Overview
As part of our ongoing security improvements, Mailgun will be updating the set of TLS cipher suites supported by our api.mailgun.net and api.eu.mailgun.net API endpoints in early April 2026.
What’s changing?
On Monday, April 6, we will remove support for the following TLS cipher suites:
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
What is the impact?
If your client (or any intermediary proxy/load balancer) is configured to offer only cipher suites from the list above, it will no longer be able to establish a TLS connection to api.mailgun.net or api.eu.mailgun.net after the change. API requests from such clients will fail because the TLS handshake cannot agree on a cipher suite.
Mailgun will continue to support the following TLS cipher suites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
What next steps should you take?
Please confirm that your API client(s) and any TLS-terminating infrastructure can negotiate one of the supported cipher suites above. In most cases, this can be addressed by:
- Updating your TLS library / runtime (e.g., OpenSSL, Java, .NET, Node, Python runtime)
- Updating or reconfiguring load balancers, proxies, or API gateways that enforce a restricted cipher list
- Removing hard-coded / pinned cipher suite settings that exclude the supported ciphers
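One way to run this check for a Python client, as an added example that is not Mailgun's code: it compares the cipher suites the local `ssl` runtime offers with the two lists in this notice. The function names, verdict labels and the pinned list in the demo are assumptions made for the illustration; the OpenSSL names are the standard equivalents of the IANA names listed here.

```python
import ssl

# IANA name -> OpenSSL name for the suites listed in the notice.
SUPPORTED = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
}
REMOVED = {
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "ECDHE-RSA-AES128-SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256": "AES128-GCM-SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384": "AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "AES128-SHA256",
}


def classify(offered):
    """Compare the OpenSSL cipher names a client offers with the notice's lists."""
    offered = set(offered)
    kept = sorted(i for i, o in SUPPORTED.items() if o in offered)
    dropped = sorted(i for i, o in REMOVED.items() if o in offered)
    listed = set(SUPPORTED.values()) | set(REMOVED.values())
    if kept:
        verdict = "ok"                # at least one suite that stays supported
    elif dropped:
        verdict = "removed-only"      # only removed suites among those the notice lists
    else:
        verdict = "no-listed-suite"   # nothing from either list is offered
    # Suites the notice does not mention (e.g. TLS 1.3 suites) are reported, not judged.
    return {"verdict": verdict, "supported": kept, "removed": dropped,
            "unlisted": sorted(offered - listed)}


def audit_cipher_string(cipher_string=None):
    """Expand an OpenSSL cipher string with the local runtime, then classify it."""
    ctx = ssl.create_default_context()
    if cipher_string is not None:
        ctx.set_ciphers(cipher_string)  # ssl.SSLError if the string matches nothing
    return classify(c["name"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    print("runtime default:", audit_cipher_string())
    # Constructed pinned list that excludes both supported suites.
    print("pinned list:   ", classify(["AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA"]))
```

Pass `audit_cipher_string` the cipher string your application or proxy configuration actually pins to see how that list fares; a `removed-only` verdict is the configuration to change before the cutover.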
Need Support?
Our Support Team here at Sinch Mailgun is happy to help! Reach out to us in the Support page of your Mailgun Control Panel, and we'll be with you shortly!