Use a custom domain for Authentication emails

If you use a custom domain in your project, consider also using your custom domain in the emails sent for authentication events, such as email verification, address change, and password recovery flows. You can configure your project to use your custom domain in the emails' From field and action links.

By configuring custom domains for authentication emails, users will see the same domain for your web address and the user management emails.

There are broadly two steps to setting this up:

  • Add the domain to your email templates in the Firebase console.
  • Verify your domain by adding DNS records in your domain registar.

Adding the domain to your email templates

  1. In the Firebase console, open the Templates page of the Authentication section.

  2. For each email template, do the following:

    1. Click the edit icon ().
    2. Click customize domain.
    3. Enter the domain you want to use.

You'll then see a table of DNS records to add to your domain registrar to verify that you own the domain.

Verify the domain

Add or update the TXT and CNAME DNS records given in the Firebase console. The procedure for doing so depends on the registrar.

You can have only one v=spf1... TXT record for a particular domain. If you need to specify multiple email addresses, combine them into one record.

It can take up to 24 hours for the domain to be verified. When it is, the Templates page in the Firebase console will show a green "Verification complete" message. Then, you can click the Apply Custom Domain button to put your changes into effect.

Multi-tenant projects

If you have upgraded to Firebase Authentication with Identity Platform and enabled multi-tenancy, you need to update the tenant metadata to allow the tenant to inherit custom domains, email templates, and custom SMTP settings. Otherwise, users still receive emails from the default domain even if the custom domain is successfully verified and applied.

You can check if multi-tenancy is enabled by examining the URL included in Auth email messages. If the URL includes a tenant parameter, you need to update your project's tenant metadata.

To do so, run the following command:

curl -X PATCH -d "{'inheritance':{'emailSendingConfig': true}}" \
  -H "X-Goog-User-Project: PROJECT_ID"                          \
  -H "Authorization: Bearer $(gcloud auth print-access-token)"  \
  -H 'Content-Type:application/json'                            \
  https://identitytoolkit.googleapis.com/v2/projects/PROJECT_ID/tenants/TENANT_ID?updateMask=inheritance.emailSendingConfig