Unable to send newsletter with correct Mailgun API Keys

I’ve tried a bunch of things but can’t seem to make this work.

Running Ghost 5.22.10 on my own subdomain. My company has been using Mailgun for years for other transactional e-mail and we have at least 10 different API keys for various things all currently working.

I created the API key for Ghost. Put it in the UI and entered all the information, but it just doesn’t work. The single emails from the production.json config is fine, this is the API part that isn’t working.

I get a 401: Forbidden error (see below) yet I have deleted and recreated the API key in Mailgun at least five times, and put the new ones in Ghost each time. Still nothing, always the 401 error, and nothing appears in the Mailgun logs either.

Anyone else have this problem?

NAME: EmailError
CODE: BULK_EMAIL_SEND_FAILED
MESSAGE: The email service received an error from mailgun and was unable to send.

level: normal

“Mailgun Error 401: Forbidden”
Email Newsletters — Ghost Developer Docs
EmailError: The email service received an error from mailgun and was unable to send.
at Object.send (/var/www/ghost/versions/5.22.10/core/server/services/bulk-email/bulk-email-processor.js:257:30)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
at async Object.sendTestEmail (/var/www/ghost/versions/5.22.10/core/server/services/mega/mega.js:110:22)
at async Object.query (/var/www/ghost/versions/5.22.10/core/server/api/endpoints/email-previews.js:74:20)
at async /var/www/ghost/versions/5.22.10/node_modules/@tryghost/api-framework/lib/http.js:64:28

[2022-11-15 16:19:32] ERROR “POST /ghost/api/admin/email_previews/posts/6372a8bbc4e06b1f25882982/” 500 694ms

1 Like

The 401 error in this case is coming from Mailgun’s API.

Double check that your domain, region, and API key are all correct. If they are, you’re best off asking them what’s happening.

They don’t expose API calls or errors in the UI & the responses don’t contain any details, reasons or explanations for the errors, but their support team have more details about what is causing the error.

1 Like

I asked and they replied with the blockquote text below. I’ve checked each one of these and none of them are the issue, except for the fact I cannot confirm that “api” is the username being sent to the Mailgun service.

How can I view the outbound request being made to Mailgun from Ghost?

Blockquote

  1. Incorrect API key
  • Please double-check that there are no zero-width Unicode characters included; this can happen when you copy and paste the API key from our website sometimes
  • Check it is a valid Private/Sending API key
  1. Incorrect API username ( ‘api’ is the correct username)
  • Example: ‘api:YOUR_API_KEY’
  1. Incorrect domain name
  • Check the domain/subdomain is correctly spelled
  • Ensure the domain/subdomain is verified on the account
  1. If utilizing Whitelist, you are making an API request from an originating IP that is not on your IP Whitelist
  • If API key whitelisting has at least one IP address on it, all other IPs not on the list will fail
  1. Incorrect region endpoint
  • Depending on which region the domain has been set up/verified in please make sure you are using the correct endpoint.
  • Example: do not use a domain created in the US with the EU endpoint [api.eu.mailgun.net]

Yes, we use api as the username: Ghost/mailgun-client.js at 92585e5ed2b3dbe5b806e2a8197d9724e95f44ff · TryGhost/Ghost · GitHub

We also send all requests via their SDK.

1 Like

Still trying to troubleshoot, have an open ticket with them. I’m pretty advanced when it comes to system administration and this stuff.

I’ve destroyed the droplet and installed a fresh instance of Ghost 5.22.11, with all updates on the server for Ubuntu 22.04.1 LTS. Deleted all the keys at DO, and reconfigured everything. Still getting the same 401 Forbidden error when trying to use the Mailgun API.

I have an open ticket with them, and will post back here in case there is resolution.

Thank you!!!

RESOLVED:

Apparently, there are two separate ways to create API keys in the Mailgun service as follows:

  1. Through Sending > Domain Settings > Sending API keys
  2. Through Account > API Keys

This isn’t clear in the Ghost documentation which one is required, although the link in the Ghost UI does take you to the correct screen in Mailgun but I didn’t use that link, I navigated in the Mailgun UI to the newer version of API keys. The one Ghost is using is the v3.

#1 above allows you to create individual keys for the v4 service for each of your domains.
#2 is an overall private API key that is used for the entire Mailgun account. Their v3 service.

Ghost wants #2. I was using #1.

All set now. It works.

4 Likes

any idea how this works today? these settings are no longer visible in the ghost interface! where would one put the API code, or is ghost auto-configuring this? i’ve got a message out to support as well, though remain confused.

on a related aside, did you leave your from address as noreply@

Just to add, the link within Ghost settings to the Mailgun API page and shown here is currently wrong and needs updating

It currently links to https://app.mailgun.com/app/account/security/api_keys but the correct link is https://app.mailgun.com/settings/api_security

I’ve reported that issue here Link to get Mailgun API key within Ghost setting is wrong · Issue #18630 · TryGhost/Ghost · GitHub

Also, be sure to whitelist your IP at https://app.mailgun.com/settings/api_security/ip_allow_list too or it won’t work.

I have a similar issue. eaning that ghost interface says that post has been sent but I see no activity in the MailGun Logs on mailgun website.

After I while I see this error:
image

But it is too generic.

I have created and added the API key from the link you mention (Mailgun by Sinch) and I do not know what is wrong.

SMTP transactional mails do work fine, instead.

Can someone help me troubleshooting?

Ghost 5.82.2

The answer to what’s the issue will be in your server logs (using ghost log):

Why is it not possible to use the domain specific api key? I used to work at Mailgun, and I won’t speak for them, but I’ll definitely say that using domain level api keys reduces the scope of anything happening if your key is leaked for a single ghost project. Hopefully we’re all well into our 100th ghost site and not having to worry about one key messing things up. The alternative is client specific mailgun accounts but that seems unnecessary. As a customer of mailgun, I will say, they have done what I needed from a security standpoint. The domain sending keys. I don’t think they should change their account keys to be restricted per domain. I guess I’m saying, please add support for domain specific keys.

It’s been a while, but from my recollection, Ghost requires an API key instead of domain sending key because it needs to be able to retrieve email analytics, which a domain sending key doesn’t allow.

1 Like