Mandrill Webhooks and Inbound Email¶
Mandrill webhooks are used for notification about outbound messages (bounces, clicks, etc.), and also for delivering inbound email processed through Mandrill.
Djrill includes optional support for Mandrill’s webhook notifications. If enabled, it will send a Django signal for each event in a webhook. Your code can connect to this signal for further processing.
Webhooks are ordinary urls—they’re wide open to the internet. You must take steps to secure webhooks, or anyone could submit random (or malicious) data to your app simply by invoking your webhook URL. For security:
- Your webhook should only be accessible over SSL (https). (This is beyond the scope of Djrill.)
- Your webhook must include a random, secret key, known only to your app and Mandrill. Djrill will verify calls to your webhook, and will reject calls without the correct key.
- You can, optionally include the two settings
DJRILL_WEBHOOK_URLto enforce webhook signature checking
To enable Djrill webhook processing you need to create and set a webhook secret in your project settings, include the Djrill url routing, and then add the webhook in the Mandrill control panel.
In your project’s
settings.py, add a
DJRILL_WEBHOOK_SECRET = "<create your own random secret>"
substituting a secret you’ve generated just for Mandrill webhooks. (Do not use your Mandrill API key or Django SECRET_KEY for this!)
An easy way to generate a random secret is to run the command below in a shell:
$ python -c "from django.utils import crypto; print crypto.get_random_string(16)"
In your base
urls.py, add routing for the Djrill urls:
urlpatterns = patterns('', ... url(r'^djrill/', include(djrill.urls)), )
Now you need to tell Mandrill about your webhook:
- For receiving events on sent messages (e.g., bounces or clickthroughs), you’ll do this in Mandrill’s webhooks control panel.
- For setting up inbound email through Mandrill, you’ll add your webhook to Mandrill’s inbound settings under “Routes” for your domain.
- And if you want both, you’ll need to add the webhook in both places.
In all cases, the “Post to URL” is
https://yoursite.example.com/djrill/webhook/?secret=your-secretsubstituting your app’s own domain, and changing your-secret to the secret you created in step 1.
(For sent-message webhooks, don’t forget to tick the “Trigger on Events” checkboxes for the events you want to receive.)
Once you’ve completed these steps and your Django app is live on your site, you can use the Mandrill “Test” commands to verify your webhook configuration. Then see the next section for setting up Django signal handlers to process the webhooks.
Incidentally, you have some control over the webhook url.
If you’d like to change the “djrill” prefix, that comes from
the url config in step 2. And if you’d like to change
the name of the “secret” query string parameter, you can set
DJRILL_WEBHOOK_SECRET_NAME in your
For extra security, Mandrill provides a signature in the request header
X-Mandrill-Signature. If you want to verify this signature, you need to provide
DJRILL_WEBHOOK_SIGNATURE_KEY with the webhook-specific
signature key that can be found in the Mandrill admin panel and
DJRILL_WEBHOOK_URL where you should enter the exact URL, including
that you entered in Mandrill when creating the webhook.
Once you’ve enabled webhooks, Djrill will send a
custom Django signal for each Mandrill event it receives.
You can connect your own receiver function to this signal for further processing.
Be sure to read Django’s listening to signals docs for information on defining and connecting signal receivers.
from djrill.signals import webhook_event from django.dispatch import receiver @receiver(webhook_event) def handle_bounce(sender, event_type, data, **kwargs): if event_type == 'hard_bounce' or event_type == 'soft_bounce': print "Message to %s bounced: %s" % ( data['msg']['email'], data['msg']['bounce_description'] ) @receiver(webhook_event) def handle_inbound(sender, event_type, data, **kwargs): if event_type == 'inbound': print "Inbound message from %s: %s" % ( data['msg']['from_email'], data['msg']['subject'] ) @receiver(webhook_event) def handle_whitelist_sync(sender, event_type, data, **kwargs): if event_type == 'whitelist_add' or event_type == 'whitelist_remove': print "Rejection whitelist update: %s email %s (%s)" % ( data['action'], data['reject']['email'], data['reject']['reason'] )
Note that your webhook_event signal handlers will be called for all Mandrill
webhook callbacks, so you should always check the
event_type param as shown
in the examples above to ensure you’re processing the expected events.
Mandrill batches up multiple events into a single webhook call. Djrill will invoke your signal handler once for each event in the batch.