Skip to content
Latchkey

Mailgun sandbox domain "recipient not authorized" in CI

Mailgun sandbox domains (the sandboxNNN.mailgun.org given to new accounts) can only send to Authorized Recipients you have explicitly verified. Sending a CI notification to any other address returns a 400 explaining the recipient is not authorized.

What this error means

A Mailgun send from the sandbox domain returns HTTP 400 with a message that free accounts or sandbox domains can only send to authorized recipients. The team distribution list never receives the mail.

Mailgun API
< HTTP/1.1 400 BAD REQUEST
{"message": "Sandbox subdomains are for test purposes only. Please add your own domain or add the address to authorized recipients in Account Settings."}

Common causes

Sending from the sandbox domain

The MAILGUN_DOMAIN is the sandbox subdomain, which restricts delivery to a short list of manually authorized recipients.

The CI recipient was never authorized

A team alias or distribution list is not on the sandbox Authorized Recipients list, so it is blocked.

How to fix it

Add and verify your own domain

  1. Add a real sending domain in Mailgun and complete DNS verification.
  2. Point MAILGUN_DOMAIN at the verified domain.
  3. Re-run the notify step; recipients are no longer restricted.
Terminal
MAILGUN_DOMAIN=mg.example.com  # verified, not the sandbox

Authorize recipients for temporary sandbox use

For quick tests, add each recipient under Authorized Recipients and have them confirm the invite.

Mailgun
# Account Settings -> Sending -> Authorized Recipients -> add + confirm

How to prevent it

  • Use a verified custom domain for CI notifications, not the sandbox.
  • Keep sandbox domains for local experiments only.
  • Confirm the recipient list before wiring the workflow.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →