ActionMailbox Resend

A Rails Engine providing Resend email ingress support for ActionMailbox.

This gem works with any Rails application that uses ActionMailbox. It receives webhooks from Resend's inbound email API, verifies signatures via Svix, reconstructs RFC822 MIME messages (including attachments and inline images), and delivers them to ActionMailbox for processing.

Note: This gem was originally developed to add Resend support to Chatwoot, but it's a general-purpose ActionMailbox ingress that works with any Rails application.

Features

Webhook-based email ingestion via Resend's email receiving API
Cryptographic signature verification using Svix
Full attachment support (regular + inline images)
Data URI to CID conversion for inline images
Email threading support (In-Reply-To, References headers)
SSRF protection with URL allow-listing
Idempotency via webhook deduplication
Request size limits and HTTP timeouts

Installation

Add this line to your application's Gemfile:

gem "actionmailbox-resend"

And then execute:

bundle install

Configuration

Environment Variables

Set the following environment variables:

RESEND_API_KEY=re_xxx           # Your Resend API key
RESEND_WEBHOOK_SECRET=whsec_xxx  # Your Resend webhook signing secret

Mount the Engine

In your config/routes.rb:

Rails.application.routes.draw do
  mount ActionMailbox::Resend::Engine, at: "/rails/action_mailbox/resend"
end

This creates the webhook endpoint at:

POST /rails/action_mailbox/resend/inbound_emails

Resend Setup

Enable Inbound Emails in your Resend dashboard
Configure Email Forwarding to forward emails to your domain
Add Webhook Endpoint: https://your-domain.com/rails/action_mailbox/resend/inbound_emails
Copy Webhook Signing Secret to your RESEND_WEBHOOK_SECRET environment variable

How It Works

Webhook Reception: Resend sends a webhook when an email is received
Signature Verification: The gem verifies the Svix signature to ensure authenticity
Email Fetch: Full email content is fetched from Resend's API (webhooks only contain email IDs)
Attachment Download: Attachments are fetched via a two-step process (metadata → download URL → content)
RFC822 Construction: The JSON email data is converted to a proper RFC822 MIME message
ActionMailbox Delivery: The message is submitted to ActionMailbox for processing

RFC822 Reconstruction

Unlike other email providers that send emails in RFC822 format, Resend provides structured JSON. This gem handles the complex conversion including:

Proper multipart MIME boundaries
Content-Type headers for each part
Content-Transfer-Encoding for attachments
Content-ID for inline images
Data URI to CID reference conversion

Security

Svix Signature Verification: All webhooks are cryptographically verified
SSRF Protection: Attachment downloads are restricted to *.resend.com and *.resend.app domains
Size Limits: 10MB max request size, 25MB max attachment size
Timeout Protection: 5s connection timeout, 10s read timeout
Redirect Blocking: Prevents redirect-based SSRF attacks
Idempotency: 24-hour deduplication via svix-id header

Development

After checking out the repo, run bin/setup to install dependencies. Then, run bundle exec rspec to run the tests.

git clone https://github.com/rcoenen/actionmailbox-resend.git
cd actionmailbox-resend
bin/setup
bundle exec rspec

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/rcoenen/actionmailbox-resend.

License

The gem is available as open source under the terms of the MIT License.