We're experiencing difficulty. Our engineers are on it. Please check status.mailgun.com for real-time updates.

IP Allowlist

Article Preview

    Overview

    Do you feel the need to secure API access to your account? Well so do we! Because of this, we've implemented the IP allowlist settings, where you can specify the IPs that have permission to access the API or SMTP.  When utilizing the IP allowlist, only the IPs you have specified will be able to connect using the API or SMTP. 

    Important Note:
    As of April 2024, we have expanded this functionality to include SMTP connections as well. What this means is that for any IP listed on the IP allowlist, both HTTP API and SMTP connections with proper authentication will be allowed to send messages through your domain(s).

    If you do not want to permit one type of traffic (either HTTP API or SMTP), you will need to remove the respective IP(s) from the IP allowlist. Phrased differently, there is not a means to accept only one type of traffic - while rejecting the other type of traffic - for IPs on the IP allowlist.

     

    Adding an IP to the IP allowlist

    To add an IP to the the IP allowlist, please refer to the below steps.

    1. First, log in to the Mailgun Control Panel (if you have not already done so).
    2. Then, at the top-right corner of the page, click the Profile drop-down menu to expand its list of options.
    3. Next, click the IP Access Management option. Alternatively, you can use this direct link
    4. Click the Add IP addresses button. 
    5. Finally, enter the IP address or CIDR range as well as a description before clicking the Save button.

     

    Troubleshooting issues with the IP allowlist

    Most particularly 1) if your IP allowlist has contained IPs and/or IP ranges prior to April 2024 and 2) you are sending messages using SMTP, you may be encountering errors when attempting to send a message. If so, these errors are likely related to the April 2024 change discussed in the Overview section.

    The wording of these errors vary widely, just as SMTP clients vary widely, but Mailgun itself issues a 535 Authentication failed error in the SMTP session while a 401 Forbidden error pertains to HTTP API responses. However, email applications/clients don't always pass the exact Mailgun error back to you. Instead, they may show you their own version of the error. A sample of how various SMTP clients describe what is ultimately an authentication error includes:

    • SMTP Error: Could not authenticate
    • Authorization is failing
    • Failed to authenticate on SMTP server
    • Unable to authenticate during send
    • SASL authentication failed
    • Authentication required but authentication attempt(s) failed
    • Unable to read data from the transport connection: net_io_connectionclosed
    • Service closing transmission channel - command timeout
    • Connection unexpectedly closed
    • Remote SMTP server has rejected address
    • Relay access denied

    The most ideal solution to resolve this error will be to find the IP(s) that your SMTP application/client uses and then add those IP(s) to Mailgun's IP allowlist. As a reminder, any IP listed on the IP allowlist will be allowed to connect to Mailgun using both HTTP API and SMTP; there's not a way to disallow HTTP API access, while allowing SMTP access, for an IP on the allowlist.

     

    Need Support?

    Our Support Team here at Sinch Mailgun is happy to help! Reach out to us in the Support section of your Mailgun Control Panel, and we'll be with you shortly!