Mailgun sandbox domain "recipient not authorized" in CI
Mailgun sandbox domains (the sandboxNNN.mailgun.org given to new accounts) can only send to Authorized Recipients you have explicitly verified. Sending a CI notification to any other address returns a 400 explaining the recipient is not authorized.
What this error means
A Mailgun send from the sandbox domain returns HTTP 400 with a message that free accounts or sandbox domains can only send to authorized recipients. The team distribution list never receives the mail.
< HTTP/1.1 400 BAD REQUEST
{"message": "Sandbox subdomains are for test purposes only. Please add your own domain or add the address to authorized recipients in Account Settings."}Common causes
Sending from the sandbox domain
The MAILGUN_DOMAIN is the sandbox subdomain, which restricts delivery to a short list of manually authorized recipients.
The CI recipient was never authorized
A team alias or distribution list is not on the sandbox Authorized Recipients list, so it is blocked.
How to fix it
Add and verify your own domain
- Add a real sending domain in Mailgun and complete DNS verification.
- Point
MAILGUN_DOMAINat the verified domain. - Re-run the notify step; recipients are no longer restricted.
MAILGUN_DOMAIN=mg.example.com # verified, not the sandboxAuthorize recipients for temporary sandbox use
For quick tests, add each recipient under Authorized Recipients and have them confirm the invite.
# Account Settings -> Sending -> Authorized Recipients -> add + confirmHow to prevent it
- Use a verified custom domain for CI notifications, not the sandbox.
- Keep sandbox domains for local experiments only.
- Confirm the recipient list before wiring the workflow.