When rotating API keys, always use the key the client used to authenticate to Mailgun in signing webhooks. The issue is that when a new key gets generated usually we cannot update it everywhere immediately so we use the old key for a period of time, but Mailgun starts signing webhook calls immediately with the new API key resulting in invalid signatures and loss of data on our side.