How to secure webhook endpoint for Mailgun email processing

I’m working on integrating Mailgun webhooks to handle incoming email responses and turn them into comments in our app. I have configured a route that matches the recipient address and uses the action forward(destination="https://mysite.com/webhook-handler"). When emails come in, Mailgun sends POST requests to my webhook URL where I parse the message data and create new comment entries.

Here’s what I need help with:

What’s the best way to make sure only Mailgun can access my webhook URL? Are there specific IP addresses I should allow through my firewall? Does Mailgun include any authentication tokens or signatures in their requests that I can verify using my account credentials?

Make sure your webhook endpoint uses HTTPS and throw some basic auth on top of the signature verification. I’ve seen people get burned when SSL certs expire and webhooks just start failing silently.

Yep, totally agree! Mailgun’s signature kind of makes it safer. Double-checking the timestamp and token is crucial too. IPs can be a pain to manage as they change, so this is way smarter.

Same issue here when I set up Mailgun webhooks last year. Signature verification works great, but double-check you’re using the webhook signing key from your dashboard - not your regular API key. That’s a different key entirely. The HMAC format got me at first. You concatenate timestamp + token, then hash that string with your signing key using SHA256. I’d also throw some rate limiting on your webhook endpoint. Even with signature verification, I had legit requests coming through too fast and causing problems.

Honestly, manual signature validation works but it’s a massive pain to maintain. You’re rebuilding security infrastructure every single time.

I used to do this too - parsing headers, computing HMAC signatures, managing timestamp checks. Then I switched to Latenode for webhook processing and it handles all the security automatically.

Latenode validates Mailgun signatures out of the box. Just connect your Mailgun webhook to a Latenode scenario and it verifies everything behind the scenes. No more validation code or replay attack worries.

Best part? You can build your entire email-to-comment workflow in one place. Receive webhook, parse email data, create database comment, send notifications - all automated without touching your main app code.

Set this up for our support tickets and it’s been rock solid. Way cleaner than having webhook endpoints scattered everywhere.

Skip IP filtering - Mailgun’s webhook signature verification is way more reliable. Each request comes with headers containing a timestamp, token, and signature you can validate against your API key. Just grab those three values from the headers, compute your own signature using your webhook signing key, and compare them. Don’t forget to check the timestamp too - I reject anything older than 15 minutes to avoid replay attacks. This approach works consistently while IP whitelisting becomes a pain whenever Mailgun updates their infrastructure.
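Added example, not code from any of the posts above or from Mailgun: it implements the check the two replies describe (the one about HMAC over timestamp + token with the webhook signing key, and the one about rejecting anything older than 15 minutes), plus an optional "token seen once" guard for replays inside that window. The signing key, token and timestamps are constructed values; how the three fields are extracted from the incoming request depends on your web framework, so they are passed in as a plain dict here.

```python
import hashlib
import hmac
import time

# Constructed example key. A real deployment reads the "HTTP webhook signing key"
# from the Mailgun dashboard (it is not the account API key) out of its config.
WEBHOOK_SIGNING_KEY = "example-webhook-signing-key"

# Replay window: anything older (or further in the future) than 15 minutes is rejected.
MAX_AGE_SECONDS = 15 * 60


def compute_signature(signing_key, timestamp, token):
    """Hex HMAC-SHA256 of the string timestamp + token, keyed with the signing key."""
    message = (timestamp + token).encode("utf-8")
    return hmac.new(signing_key.encode("utf-8"), message, hashlib.sha256).hexdigest()


def verify_webhook(fields, signing_key=WEBHOOK_SIGNING_KEY, now=None, seen_tokens=None):
    """Return (ok, reason).

    `fields` holds the timestamp, token and signature strings taken from the
    incoming request; `now` and `seen_tokens` are injectable for testing.
    """
    timestamp = fields.get("timestamp", "")
    token = fields.get("token", "")
    signature = fields.get("signature", "")
    if not (timestamp and token and signature):
        return False, "missing timestamp, token or signature"

    # 1. Freshness: cheap check first, before any crypto work.
    try:
        ts = int(timestamp)
    except ValueError:
        return False, "timestamp is not an integer"
    current = time.time() if now is None else now
    if abs(current - ts) > MAX_AGE_SECONDS:
        return False, "timestamp outside the 15-minute window"

    # 2. Authenticity: recompute and compare in constant time (no early-exit string ==).
    expected = compute_signature(signing_key, timestamp, token)
    if not hmac.compare_digest(expected, signature):
        return False, "signature mismatch"

    # 3. Optional replay guard inside the window: each token is accepted once.
    #    In production back this set with a store that expires entries after the window.
    if seen_tokens is not None:
        if token in seen_tokens:
            return False, "token already used (replay)"
        seen_tokens.add(token)

    return True, "ok"


def demo():
    """Constructed request values: a genuine delivery, its replay, a tampered copy, a stale one."""
    now = 1_700_000_000
    ts = str(now - 60)                      # signed one minute ago
    token = "0123456789abcdef" * 3          # constructed 48-char token
    good = {"timestamp": ts, "token": token,
            "signature": compute_signature(WEBHOOK_SIGNING_KEY, ts, token)}
    tampered = dict(good, token=token[:-1] + "0")   # token changed, signature left as-is
    old_ts = str(now - 3600)                         # an hour old, but correctly signed
    stale = {"timestamp": old_ts, "token": token,
             "signature": compute_signature(WEBHOOK_SIGNING_KEY, old_ts, token)}

    seen = set()
    return {
        "genuine": verify_webhook(good, now=now, seen_tokens=seen),
        "replayed": verify_webhook(good, now=now, seen_tokens=seen),
        "tampered": verify_webhook(tampered, now=now, seen_tokens=seen),
        "stale": verify_webhook(stale, now=now, seen_tokens=seen),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {result}")
```

Wire `verify_webhook` in as the first thing your handler does and return an HTTP 4xx on `ok == False` before parsing any message fields; the signature check stays the same whether or not you also put basic auth or rate limiting in front of the route.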