
Send Email via Keycloak (SMTP)

Overview

Keycloak can send emails on certain user events (for example registration validation, credential reset, and usage alerts). This makes it easy to build a smooth workflow that welcomes and assists newly registered users.

Managed Keycloak Context

Cloud-IAM does not include a built-in SMTP relay service. This is because the deliverability of emails depends heavily on the reputation of the sending IP address. If multiple customers shared the same IP, issues such as blacklisting or spam filtering could occur, which might affect the reliability of your service.

To ensure the best results, Cloud-IAM recommends using your own dedicated SMTP server or a trusted third-party email provider (e.g., Gmail, Microsoft 365, Brevo, SendGrid, Amazon SES).

If you'd like to secure communication between your Cloud-IAM deployment and your SMTP server, you can:

  • Restrict inbound access to your SMTP server with an allowlist.
  • Add the public gateway IP of your Cloud-IAM deployment to that allowlist on your SMTP server.

VPN Usage

For SMTP connections, Cloud-IAM generally advises against using a VPN.
VPN links can be difficult to keep consistently stable, harder to monitor effectively, and often introduce extra complexity without improving reliability.

Use Case

IAM

SMTP ensures that internal and external users receive essential identity-related communications, such as password reset emails, MFA setup links, or login alerts.

CIAM

For customer-facing applications, SMTP is critical for account verification and secure onboarding.

Pros & Cons

Pros

  • Smooth Onboarding Experience: Users immediately receive confirmation and welcome emails, making account creation seamless.
  • Self-Service Recovery: Password reset emails empower users to regain access without needing admin intervention.
  • Trust & Professionalism: Branded transactional emails reassure users that messages come from a legitimate, trusted source.
  • Clear Communication: Users are promptly informed about security events (e.g., password changes, suspicious activity).

Cons

  • Email Dependency: If users lose access to their email account or the email service is down, they cannot complete registration or recover credentials.
  • Delivery Issues: Emails may land in spam folders or be delayed, which can frustrate users during critical flows like signup or login recovery.
  • Dependency on External Factors: SMTP relies on external communication channels (like email providers), which can introduce delays, downtime, or failures outside your direct control.
  • Overload & Fatigue: Too many system emails (e.g., repeated alerts) may cause users to ignore or overlook important messages.

Supported by Keycloak

Yes, natively supported and configurable on Managed Keycloak by Cloud-IAM.

Configuration

How to Configure SMTP on a Keycloak Realm

This step-by-step guide explains how to configure SMTP in Keycloak to enable email notifications, such as registration validation, password resets, and usage alerts. To achieve this, you must set up Keycloak's email settings with your preferred email service provider.

In this example, we'll use Google's SMTP server, but the same process applies if you use another provider such as Brevo, Resend, Mailchimp, Constant Contact, GetResponse, or ActiveCampaign. You must repeat this configuration for each realm where you want to send emails.

This tutorial does not cover all the necessary security best practices for a complete configuration.

Step 1 - Configure the Email template

  1. Log in to your Keycloak as an admin.
  2. Select the realm to be configured (here: acme-demo).
  3. Navigate to Realm settings, then Email.
  4. Register the email sender named From (e.g. no-reply@acme.com).
    • This is the email address displayed to your users.
    • It can differ from the actual sender account used to authenticate.
  5. Register the From display name (e.g. NoReply ACME Company).
Keycloak Console - Configure the template

Step 2 - Configure Google SMTP provider

  1. Open a new browser window.
  2. Navigate to the Google page to create and manage your app passwords: https://myaccount.google.com/apppasswords
  3. Register your App name (e.g. Keycloak SMTP tutorial).
  4. Click Create to validate the new creation.
  5. Copy the App password (you'll need it in Step 3).
  6. Confirm that the new password appears in your list of App passwords.
Google - App passwords

Step 3 - Configure Connection & Authentication

  1. Return to the Keycloak Email settings window.
  2. Enter your SMTP Host (e.g. smtp.gmail.com) and Port:
    • TLS: 587
    • SSL: 465
  3. Activate Enable SSL and/or Enable StartTLS to match the port chosen above.
  4. Enable the Authentication toggle.
  5. Register the Username (the email address associated with your App Password).
  6. Set Authentication type to Password.
  7. Paste the previously created App Password into the password field.
  8. Click Save to confirm your configuration.
Keycloak Console - Configure Connection & Authentication

After saving, click Test connection: Keycloak sends a test email to confirm your SMTP setup.

Your Keycloak realm can now send emails through the configured SMTP provider.
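The console steps above end up in the realm representation that Keycloak stores under `smtpServer`, a map of string values whose keys (host, port, from, fromDisplayName, ssl, starttls, auth, user, password) match the fields on the Email tab. The Python script below is an added example for this guide, not Cloud-IAM's or Keycloak's own code: it builds that map for the port/TLS combination chosen in Step 3, checks it for the mismatches that most often make Test connection fail (both TLS toggles on, a port that disagrees with its toggle, authentication without credentials, a malformed From address), and shows how to push the result to one realm through the Admin REST API endpoint `PUT /admin/realms/{realm}`. The hostnames, addresses, realm name and App Password placeholder are constructed values, and the access token is assumed to have been obtained separately with rights to manage the realm.

```python
"""Keycloak realm SMTP settings: build, sanity-check, and push via the Admin REST API.

Added example for this guide, not Cloud-IAM's or Keycloak's own code. Keycloak keeps
the Email tab settings in the realm representation under `smtpServer`, a map whose
values are all strings ("true"/"false" for the toggles).
"""
import json
import urllib.request
from typing import Dict, List


def build_smtp_settings(host: str, port: int, sender: str, display_name: str,
                        username: str, app_password: str) -> Dict[str, str]:
    """Return the smtpServer map that Steps 1 and 3 of the guide produce in the console."""
    if port == 465:
        ssl, starttls = "true", "false"     # implicit TLS from the first byte
    elif port == 587:
        ssl, starttls = "false", "true"     # plaintext greeting, then STARTTLS upgrade
    else:
        raise ValueError(f"unsupported submission port {port}: use 587 (StartTLS) or 465 (SSL)")
    return {
        "host": host,
        "port": str(port),
        "from": sender,                      # address shown to users (Step 1)
        "fromDisplayName": display_name,
        "ssl": ssl,
        "starttls": starttls,
        "auth": "true",                      # Authentication toggle (Step 3)
        "user": username,                    # account that owns the App Password
        "password": app_password,
    }


def check_smtp_settings(cfg: Dict[str, str]) -> List[str]:
    """Return human-readable problems; an empty list means the map is consistent."""
    problems: List[str] = []
    ssl = cfg.get("ssl") == "true"
    starttls = cfg.get("starttls") == "true"
    port = cfg.get("port", "")
    if not cfg.get("host"):
        problems.append("host is empty")
    if ssl and starttls:
        problems.append("ssl and starttls are both enabled; choose one (465 -> SSL, 587 -> StartTLS)")
    if not ssl and not starttls:
        problems.append("neither ssl nor starttls is enabled: credentials and mail would be sent in clear text")
    if port == "465" and not ssl:
        problems.append("port 465 expects ssl=true")
    if port == "587" and not starttls:
        problems.append("port 587 expects starttls=true")
    if cfg.get("auth") == "true" and not (cfg.get("user") and cfg.get("password")):
        problems.append("auth is enabled but user or password is empty")
    sender = cfg.get("from", "")
    local, _, domain = sender.partition("@")
    if not local or "." not in domain:
        problems.append(f"from address {sender!r} is not a valid mailbox")
    return problems


def push_realm_smtp(base_url: str, realm: str, access_token: str, cfg: Dict[str, str]) -> int:
    """PUT the settings to one realm (assumes a token allowed to manage the realm). Returns the HTTP status."""
    url = f"{base_url.rstrip('/')}/admin/realms/{realm}"
    req = urllib.request.Request(
        url,
        data=json.dumps({"smtpServer": cfg}).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:   # Keycloak answers 204 No Content on success
        return resp.status


if __name__ == "__main__":
    # Constructed values mirroring the guide; the App Password is a placeholder.
    settings = build_smtp_settings("smtp.gmail.com", 587, "no-reply@acme.com",
                                   "NoReply ACME Company", "mailer@acme.com",
                                   "<APP_PASSWORD_PLACEHOLDER>")
    for problem in check_smtp_settings(settings):
        print("problem:", problem)
    # Uncomment with a real deployment URL and token to apply the settings to the realm:
    # push_realm_smtp("https://<deployment-host>", "acme-demo", "<ACCESS_TOKEN>", settings)
```

Because the guide requires the same configuration on every realm that sends mail, the push function takes the realm name as a parameter so it can be called once per realm with the same map; running the checker first catches the SSL/StartTLS mix-ups before any credentials leave your machine.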

Resources