Mandrill Webhooks and Inbound Email

Mandrill webhooks are used for notification about outbound messages (bounces, clicks, etc.), and also for delivering inbound email processed through Mandrill.

Djrill includes optional support for Mandrill’s webhook notifications. If enabled, it will send a Django signal for each event in a webhook. Your code can connect to this signal for further processing.


Webhook Security

Webhooks are ordinary urls—they’re wide open to the internet. You must take steps to secure webhooks, or anyone could submit random (or malicious) data to your app simply by invoking your webhook URL. For security:

  • Your webhook should only be accessible over SSL (https). (This is beyond the scope of Djrill.)
  • Your webhook must include a random, secret key, known only to your app and Mandrill. Djrill will verify calls to your webhook, and will reject calls without the correct key.
  • You can, optionally include the two settings DJRILL_WEBHOOK_SIGNATURE_KEY and DJRILL_WEBHOOK_URL to enforce webhook signature checking


To enable Djrill webhook processing you need to create and set a webhook secret in your project settings, include the Djrill url routing, and then add the webhook in the Mandrill control panel.

  1. In your project’s, add a DJRILL_WEBHOOK_SECRET:

    DJRILL_WEBHOOK_SECRET = "<create your own random secret>"

    substituting a secret you’ve generated just for Mandrill webhooks. (Do not use your Mandrill API key or Django SECRET_KEY for this!)

    An easy way to generate a random secret is to run the command below in a shell:

    $ python -c "from django.utils import crypto; print crypto.get_random_string(16)"
  2. In your base, add routing for the Djrill urls:

    urlpatterns = patterns('',
        url(r'^djrill/', include(djrill.urls)),
  3. Now you need to tell Mandrill about your webhook:

    • For receiving events on sent messages (e.g., bounces or clickthroughs), you’ll do this in Mandrill’s webhooks control panel.
    • For setting up inbound email through Mandrill, you’ll add your webhook to Mandrill’s inbound settings under “Routes” for your domain.
    • And if you want both, you’ll need to add the webhook in both places.

    In all cases, the “Post to URL” is substituting your app’s own domain, and changing your-secret to the secret you created in step 1.

    (For sent-message webhooks, don’t forget to tick the “Trigger on Events” checkboxes for the events you want to receive.)

Once you’ve completed these steps and your Django app is live on your site, you can use the Mandrill “Test” commands to verify your webhook configuration. Then see the next section for setting up Django signal handlers to process the webhooks.

Incidentally, you have some control over the webhook url. If you’d like to change the “djrill” prefix, that comes from the url config in step 2. And if you’d like to change the name of the “secret” query string parameter, you can set DJRILL_WEBHOOK_SECRET_NAME in your

For extra security, Mandrill provides a signature in the request header X-Mandrill-Signature. If you want to verify this signature, you need to provide the settings DJRILL_WEBHOOK_SIGNATURE_KEY with the webhook-specific signature key that can be found in the Mandrill admin panel and DJRILL_WEBHOOK_URL where you should enter the exact URL, including that you entered in Mandrill when creating the webhook.

Webhook Notifications

Once you’ve enabled webhooks, Djrill will send a djrill.signals.webhook_event custom Django signal for each Mandrill event it receives. You can connect your own receiver function to this signal for further processing.

Be sure to read Django’s listening to signals docs for information on defining and connecting signal receivers.


from djrill.signals import webhook_event
from django.dispatch import receiver

def handle_bounce(sender, event_type, data, **kwargs):
    if event_type == 'hard_bounce' or event_type == 'soft_bounce':
        print "Message to %s bounced: %s" % (

def handle_inbound(sender, event_type, data, **kwargs):
    if event_type == 'inbound':
        print "Inbound message from %s: %s" % (

def handle_whitelist_sync(sender, event_type, data, **kwargs):
    if event_type == 'whitelist_add' or event_type == 'whitelist_remove':
        print "Rejection whitelist update: %s email %s (%s)" % (

Note that your webhook_event signal handlers will be called for all Mandrill webhook callbacks, so you should always check the event_type param as shown in the examples above to ensure you’re processing the expected events.

Mandrill batches up multiple events into a single webhook call. Djrill will invoke your signal handler once for each event in the batch.

The available fields in the data param are described in Mandrill’s documentation: sent-message webhooks, inbound webhooks, and whitelist/blacklist sync webooks.