Be Careful with Mailgun Laravel-ers – Nuked Account

Hi All Laravelers

We have been a loyal mailgun user for forever - and we are not just a little freebie account - we use them and pay them every month, sending around 50k **transactional** emails.

So that's no mass emails, no newsletters, just things like booking confirmations and so on.

We woke a few days ago to find that something on our account had been compromised and we needed to contact support. Our account was disabled for the domain in question. Well, what they actually mean is that they nuked the whole account.

Fine - I get security, we live it here, so in goes the ticket to explain what this account is used for (and like all our accounts, there is no mass emailing, nor has there been) as per their exact requirements, answering all their questions. There has been no compromise on our account (e.g. there hasn't been any unauthorised sending of information) or anything like that we can see.

Three days on, our account is still disabled - meaning nothing is getting sent.

We haven't heard a single thing from them, all the while our customers are in limbo.

So this is a warning to all those who need transactional or other emails - be very careful about using Mailgun. Having a supplier just disable your account with no support methodology to resolve and zero feedback from them is hardly a good place to put your systems and customers.

We are moving everything over to SES, which is fine - but we had no reason to move from Mailgun - it's been fine. (That said, we have noticed how much quicker SES is in getting the email into the inbox!)

As always - with all systems, things are always fine when they are working. But the real test of a great service is when something goes wrong (either on your side or theirs) and how they deal with and resolve that. It would appear Mailgun fails super hard.

20 thoughts on “Be Careful with Mailgun Laravel-ers – Nuked Account”

  1. Didn’t someone mention a spam / phishing campaign targeting mailgun a while back?

    Something like – Some security thingy happened – Click this link and login to mailgun…

    Pretty sure I've even seen some of these in our spam filter…

    Edit: Yup, got [a few of them](https://i.imgur.com/kp6z8m7.png) in the spam filter. Seems like they are either sent from services that use Mailgun or spoofed to look like support tickets / notifications from Mailgun.

    Hope you didn’t click any shady URLs…

  2. It’s well worth having more than one email provider set up – DKIM, SPF, API keys, etc. Switch every so often just to test your disaster response readiness; if you can make it so a one-line switch to `MAIL_DRIVER` in `.env` does the trick, it may save you from disruption in the future.

  3. I also use both Mailgun and SES, mainly for contact-us/confirmation type email. SES is great, while I can confirm that Mailgun was crap. So bad that it was easier for me to switch to an email server from a cPanel-type service instead of Mailgun. Their shared IPs are usually flagged due to spammers. I even bought a dedicated IP and that didn't work out very well either.

    SES is great. We run many websites so we can get spam from attacks. SES has a dashboard that tells you your reputation score/percentage. Make sure you stay under it or they turn off the service. They send you an email to warn you pretty early, though. To reduce issues, I make sure to validate the email and domain before I send out to SES.

  4. We had a similar experience. We were sending well over 50k transactional emails per month through them. Support couldn’t even be bothered to reply to our requests for assistance.

    We had a really good standing with them for years and always maintained a really low bounce rate. Then overnight they locked our account.

    Now we constantly test our live system integrations with multiple providers including SES, Mandrill and Sendgrid. This way we can change at a moment's notice.

  5. It feels like all services these days are far too quick to terminate or put your account on hold, without even any dialogue. I’ve had it happen with Facebook, Google & Stripe, all for a legitimate product and service.

    So you get an email and realise essentially your entire website is out of commission and then you have to chase them and justify everything and answer a few questions and then they go, oh, OK, sure, your account is up again. Why not do that first before halting the account?

    Leaves a real sour taste and a realisation of how vulnerable you are. As others have said, it's well worth building in some redundancy/duplication.

  6. For anybody who doesn’t know, unless you pay for a certain package you only get basic “best efforts” ticket support.

    If you pay for live support you get phone numbers, live chat, etc.

  7. EXACT same thing happened to us. For 3+ years we had been using Mailgun to send ~30k transactional emails per month (order confirmations, password reminders, etc.) and out of the blue they completely disabled our account and it took several days to get it reinstated. They ultimately said one of our sending domains had been compromised but we were never able to get any additional details. And it wasn't even the sending domain we were using for our transactional emails.

    Luckily I had built an automatic mail service fall back system so that when Mailgun API calls stopped working, our messages were then automatically re-sent via Sendinblue which we had set up as a backup like u/ceejayoz recommends. And now I have another service set up in case Sendinblue fails.

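The automatic fall-back this commenter describes, and the one-line provider switch suggested in comment 2, as an added example (this is not code from the thread, from Mailgun, or from any Laravel project): a small service that tries each configured mailer in turn and only raises once every provider has refused the message. It assumes Laravel 7 or later (where `Mail::mailer('name')` selects a mailer from `config/mail.php`), PHP 8.0 or later, and that mailers named `mailgun`, `ses` and `sendinblue` are configured; those names and the `FailoverMailer` class are hypothetical.

```php
<?php
// Added example, not code from the thread or from any project it mentions.
// Assumes Laravel 7+ (Mail::mailer) and PHP 8.0+ (constructor promotion).
// The mailer names below are placeholders for whatever config/mail.php defines.

namespace App\Mail;

use Illuminate\Contracts\Mail\Mailable;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\Mail;
use RuntimeException;
use Throwable;

class FailoverMailer
{
    /** @param string[] $mailers Mailer names, in order of preference. */
    public function __construct(
        private array $mailers = ['mailgun', 'ses', 'sendinblue'],
    ) {
    }

    /**
     * Send through the first mailer that accepts the message.
     * Returns the name of the mailer used so the caller can record it.
     *
     * @throws RuntimeException when every configured mailer failed
     */
    public function send(string $to, Mailable $mailable): string
    {
        $failures = [];

        foreach ($this->mailers as $name) {
            try {
                Mail::mailer($name)->to($to)->send($mailable);

                if ($failures !== []) {
                    // A fallback was used: make that visible so someone
                    // investigates the primary provider instead of finding
                    // out days later that it has been disabled.
                    Log::warning('Mail sent via fallback mailer', [
                        'mailer' => $name,
                        'failed' => array_keys($failures),
                    ]);
                }

                return $name;
            } catch (Throwable $e) {
                // Provider outage, revoked API key, disabled account, DNS
                // failure: record the reason and move to the next provider.
                $failures[$name] = $e->getMessage();
                Log::error('Mailer failed', [
                    'mailer' => $name,
                    'error'  => $e->getMessage(),
                ]);
            }
        }

        throw new RuntimeException(
            'All mailers failed: ' . json_encode($failures)
        );
    }
}

// Usage (typically from a queued job so a slow provider does not block a request):
// $used = (new FailoverMailer())->send($order->email, new OrderConfirmation($order));
```

Two points matter when relying on this. First, every provider in the list must already carry the sending domain's DKIM and SPF records (the point comment 2 makes); a fallback that is correctly called but whose mail lands in spam is not a fallback. Second, on Laravel 9 or later the same ordering can be declared without custom code as a mailer with `'transport' => 'failover'` and a `'mailers' => ['mailgun', 'ses']` list in `config/mail.php`, then selected with `MAIL_MAILER=failover` in `.env`; the class above is for the older releases this thread was written against.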
  8. In contrast, I have an account with MailGun and have used them for a long time. Only for transactional emails.

    Multiple times I had an issue where certain email providers weren’t able to receive mail from the mailgun servers. Apparently I was bundled with an IP address that had been blacklisted by a few prominent mail services. They moved me to a new IP and everything was smooth.

    On the positive side, they moved the account and everything worked out.

    On the negative side, this has happened 3 separate times for 3 separate projects. They all moved successfully and within a day or two but still.

    Note: These instances were on the free tier so I'm sure it was lumped in with some bad actors. After proving the mail my applications send was transactional and explaining it, they were quick to update.

    Just my two cents!

    Cheers

  9. For those of you that have switched from Mailgun to SES, how do you handle tracking deliveries, opens, clicks, failures, etc.? We're sending 7-figure email volumes per month with a dedicated IP and always have great response times to our support tickets, and the service has been great for us. But stories like these make me nervous, so I'd like to begin exploring alternatives like SES and Postmark.

  10. I've been a fan of SES for years but clients are accustomed to seeing click and open rates, which SES doesn't provide. It's either on us to embed a pixel of our own or use something else. Most mailers have limits on contacts, which is another reason why we've mostly been using SES, as we have hundreds of thousands of contacts but extremely low mail volume. We normally wouldn't send more than 200 emails a month, with occasional bursts to 50k once a year. My only real issue(s) with SES is that you have to do all the work yourself, which is a pain. And clients' expectations of open rates are hard to match to existing services. This summer someone was able to hack our SES credentials and send about 50k emails, which all got flagged. We reset everything and AWS support was actually fairly straightforward to deal with.

  11. We actually ended up switching back the other way (from SES to mailgun) a while ago. We don’t send anywhere near 50k emails a month. Probably more like 5k. The biggest thing for us was the mailgun logs but more specifically the delivery reporting. Now if a customer doesn’t get their emails it’s much easier to pinpoint if it was our fault or theirs because we can prove “the email did get delivered”.

  12. Hey, just joining in to say we had almost exactly the same experience with Mailgun. We moved to SES as a result. We’re still not sure how we were compromised.

    Any of you with similar stories, please PM me. It might help if we compare notes.

  13. We're on a grandfathered Mandrill account since 2015 when, I think, it first released. It's been great, even after the merge with Mailchimp, but this is a good reminder. I don't think we'd be able to switch services at the flip of a .env switch either.

  14. You really should cycle your mail relays if possible! You want to keep the IPs warm. It would be real hard to cut over with so many emails on a cold IP.

    Good read! Thanks.

  15. Wow, after 4 days Mailgun finally responded.

    They are saying one of the accounts / domains was sending out spam.

    Well, I just rechecked the logs, and there is no spam – and the volume from that domain is like 8 per day max. And they are obviously transactional and valid.

    So they are either complete rubbish or their logs are even worse (which makes you wonder what you're paying for).

    I have been asked to change passwords, 2FA (which we already had) – and all our passwords are managed and 50-character randoms (we use LastPass).

    So now again I have to wait for a response to see if they will unblock. I've started the timer!

  16. There really should be a package or package extension which deals with this for Laravel.

    While we have the drivers for SES / Mailgun, it wouldn't be hard for a package to be written which would allow a couple of DB tables to be created and manage the logging of emails using the SES events, and give our community a complete solution without the middleman risk of Mailgun.

    I'm not saying SES is a saint of a service, it isn't – but it is a good simple 'send and forget and it will most likely arrive' – so a bit of work and that will be a gold level solution!

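The SES-event logging this comment asks for, as an added example (not code from the thread or from any existing package): a Laravel controller that receives SES bounce, complaint and delivery notifications via SNS, verifies the SNS signature before trusting the body, and writes one row per affected recipient into a local table. It assumes SES is configured to publish feedback notifications to an SNS topic with an HTTPS subscription pointing at this route, the Composer package `aws/aws-php-sns-message-validator` is installed, and a hypothetical `mail_events` table exists with the columns `message_id`, `recipient`, `event_type`, `sub_type`, `raw` and `occurred_at` (its migration is not shown). The class and table names are assumptions; the notification field names are those SES documents.

```php
<?php
// Added example, not code from the thread or from any package it mentions.
// Assumes: SES -> SNS topic -> HTTPS subscription to this route;
// composer package aws/aws-php-sns-message-validator;
// a 'mail_events' table (hypothetical) with message_id, recipient,
// event_type, sub_type, raw (json text) and occurred_at (ISO-8601 string).

namespace App\Http\Controllers;

use Aws\Sns\Exception\InvalidSnsMessageException;
use Aws\Sns\Message;
use Aws\Sns\MessageValidator;
use Illuminate\Http\Request;
use Illuminate\Http\Response;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Http;

class SesEventController extends Controller
{
    public function __invoke(Request $request): Response
    {
        $message = Message::fromJsonString($request->getContent());

        // Verify the SNS signature first. Without this, anyone who finds the
        // endpoint can post forged "bounces" and poison the delivery record.
        try {
            (new MessageValidator())->validate($message);
        } catch (InvalidSnsMessageException $e) {
            return response('invalid signature', 403);
        }

        if ($message['Type'] === 'SubscriptionConfirmation') {
            // One-time handshake when the SNS subscription is created.
            Http::get($message['SubscribeURL']);
            return response('subscribed', 200);
        }

        $notification = json_decode($message['Message'], true) ?? [];
        foreach (self::parse($notification) as $row) {
            DB::table('mail_events')->insert($row);
        }

        return response('ok', 200);
    }

    /**
     * Flatten one SES notification into one row per affected recipient.
     * Feedback notifications carry 'notificationType' (Bounce, Complaint,
     * Delivery); configuration-set event publishing carries 'eventType'
     * (Send, Open, Click, ...), which the default branch covers.
     */
    public static function parse(array $n): array
    {
        $type = $n['notificationType'] ?? $n['eventType'] ?? 'Unknown';
        $base = [
            'message_id' => $n['mail']['messageId'] ?? null,
            'event_type' => $type,
            'sub_type'   => null,
            'raw'        => json_encode($n),
        ];

        switch ($type) {
            case 'Bounce':
                // e.g. "Permanent/General": the value to feed a suppression list.
                $base['sub_type'] = ($n['bounce']['bounceType'] ?? '?')
                    . '/' . ($n['bounce']['bounceSubType'] ?? '?');
                $recipients = array_column($n['bounce']['bouncedRecipients'] ?? [], 'emailAddress');
                $at = $n['bounce']['timestamp'] ?? null;
                break;
            case 'Complaint':
                $base['sub_type'] = $n['complaint']['complaintFeedbackType'] ?? null;
                $recipients = array_column($n['complaint']['complainedRecipients'] ?? [], 'emailAddress');
                $at = $n['complaint']['timestamp'] ?? null;
                break;
            case 'Delivery':
                $recipients = $n['delivery']['recipients'] ?? [];
                $at = $n['delivery']['timestamp'] ?? null;
                break;
            default:
                // Attribute other event kinds to the original destination list.
                $recipients = $n['mail']['destination'] ?? [];
                $at = $n['mail']['timestamp'] ?? null;
        }

        $rows = [];
        foreach ($recipients as $recipient) {
            $rows[] = $base + ['recipient' => $recipient, 'occurred_at' => $at];
        }
        return $rows;
    }
}
```

Register the route in `routes/api.php` (so the CSRF middleware does not reject SNS's POST) and point the SNS subscription at it. With the rows in place, the "did the email get delivered or not" question raised in comment 11 becomes a query on `mail_events` by `message_id`, and the `Permanent` bounces and complaints are exactly the addresses to stop mailing before the SES reputation dashboard that comment 3 mentions starts to dip.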
