I’ve tried a bunch of things but can’t seem to make this work.
Running Ghost 5.22.10 on my own subdomain. My company has been using Mailgun for years for other transactional e-mail and we have at least 10 different API keys for various things all currently working.
I created the API key for Ghost. Put it in the UI and entered all the information, but it just doesn’t work. The single emails from the production.json config is fine, this is the API part that isn’t working.
I get a 401: Forbidden error (see below) yet I have deleted and recreated the API key in Mailgun at least five times, and put the new ones in Ghost each time. Still nothing, always the 401 error, and nothing appears in the Mailgun logs either.
Anyone else have this problem?
NAME: EmailError
CODE: BULK_EMAIL_SEND_FAILED
MESSAGE: The email service received an error from mailgun and was unable to send.
level: normal
“Mailgun Error 401: Forbidden”
“Email Newsletters — Ghost Developer Docs”
EmailError: The email service received an error from mailgun and was unable to send.
at Object.send (/var/www/ghost/versions/5.22.10/core/server/services/bulk-email/bulk-email-processor.js:257:30)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
at async Object.sendTestEmail (/var/www/ghost/versions/5.22.10/core/server/services/mega/mega.js:110:22)
at async Object.query (/var/www/ghost/versions/5.22.10/core/server/api/endpoints/email-previews.js:74:20)
at async /var/www/ghost/versions/5.22.10/node_modules/@tryghost/api-framework/lib/http.js:64:28
The 401 error in this case is coming from Mailgun’s API.
Double check that your domain, region, and API key are all correct. If they are, you’re best off asking them what’s happening.
They don’t expose API calls or errors in the UI & the responses don’t contain any details, reasons or explanations for the errors, but their support team have more details about what is causing the error.
I asked and they replied with the blockquote text below. I’ve checked each one of these and none of them are the issue, except for the fact I cannot confirm that “api” is the username being sent to the Mailgun service.
How can I view the outbound request being made to Mailgun from Ghost?
Blockquote
Incorrect API key
Please double-check that there are no zero-width Unicode characters included; this can happen when you copy and paste the API key from our website sometimes
Check it is a valid Private/Sending API key
Incorrect API username ( ‘api’ is the correct username)
Example: ‘api:YOUR_API_KEY’
Incorrect domain name
Check the domain/subdomain is correctly spelled
Ensure the domain/subdomain is verified on the account
If utilizing Whitelist, you are making an API request from an originating IP that is not on your IP Whitelist
If API key whitelisting has at least one IP address on it, all other IPs not on the list will fail
Incorrect region endpoint
Depending on which region the domain has been set up/verified in please make sure you are using the correct endpoint.
Example: do not use a domain created in the US with the EU endpoint [api.eu.mailgun.net]
Still trying to troubleshoot, have an open ticket with them. I’m pretty advanced when it comes to system administration and this stuff.
I’ve destroyed the droplet and installed a fresh instance of Ghost 5.22.11, with all updates on the server for Ubuntu 22.04.1 LTS. Deleted all the keys at DO, and reconfigured everything. Still getting the same 401 Forbidden error when trying to use the Mailgun API.
I have an open ticket with them, and will post back here in case there is resolution.
Apparently, there are two separate ways to create API keys in the Mailgun service as follows:
Through Sending > Domain Settings > Sending API keys
Through Account > API Keys
This isn’t clear in the Ghost documentation which one is required, although the link in the Ghost UI does take you to the correct screen in Mailgun but I didn’t use that link, I navigated in the Mailgun UI to the newer version of API keys. The one Ghost is using is the v3.
#1 above allows you to create individual keys for the v4 service for each of your domains. #2 is an overall private API key that is used for the entire Mailgun account. Their v3 service.
any idea how this works today? these settings are no longer visible in the ghost interface! where would one put the API code, or is ghost auto-configuring this? i’ve got a message out to support as well, though remain confused.
on a related aside, did you leave your from address as noreply@
Why is it not possible to use the domain specific api key? I used to work at Mailgun, and I won’t speak for them, but I’ll definitely say that using domain level api keys reduces the scope of anything happening if your key is leaked for a single ghost project. Hopefully we’re all well into our 100th ghost site and not having to worry about one key messing things up. The alternative is client specific mailgun accounts but that seems unnecessary. As a customer of mailgun, I will say, they have done what I needed from a security standpoint. The domain sending keys. I don’t think they should change their account keys to be restricted per domain. I guess I’m saying, please add support for domain specific keys.
It’s been a while, but from my recollection, Ghost requires an API key instead of domain sending key because it needs to be able to retrieve email analytics, which a domain sending key doesn’t allow.