Hello,

I think it would be interesting (from a stats perspective) if you can provide another API endpoint to get the current stats by domain and credentials.

An example:

Imagine the domain.com has 3 SMTP login:
- postmaster@domain.com
- newsletter@domain.com
- autoresponse@domain.com

Now we can get stats from domain.com (so we can get the domain has sent 300 messages), but we don't know if we have sent these messages using the autoresponse@domain.com account or using newsletter@domain.com or any other account that we can create.

If you can consider this new feature I think will be nice from a Stats and Marketing perspective, to know how the company is in touch with the registered users.

Thanks for your time.

Cheers,

Mailgun provides an excellent service. However, a recent change was made to the API: 400 Bad Request is returned if the address is not valid.

The validation is a deep check that is not commonly performed (in my experience), including checking the domain for a MX record and effective TLD names (using https://publicsuffix.org/list/effective_tld_names.dat).

The issue with this is

1) There are no clear distinction between an invalid API request and invalid content. E.g. you get a 400 bad request if a required parameter is missing and if the email address is invalid

• Currently the documentation states: "Bad Request - Often missing a required parameter" (https://documentation.mailgun.com/en/latest/api-intro.html#errors)

2) The API message (HTTP body) contains no error codes. Which makes it less suitable for containing a vast amount of different poorly related errors

3) Implementation making the request to the API gets mixed with implementation handling bounces and dropped messages

• In my case, we have a stable implementation that uses the API. A bad request is not expected and a serious indication of a breaking change to the API, since the usage of the API is stable

• Now we need to parse strings such as "'to' parameter is not a valid address. please check documentation" to detect problems with the content, even though we also have API hooks established

• The lack of separation of issues is a problem

The suggested solution

a) Accept the message (200 OK from the API)

• Keep the distinction clear: a bad request is only about the API (the abstract meta only) - never about content itself

b) Drop the message immediately and invoke API hooks

• Please note that this is not about "drop immediately or wait and retry"

• The only difference is: how is a immediate drop communicated? It should be communicated via the established API hooks (single channel with single purpose) and not via API response codes "just because the API connection is still active"

• Compare this to suppressions: whether an address is suppressed or not is something known when the API is called. But it's not communicated via a 400 Bad Request or a 418

Finally, quoting RFC 7231 (https://tools.ietf.org/html/rfc7231#section-6.5.1)

"The 400 (Bad Request) status code indicates that the server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing)"

Please keep the layers separated.

Security Feature:

It should be possible to restrict the call types that your API key is able to make in order to reduce the impact of a leaked/breached key.

For example, if my API key is accidentally exposed, an attacker could then go on to exfiltrate data from my account.

If it were possible to lock down your API key so that it can only make certain call types, the impact of such a breach would be drastically reduced.

For example, I could lock down my key so that it is only permitted to add/send emails to a particular mailing list. If the key were to be breached, the attacker would only have limited access, hopefully preventing a full-scale breach.

The Mailgun Plugin for WordPress needs to be updated. https://wordpress.org/plugins/mailgun/ I am a fan of MailGun and want to see you all succeed. Currently there is a warning banner on the WordPress plugin repository saying that the plugin has not been tested with the last 3 major releases of WordPress. This plugin currently has over 90,000 installs - I'm sure many are paying customers.

Also, it would be great to integrate error reporting into the plugin so WordPress is notified when an email fails to send. This way other plugins, such as WP Mail Log, can pick up and report on that error.

When a message is sent to a domain without an MX record (498), mailgun attempts to send the message for up to 8 hours. Each attempt will be recorded as a failed event with severity = "temporary". The reason is set to "generic" for each attempt except the final attempt which is set to "old".

This final attempt failure event should have severity = "permanent" so you can use the Permanent Failure webhook to observe this dropped message.

Currently, you must also use the Temporary Failure webhook and inspect the reason property to see if the temporary failure is effectively a permanently dropped old message.