Why does ghost need the global (and not the domain bound) mailgun API key?

Mailgun has dedicated API keys per domain, allowing sending only from that specific domain.

However ghost requires sending mails with the global API key. Why is that? It seems like an unnecessary security risk to give ghost access to everything…

Ghost uses the Mailgun API for the analytics features and managing list cleanliness neither of which is possible with just the sending API key.


Understood and I think it is a valid point. Thank you for clarifying!

1 Like