UK SaaS onboarding email sequence on Resend + React Email: a 2026 walkthrough
Key Takeaways
- Transactional and marketing emails are different legal footings under UK law - keep them on separate Resend sends and separate lists.
- PECR soft opt-in is the default legal basis for marketing to paying customers and trial sign-ups - no separate tick-box is required if similar products and an unsubscribe are in place.
- Send on Tuesday-Thursday 09:30-11:00 and 15:00-17:00 UK time for best open rates with UK audiences.
- First email ships in 10 minutes with Resend + React Email + a Server Action - DKIM/SPF/DMARC must already be configured on the domain.
- Every marketing email needs unsubscribe, sender identity, and a UK business address in the footer to meet PECR requirements.
Every US SaaS onboarding guide in 2026 is built on the same foundation: seven emails over 14 days, with a welcome, feature highlights, activation nudges, and a social-proof section. That is the right shape. It is also the wrong compliance framing for a UK SaaS.
This is the UK-native walkthrough. Seven-email sequence. Resend + React Email on Next.js. UK compliance (ICO soft opt-in, PECR, DUA Act 2025) baked into each email. UK-hour send scheduling. Stripe GB billing email samples. TypeScript/TSX snippets throughout. Copy-paste ready for an indie SaaS shipping this weekend.
Prerequisite: your domain has SPF, DKIM, and DMARC configured (walk-through in .co.uk for UK indie hackers). Resend is verified. You have a sign-up flow that captures email plus consent. Let's go.
The single most important UK email rule
Transactional and marketing are different legal footings. Never send them on the same basis.
- Transactional (welcome, receipts, password resets, activation nudges, usage notifications) can go to any user who signed up. No consent tick-box needed. Legal basis: contract performance under UK GDPR.
- Marketing (new-feature announcements, upgrade prompts, newsletters) needs either explicit consent or PECR soft opt-in. Unsubscribe link mandatory. Sender identity mandatory. UK business address mandatory.
The practical implication: transactional emails go through the Resend API directly. Marketing emails go through Resend Audiences (separate list, separate unsubscribe mechanics). Never blur the two.
The seven-email sequence
Each email is numbered, timed, legally footed, and paired with a React Email TSX snippet.
Email 1 - Welcome + quick start (send T+0, transactional)
Purpose: confirm sign-up, get them to first meaningful action. Legal basis: contract performance (UK GDPR Art. 6(1)(b)). UK-hour timing: send immediately on sign-up - no delay queue needed for this one.
// emails/welcome.tsx
import { Html, Head, Body, Container, Heading, Text, Button, Link } from '@react-email/components';
export default function Welcome({ firstName, ctaUrl }: { firstName: string; ctaUrl: string }) {
return (
<Html>
<Head />
<Body style={{ fontFamily: 'system-ui, sans-serif', padding: 24 }}>
<Container style={{ maxWidth: 520 }}>
<Heading as="h1">Welcome, {firstName}.</Heading>
<Text>You are in. Your account is live and you can start using [product] right now.</Text>
<Text>The single next step that gets you value fastest: [one-line action].</Text>
<Button href={ctaUrl} style={{ backgroundColor: '#111', color: '#fff', padding: '12px 20px', borderRadius: 6 }}>
[CTA text]
</Button>
<Text>If something is not working, reply to this email - I read every one.</Text>
<Text>Tim</Text>
<Text style={{ fontSize: 12, color: '#666', marginTop: 32 }}>
[Your Company Name] Ltd, [UK registered office address], UK.<br />
ICO registered: [ICO number].<br />
<Link href="https://yoursite.co.uk/privacy">Privacy policy</Link>
</Text>
</Container>
</Body>
</Html>
);
}
API call:
import { Resend } from 'resend';
import Welcome from '@/emails/welcome';
const resend = new Resend(process.env.RESEND_API_KEY);
await resend.emails.send({
from: 'Tim <tim@yoursite.co.uk>',
to: user.email,
subject: `Welcome to ${productName}`,
react: <Welcome firstName={user.firstName} ctaUrl={`https://yoursite.co.uk/start?uid=${user.id}`} />,
});
Email 2 - First feature (send T+24h, transactional)
Purpose: if they have not activated yet, guide them to the most valuable feature. Legal basis: contract performance. UK-hour timing: send at 10:00 UK time the day after sign-up (not 24h exactly - the UK-hour slot matters more than the exact delay).
Tone: direct, personal, one specific action. Not a feature tour.
Email 3 - Activation nudge (send T+48h, transactional, behaviour-gated)
Purpose: if they have not completed the core action (defined by your product), one gentle prompt.
Legal basis: contract performance.
Condition: only send if user.activated_at === null.
UK-hour timing: 15:00 UK time on day 3.
Example gate in TypeScript:
const user = await getUser(uid);
if (user.activated_at) return; // skip - they are in
await resend.emails.send({
from: 'Tim <tim@yoursite.co.uk>',
to: user.email,
subject: `Quick nudge on ${productName}`,
react: <ActivationNudge firstName={user.firstName} ctaUrl={`https://yoursite.co.uk/start?uid=${user.id}`} />,
});
Email 4 - Social proof + reference customer (send T+5 days, soft-opt-in-transactional)
Purpose: introduce a short reference case to build confidence. Legal basis: transactional-adjacent. The product is still in the activation window so contract performance applies, but you are starting to soft-transition to marketing content. PECR soft opt-in covers this safely. UK-hour timing: Tuesday-Thursday 15:00 UK time.
One paragraph of customer context, one quote, one link. Never more.
Email 5 - Feedback check-in (send T+7 days, transactional)
Purpose: invite a reply, not a tick-box survey. Legal basis: contract performance. UK-hour timing: Wednesday 10:00 UK time (highest UK reply rate in SaaS data).
Copy that works:
How is it going with [product]? I am building it in public and your feedback - good, bad, or indifferent - shapes the next version. Reply to this email if you have a moment. I read every reply.
That email should arrive from a person, not a noreply@ address. Reply-to tim@. The reply rate on this email is the single best signal of whether your onboarding is working.
Email 6 - Broadcast announcement (send T+14 days, marketing)
Purpose: first genuinely marketing-framed email. A new feature, a new tier, a new integration. Legal basis: PECR soft opt-in (user gave email in the course of a paid or trial sign-up; content is related product/service; unsubscribe present). UK-hour timing: Thursday 10:00 UK time.
This email MUST have:
- Unsubscribe link (Resend Audiences handles automatically).
- Sender identity (your legal name).
- UK business registered office address in the footer.
- ICO number if you have one.
Switch from Resend API direct to Resend Audiences at this point.
await resend.broadcasts.create({
audienceId: process.env.RESEND_MARKETING_AUDIENCE_ID,
from: 'Tim <tim@yoursite.co.uk>',
subject: `New: ${featureName}`,
react: <FeatureAnnouncement featureName={featureName} ctaUrl="https://yoursite.co.uk/feature-x" />,
});
await resend.broadcasts.send({
id: createdBroadcast.id,
scheduledAt: '2026-04-30T09:00:00Z', // 10:00 UK time (BST)
});
Email 7 - Upgrade prompt (send T+30 days, marketing)
Purpose: if the user is on a free or trial tier, invite them to upgrade. Legal basis: PECR soft opt-in. UK-hour timing: Wednesday 15:00 UK time.
Short, specific, data-backed. What they have used, what a paid tier unlocks, one clear CTA to upgrade. GBP pricing. VAT note if relevant.
Stripe GB billing email examples
Three automated billing emails you should set up in Resend alongside Stripe webhooks.
Payment succeeded
Triggered by invoice.payment_succeeded webhook. Sent immediately. Transactional.
Key fields: GBP amount, VAT breakdown if applicable, invoice PDF link, next billing date.
Payment failed
Triggered by invoice.payment_failed. Sent immediately with a calm "let us fix this" tone. Transactional.
Include: what failed, how to update the card, a direct link to the Stripe Customer Portal, your reply-to email for help.
Subscription cancelled
Triggered by customer.subscription.deleted. Sent immediately. Transactional.
Include: confirmation of cancellation, the access-until date, a "come back anytime" link, a one-line request for honest feedback.
All three use Resend API direct (transactional), never Audiences. UK business address in the footer.
UK compliance checklist
A one-page audit before you ship the sequence.
- Sign-up page captures email and displays a privacy policy link.
- Privacy policy states: data you collect, why, how long you keep it, ICO number, your UK registered office.
- Domain has SPF, DKIM, DMARC (start DMARC at
p=none). - Resend is verified for your domain.
- Transactional API sends go to individual addresses with
react:template. - Marketing sends go through Resend Audiences with unsubscribe mechanics.
- Every marketing email has: unsubscribe link, sender identity, UK business address.
- Every transactional email has: your UK business address (lighter footer, but still present), privacy-policy link, reply-to person.
- DUA Act analytics check: if you use tracking pixels or link rewriting, your main analytics stack is exempt (Plausible, Vercel Analytics, or Umami self-hosted).
- UK-hour send scheduling is configured (delay queue or Resend scheduledAt).
Ten items, all achievable in one afternoon. The entire sequence ships in a day.
Five failure modes
1. Mixing transactional and marketing sends
Sending a "new feature" announcement through the transactional API bypasses unsubscribe mechanics. Even if the user signed up recently, PECR requires marketing emails have an unsubscribe link. Separate endpoint, separate list, always.
2. Using noreply@ for the feedback email
Email 5 asks for a reply. A noreply@ address breaks the ask and kills reply rate. Always reply-to the founder email.
3. Sending at 3am UK time "because the delay queue ran"
UK customers see the send timestamp. 3am sends read as spam even if the content is not. Always schedule to the next UK-hour window, not the raw T+X delay.
4. Forgetting the UK business address in the footer
PECR and UK GDPR both require sender identification. A missing UK address on a marketing email is a breach. Also loses trust with sophisticated UK buyers who scroll to the footer.
5. Writing in US tone
"Crushing it with our new feature!" to a UK audience reads as noise. "New feature this week. Short guide below. Let me know what you think." reads as credible. Match the tone to the audience.
30-minute ship checklist
- Install
resendand@react-email/components(pnpm add resend @react-email/components). - Create
emails/welcome.tsx,emails/activation-nudge.tsx, etc. (snippets above). - Add
RESEND_API_KEYandRESEND_MARKETING_AUDIENCE_IDto.env.localand Vercel. - Wire the welcome send into your sign-up Server Action.
- Set up a cron or delay queue for Emails 2-7 (Vercel Cron or Inngest).
- Add Stripe webhooks for payment-succeeded, payment-failed, subscription-cancelled.
- Create a Resend Audience for marketing and save the ID.
- Wire the broadcast pipeline for Emails 6-7.
- Send a test from your dev account; check DMARC headers in Gmail.
- Ship.
Frequently Asked Questions
What is the PECR soft opt-in and why does it matter for my SaaS?
PECR reg 22(3) lets you send marketing emails to someone who has given you their address in the course of negotiating a sale or a subscription, as long as the emails are about similar products or services and every message has a clear unsubscribe link. For a UK SaaS, that means a paying customer can be emailed about new features, pricing tiers, or the next product - without a separate marketing-opt-in tick-box - as long as the unsubscribe link works and the content is adjacent. A free trial sign-up also qualifies if the user was negotiating a purchase. Confirm the soft-opt-in basis in your privacy policy, keep the unsubscribe link in every marketing email, and honour unsubscribes within 72 hours. That is the entire rule. It gives UK indie hackers more freedom than most US-focused guides suggest.
Can I track opens and clicks in a transactional email without a cookie banner under DUA Act 2025?
Open tracking uses a 1x1 pixel hosted on your domain, which under DUA Act 2025 counts as a first-party tracker doing statistical measurement - exempt from the cookie banner requirement if your overall site uses exempt-only analytics. Click tracking via link rewriting is a server-side redirect, not a client-side cookie, and carries no banner implications. Practical answer: you can track opens and clicks in transactional email on a UK SaaS that uses Plausible, Vercel Analytics, or Umami self-hosted - all exempt under DUA Act. You cannot track with GA4 analytics pings inside email without banner-captured consent, because GA4 is not exempt. The full decision tree is in [the DUA Act cookie exemption deep-dive](/blog/dua-act-cookie-exemption-uk-saas-2026).
What time should I send onboarding emails to UK customers?
Two UK windows consistently outperform others for SaaS: Tuesday to Thursday, 09:30-11:00 and 15:00-17:00 UK time. Tuesday-Thursday avoids the Monday-morning inbox flood and the Friday disengagement. 09:30 catches the morning commute/coffee moment. 15:00-17:00 catches the post-lunch lull. Avoid Monday mornings (worst open rates in UK B2B data), Friday afternoons (lowest engagement), and anything between 22:00 and 07:00 (sends land but reads happen hours later, and the 'sent at 3am' look erodes trust). For time-zone-free send logic, schedule by the recipient's sign-up time stamp shifted to the next UK business-hour slot - React Email and Resend both support this through delay queues.
Do I need a separate marketing list in Resend Audiences or can I send everything from one list?
Separate lists, always. Transactional emails (welcome, receipts, password resets, activation) go through the Resend API directly without a list. Marketing emails (announcements, new-feature broadcasts, upgrade prompts) go through Resend Audiences with explicit list membership. The reason is partly technical (you want transactional emails to bypass list-based send limits and rate limits) and partly compliance (unsubscribes from marketing should not unsubscribe from transactional, and vice versa). The practical split: a transactional API call for anything a paying customer needs for the product to work; an Audiences list for anything promotional, educational, or conversion-focused. Audiences also handles unsubscribe mechanics automatically, which is a PECR requirement for marketing.
How do I handle GDPR Article 14 disclosure when sending onboarding emails?
Article 14 applies when you collect personal data indirectly. For onboarding emails to customers who gave you their address at sign-up, Article 13 applies instead - direct collection - and the disclosure is usually handled in your sign-up page privacy notice or a short privacy policy link in the first welcome email. Keep the welcome email's footer tidy: your legal name, UK business address, ICO number, link to the full privacy policy. If you are emailing people whose addresses you acquired indirectly (e.g. imported from a CSV), Article 14 requires a separate data-provenance statement within the first email - you would not usually use that pattern for indie-hacker SaaS onboarding. Stick to direct-consent sign-up and Article 13, and the disclosure burden is light.
Topics
