Mailgun

mailgun sandbox not sending email

Mailgun sandbox domains only deliver to Authorized Recipients, returning 403 for all others. Verify recipients in Domain Settings or add a custom domain.

Updated Jul 1, 2026

The short answer

Mailgun sandbox domains (sandboxXXXX.mailgun.org) are test-only: they reject any message whose recipient is not on the domain's Authorized Recipients list, returning a 403 "Sandbox subdomains are for test purposes only" error. Fix it by adding the recipient under Domain Settings and having them click the activation link to verify, or by adding and verifying your own custom sending domain.

Mailgun gives every account a free sandbox domain (e.g. sandboxabc123.mailgun.org) so you can test the API immediately without setting up DNS. The trade-off: a sandbox domain will only deliver to addresses you have explicitly added as Authorized Recipients, and only after each address has verified itself by clicking an activation link. Sends to anyone else are rejected.

What causes "Mailgun sandbox not sending email"?

When you send to an address that is not an activated authorized recipient on the sandbox domain, Mailgun rejects the message immediately with an HTTP 403 and a body like:

Sandbox subdomains are for test purposes only. Please add your own
domain or add the address to authorized recipients in Account Settings.

The failure is not silent at the API level — Mailgun returns this error synchronously on the send request. If you're not seeing that error in your own logs, it's usually because a wrapper library, CMS plugin, or queueing layer is swallowing or misreporting the response rather than because Mailgun itself reported success.

There are three distinct reasons a sandbox send fails this way:

  • The recipient was never added. Sandbox domains have no open delivery — the recipient address must be on the Authorized Recipients list.
  • The recipient was added but never activated. Adding an address sends it an invitation email. Until the person clicks the activation link, the recipient shows as Unverified and Mailgun still refuses to deliver. This is a common cause of "I added them but it still won't send."
  • You hit the 5-recipient cap. A sandbox domain allows a maximum of 5 authorized recipients. A 6th address cannot be authorized.

This is a Mailgun account/domain policy, not an SMTP or DNS failure. SPF/DKIM/DMARC are not involved, and there is nothing wrong with your message — the sandbox is doing exactly what it's designed to do.

How do I fix Mailgun sandbox not sending email?

To keep using the sandbox (testing):

  1. In the Mailgun Control Panel, select your sandbox domain (the long name starting with sandbox) from the domain dropdown.
  2. Open the domain's Setup / Authorized Recipients section, enter the recipient's email address, and click Add. (API equivalent: POST /v5/sandbox/auth_recipients with an email parameter.)
  3. Have the recipient open the invitation email and click the activation link. Confirm the recipient's status flips from Unverified to Verified / activated: true.
  4. Re-send. Keep total authorized recipients at or below 5.

To send to anyone (production):

The sandbox is not meant for real traffic. Add and verify your own custom domain instead — once you add the required DNS records (SPF, DKIM, and an MX/tracking CNAME) and the domain shows as verified, the authorized-recipient restriction is lifted and you can send to any address. If you send through Courier, configure the Mailgun provider with the API key for that verified domain rather than the sandbox domain.

If your code reports a success response yet nothing arrives, inspect the actual HTTP status and JSON body returned by Mailgun (or the message's Logs entry in the dashboard) — the 403 and the rejection reason are recorded there even when a wrapper library swallows them.

FAQ

Common questions

Adding an address to Authorized Recipients only sends it an invitation. Until that person clicks the activation link, the recipient stays Unverified and Mailgun rejects delivery with an HTTP 403 at send time. If your own logs show a success, check whether a wrapper library or queueing layer is masking that rejection — then check the recipient's status in the dashboard and have them activate, or inspect the message Logs for the 403.

One API, every provider

Stop debugging raw provider errors

Courier connects to your email, SMS, and push providers, handles retries and failover, and surfaces delivery errors in plain language.

Last reviewed Jul 1, 2026. Courier is not affiliated with third-party providers; error behavior may vary by implementation.