Best practices for building password reset flow without third-party email/SMS services

Hi everyone,
I’m building a secure admin panel and want to implement a password reset flow that avoids third-party services (like SendGrid, Mailgun, Twilio, etc.) for privacy and full control.

I’m looking for:

  1. Best practices for sending password reset emails/SMS from a self-hosted system
  2. Recommendations for email servers, SMS gateways, and Python libraries for token generation and validation
  3. Security considerations (token expiry, replay protection, etc.)

I’m currently using [Flask / FastAPI]. The database is MySQL.
Has anyone done something similar in a production environment? What would you recommend in terms of tools and architecture?
Thanks!

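As an added example for points 2 and 3 of the question (not code from the original post or any reply), the token half of a reset flow in plain Python: a high-entropy token from the OS CSPRNG, only its hash stored server-side, a short expiry, single use, and older tokens superseded on re-issue. The `_reset_tokens` dict stands in for the MySQL table; the function names are assumptions.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # reset links expire after 15 minutes

# Constructed in-memory store standing in for a MySQL table keyed on the
# token hash (columns: user_id, expires_at, used). Only the hash is stored,
# so a database leak does not hand out live reset links.
_reset_tokens: Dict[str, dict] = {}


def _hash_token(token: str) -> str:
    # Token has 256 bits of entropy, so an unsalted SHA-256 lookup key is fine.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user_id: int, now: Optional[float] = None) -> str:
    """Create a single-use reset token; return the raw token to put in the e-mail."""
    now = time.time() if now is None else now
    # Any earlier outstanding token for this user is invalidated on re-issue.
    for key in [k for k, v in _reset_tokens.items() if v["user_id"] == user_id]:
        del _reset_tokens[key]
    token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
    _reset_tokens[_hash_token(token)] = {
        "user_id": user_id,
        "expires_at": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def consume_reset_token(token: str, now: Optional[float] = None) -> Optional[int]:
    """Validate a presented token and burn it. Returns the user_id or None."""
    now = time.time() if now is None else now
    rec = _reset_tokens.get(_hash_token(token))
    if rec is None:
        return None  # unknown or superseded token
    if rec["used"] or now > rec["expires_at"]:
        return None  # replayed or expired token
    rec["used"] = True  # replay protection: a token authenticates exactly once
    return rec["user_id"]
```

In the real flow the password change and the `used` flag update should happen in one database transaction, and the raw token only ever travels in the reset link.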

Sending e-mail on your own is hard, often impossible. Various signals are used for spam protection. Your server’s IP address probably belonged to some spammer, so your e-mails will land in the spam folder as well, even if you follow all the best practices and set up SPF, DKIM, whatever. At a very small scale, using a regular human e-mail account will work, but you might get banned for spam if it grows.

SMS is even harder to do on your own. You need a modem and a SIM card, and the carrier might not be happy if you send too much.

Just use an established service.