, API keys, and received emails. Do not expose broad account-management tools to an autonomous agent without human review.
Do not paste real `re_` API keys into prompts, issue comments, screenshots, public MCP configs, shell history, or committed files. Use environment variables or your client's secret handling.
For stdio mode, the docs use `RESEND_API_KEY` in the launched process environment. For HTTP mode, each client authenticates with a Bearer token in the `Authorization` header.
If reproducibility matters, pin the npm package version after checking the current Resend docs and release metadata instead of relying on the latest `npx -y resend-mcp` package.
Attachments can be provided from local paths, URLs, or base64 content. Do not allow the assistant to attach arbitrary local files or downloaded content without reviewing file path, size, type, and recipient.
Domain, tracking, TLS, webhook, API-key, and audience changes can affect deliverability, compliance, and production email behavior. Require explicit human approval for those operations.
✓Send tools dispatch real transactional email; restrict the server token and confirm recipients before sending through Claude.
Template, webhook, and suppression tools change live Postmark configuration; review before running them.
✓Dagu is a workflow engine; MCP access can expose shell commands, Docker containers, Kubernetes Jobs, SSH commands, SQL queries, HTTP calls, agent harnesses, and other workflow steps.
The MCP server registers `dagu_change` and `dagu_execute` as destructive-capable tools, so require preview/review before applying DAG changes or starting/stopping production runs.
API keys can be scoped to the MCP surface; avoid reusing broad admin credentials for agent access.
Workflow edits may change schedules, parameters, retries, secrets usage, queues, resource limits, notifications, and downstream infrastructure actions.
Keep the Dagu server and MCP endpoint behind trusted network boundaries, TLS, and authentication for shared or remote deployments.
✓Agentgateway can aggregate and expose many downstream MCP targets through one endpoint; every target's permissions become part of the gateway surface.
Stdio targets are spawned by the gateway process, so commands such as package runners or containers inherit the gateway host's trust boundary.
Demo configs use permissive CORS and local authorization servers; lock down origins, headers, issuers, audiences, JWKS, and resource metadata before production use.
CEL/RBAC policies can inspect MCP tool names, arguments, results, prompts, resources, request bodies, JWT claims, API keys, and backend metadata; test policies before relying on them.
Remote MCP proxying, OAuth provider adaptation, Kubernetes routing, TLS termination, and guardrails are infrastructure changes that should go through normal security review.
Privacy notes
✓Tool results and prompts can expose email addresses, names, recipient lists, message bodies, subject lines, attachments, contact properties, segments, topics, unsubscribe state, domain names, webhook URLs, logs, and inbound email content.
Received emails and attachments can include customer support requests, order confirmations, account details, personal data, credentials, invoices, contracts, or regulated information.
Outbound email drafts can leak private customer data if generated from tickets, Slack messages, databases, logs, or other MCP servers without a data-sharing review.
MCP client transcripts, terminal logs, debug output, shell history, AI provider logs, screenshots, and issue reports may retain email content or recipient data outside Resend's access controls.
Keep marketing audiences, segments, broadcast lists, custom properties, and suppression/unsubscribe data out of prompts unless the workflow owner approved the data handling.
Use synthetic recipients, test domains, and non-production content for demos, screenshots, validation, and AI-assisted troubleshooting.
✓Email content, recipient addresses, message search results, and delivery stats enter the MCP client context and the model's prompt.
The POSTMARK_SERVER_TOKEN is a secret — keep it in the client config or environment, never in shared repositories.
✓DAG specs, run parameters, logs, documents, audit records, secrets references, API keys, environment variables, and workflow outputs may be exposed to the MCP client.
Workflow logs can contain credentials, customer data, internal hostnames, database query results, command output, file paths, or incident context.
Dagu stores state locally by default and can also run distributed workers; review where DAG files, logs, audit entries, and secrets are persisted.
Any workflow state returned through the MCP client may be sent onward to the configured model provider.
✓MCP requests, tool arguments, tool results, prompt names, resource names, session IDs, JWT/API-key claims, raw request/response bodies, logs, traces, and telemetry may pass through the gateway.
CEL policy and observability features may buffer or inspect request and response bodies depending on configuration.
OAuth/JWT metadata, bearer tokens, API keys, DCR secrets, Keycloak/Auth0/Okta settings, and upstream MCP credentials must be protected as secrets.
Any data returned by downstream MCP tools can still be sent onward by the MCP client to the configured model provider.
Prerequisites
Resend account with permission to create API keys and access the email resources the assistant should manage.
Verified sending domain or subdomain for production email workflows.
Resend API key scoped to the least privilege that covers the intended MCP tools.
MCP-capable client such as Claude Code, Codex, Cursor, Claude Desktop, Copilot, Gemini CLI, OpenCode, Windsurf, Devin, or another compatible client.
A Postmark account and a server API token (POSTMARK_SERVER_TOKEN).
A verified sender signature/email (DEFAULT_SENDER_EMAIL) and a message stream (DEFAULT_MESSAGE_STREAM).
Node.js to clone and run the server.
An MCP client such as Claude Code or Claude Desktop.
Dagu installed from Homebrew, GitHub Releases, npm, Docker/GHCR, Helm, or another upstream-supported installation path.
A running Dagu HTTP server with the built-in MCP endpoint enabled through the normal server path.
MCP client that supports Streamable HTTP server configuration.
API key with MCP surface access when Dagu authentication is enabled.
Agentgateway binary, container image, or source checkout from the upstream release/container/docs path.
At least one downstream MCP target, such as a stdio command, remote MCP server, SSE server, or Streamable HTTP server.
MCP client that can connect to the exposed Streamable HTTP or SSE route.
Auth, CORS, TLS, route, and policy configuration reviewed before shared or remote exposure.
Install
claude mcp add resend -e RESEND_API_KEY=re_xxxxxxxxx -- npx -y resend-mcp
git clone https://github.com/ActiveCampaign/postmark-mcp && cd postmark-mcp && npm install