Webhooks
SES publishes every lifecycle event to an SNS topic, which POSTs to /api/webhooks/ses. Mailgrid then writes to D1 and updates suppressions.
Webhook endpoint
POST /api/webhooks/ses
Authentication: SNS signature verification (no Bearer token).
Setup
- In SES console: Configuration sets → Create (e.g.
inboxos-prod). - Open the set → Event destinations → Add destination.
- Event types: tick Send, Delivery, Bounce, Complaint, Open, Click, Reject, Rendering failure, Delivery delay.
- Destination: Amazon SNS → Create new topic (e.g.
mailgrid-events). - Open the SNS topic → Create subscription:
- Protocol: HTTPS
- Endpoint:
https://api.mailgrid.space/api/webhooks/ses
- SNS posts a confirmation message; the Mailgrid endpoint auto-confirms it.
What happens when an event arrives
- SNS posts the event JSON to the webhook.
- Mailgrid verifies the SNS signature (against AWS's signing cert).
- The payload is enqueued into a Cloudflare Queue.
- Webhook returns
200 OKimmediately. - Queue consumer parses the SNS payload and writes an event row to D1.
- If the event is
BounceorComplaint, the recipient is added tosuppressions. - On consumer failure, the message goes to the DLQ (
inboxos-webhooks-dlq) after 5 retries.
SNS event types we handle
| SNS type | Mailgrid event | Side effect |
|---|---|---|
Send | sent | Confirms send accepted |
Delivery | delivered | Mailbox provider accepted |
Bounce | bounced | Suppress recipient |
Complaint | complained | Suppress recipient |
Open | opened | — |
Click | clicked | — |
Reject | rejected | — |
Optional shared secret
Set WEBHOOK_SHARED_SECRET as a Worker secret to gate the endpoint behind X-Webhook-Secret in addition to SNS signature verification.