Mailgun
Mailgun sandbox domains only deliver to Authorized Recipients, returning 403 for all others. Verify recipients in Domain Settings or add a custom domain.
Updated Jul 1, 2026
The short answer
Mailgun sandbox domains (sandboxXXXX.mailgun.org) are test-only: they reject any message whose recipient is not on the domain's Authorized Recipients list, returning a 403 "Sandbox subdomains are for test purposes only" error. Fix it by adding the recipient under Domain Settings and having them click the activation link to verify, or by adding and verifying your own custom sending domain.
Mailgun gives every account a free sandbox domain (e.g. sandboxabc123.mailgun.org) so you can test the API immediately without setting up DNS. The trade-off: a sandbox domain will only deliver to addresses you have explicitly added as Authorized Recipients, and only after each address has verified itself by clicking an activation link. Sends to anyone else are rejected.
When you send to an address that is not an activated authorized recipient on the sandbox domain, Mailgun rejects the message immediately with an HTTP 403 and a body like:
Sandbox subdomains are for test purposes only. Please add your owndomain or add the address to authorized recipients in Account Settings.
The failure is not silent at the API level — Mailgun returns this error synchronously on the send request. If you're not seeing that error in your own logs, it's usually because a wrapper library, CMS plugin, or queueing layer is swallowing or misreporting the response rather than because Mailgun itself reported success.
There are three distinct reasons a sandbox send fails this way:
This is a Mailgun account/domain policy, not an SMTP or DNS failure. SPF/DKIM/DMARC are not involved, and there is nothing wrong with your message — the sandbox is doing exactly what it's designed to do.
To keep using the sandbox (testing):
sandbox) from the domain dropdown.POST /v5/sandbox/auth_recipients with an email parameter.)activated: true.To send to anyone (production):
The sandbox is not meant for real traffic. Add and verify your own custom domain instead — once you add the required DNS records (SPF, DKIM, and an MX/tracking CNAME) and the domain shows as verified, the authorized-recipient restriction is lifted and you can send to any address. If you send through Courier, configure the Mailgun provider with the API key for that verified domain rather than the sandbox domain.
If your code reports a success response yet nothing arrives, inspect the actual HTTP status and JSON body returned by Mailgun (or the message's Logs entry in the dashboard) — the 403 and the rejection reason are recorded there even when a wrapper library swallows them.
References
FAQ
Adding an address to Authorized Recipients only sends it an invitation. Until that person clicks the activation link, the recipient stays Unverified and Mailgun rejects delivery with an HTTP 403 at send time. If your own logs show a success, check whether a wrapper library or queueing layer is masking that rejection — then check the recipient's status in the dashboard and have them activate, or inspect the message Logs for the 403.
One API, every provider
Courier connects to your email, SMS, and push providers, handles retries and failover, and surfaces delivery errors in plain language.
Last reviewed Jul 1, 2026. Courier is not affiliated with third-party providers; error behavior may vary by implementation.
© 2026 Courier. All rights reserved.