Mailgun provides an excellent service. However, a recent change was made to the API: 400 Bad Request is returned if the address is not valid.

The validation is a deep check that is not commonly performed (in my experience), including checking the domain for a MX record and effective TLD names (using https://publicsuffix.org/list/effective_tld_names.dat).

The issue with this is

1) There are no clear distinction between an invalid API request and invalid content. E.g. you get a 400 bad request if a required parameter is missing and if the email address is invalid

• Currently the documentation states: "Bad Request - Often missing a required parameter" (https://documentation.mailgun.com/en/latest/api-intro.html#errors)

2) The API message (HTTP body) contains no error codes. Which makes it less suitable for containing a vast amount of different poorly related errors

3) Implementation making the request to the API gets mixed with implementation handling bounces and dropped messages

• In my case, we have a stable implementation that uses the API. A bad request is not expected and a serious indication of a breaking change to the API, since the usage of the API is stable

• Now we need to parse strings such as "'to' parameter is not a valid address. please check documentation" to detect problems with the content, even though we also have API hooks established

• The lack of separation of issues is a problem

The suggested solution

a) Accept the message (200 OK from the API)

• Keep the distinction clear: a bad request is only about the API (the abstract meta only) - never about content itself

b) Drop the message immediately and invoke API hooks

• Please note that this is not about "drop immediately or wait and retry"

• The only difference is: how is a immediate drop communicated? It should be communicated via the established API hooks (single channel with single purpose) and not via API response codes "just because the API connection is still active"

• Compare this to suppressions: whether an address is suppressed or not is something known when the API is called. But it's not communicated via a 400 Bad Request or a 418

Finally, quoting RFC 7231 (https://tools.ietf.org/html/rfc7231#section-6.5.1)

"The 400 (Bad Request) status code indicates that the server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing)"

Please keep the layers separated.

Security Feature:

It should be possible to restrict the call types that your API key is able to make in order to reduce the impact of a leaked/breached key.

For example, if my API key is accidentally exposed, an attacker could then go on to exfiltrate data from my account.

If it were possible to lock down your API key so that it can only make certain call types, the impact of such a breach would be drastically reduced.

For example, I could lock down my key so that it is only permitted to add/send emails to a particular mailing list. If the key were to be breached, the attacker would only have limited access, hopefully preventing a full-scale breach.

Hello,

I think it would be interesting (from a stats perspective) if you can provide another API endpoint to get the current stats by domain and credentials.

An example:

Imagine the domain.com has 3 SMTP login:
- postmaster@domain.com
- newsletter@domain.com
- autoresponse@domain.com

Now we can get stats from domain.com (so we can get the domain has sent 300 messages), but we don't know if we have sent these messages using the autoresponse@domain.com account or using newsletter@domain.com or any other account that we can create.

If you can consider this new feature I think will be nice from a Stats and Marketing perspective, to know how the company is in touch with the registered users.

Thanks for your time.

Cheers,