django-anymail/docs/usage/webhooks.rst

.. _webhooks:

Mandrill Webhooks and Inbound Email
===================================

`Mandrill webhooks`_ are used for notification about outbound messages
(bounces, clicks, etc.), and also for delivering inbound email
processed through Mandrill.

Djrill includes optional support for Mandrill's webhook notifications.
If enabled, it will send a Django signal for each event in a webhook.
Your code can connect to this signal for further processing.

.. warning:: Webhook Security

    Webhooks are ordinary urls---they're wide open to the internet.
    You must take steps to secure webhooks, or anyone could submit
    random (or malicious) data to your app simply by invoking your
    webhook URL. For security:

    * Your webhook should only be accessible over SSL (https).
      (This is beyond the scope of Djrill.)

    * Your webhook must include a random, secret key, known only to your
      app and Mandrill. Djrill will verify calls to your webhook, and will
      reject calls without the correct key.

    * You can, optionally include the two settings :setting:`DJRILL_WEBHOOK_SIGNATURE_KEY`
      and :setting:`DJRILL_WEBHOOK_URL` to enforce `webhook signature`_ checking


.. _Mandrill webhooks: http://help.mandrill.com/entries/21738186-Introduction-to-Webhooks
.. _securing webhooks: http://apidocs.mailchimp.com/webhooks/#securing-webhooks
.. _webhook signature: http://help.mandrill.com/entries/23704122-Authenticating-webhook-requests

.. _webhooks-config:

Configuration
-------------

To enable Djrill webhook processing you need to create and set a webhook
secret in your project settings, include the Djrill url routing, and
then add the webhook in the Mandrill control panel.

1. In your project's :file:`settings.py`, add a :setting:`DJRILL_WEBHOOK_SECRET`:

   .. code-block:: python

      DJRILL_WEBHOOK_SECRET = "<create your own random secret>"

   substituting a secret you've generated just for Mandrill webhooks.
   (Do *not* use your Mandrill API key or Django SECRET_KEY for this!)

   An easy way to generate a random secret is to run the command below in a shell:

   .. code-block:: console

      $ python -c "from django.utils import crypto; print crypto.get_random_string(16)"


2. In your base :file:`urls.py`, add routing for the Djrill urls:

   .. code-block:: python

      urlpatterns = patterns('',
          ...
          url(r'^djrill/', include(djrill.urls)),
      )


3. Now you need to tell Mandrill about your webhook:

   * For receiving events on sent messages (e.g., bounces or clickthroughs),
     you'll do this in Mandrill's `webhooks control panel`_.
   * For setting up inbound email through Mandrill, you'll add your webhook
     to Mandrill's `inbound settings`_ under "Routes" for your domain.
   * And if you want both, you'll need to add the webhook in both places.

   In all cases, the "Post to URL" is
   :samp:`{https://yoursite.example.com}/djrill/webhook/?secret={your-secret}`
   substituting your app's own domain, and changing *your-secret* to the secret
   you created in step 1.

   (For sent-message webhooks, don't forget to tick the "Trigger on Events"
   checkboxes for the events you want to receive.)


Once you've completed these steps and your Django app is live on your site,
you can use the Mandrill "Test" commands to verify your webhook configuration.
Then see the next section for setting up Django signal handlers to process
the webhooks.

Incidentally, you have some control over the webhook url.
If you'd like to change the "djrill" prefix, that comes from
the url config in step 2. And if you'd like to change
the *name* of the "secret" query string parameter, you can set
:setting:`DJRILL_WEBHOOK_SECRET_NAME` in your :file:`settings.py`.

For extra security, Mandrill provides a signature in the request header
X-Mandrill-Signature. If you want to verify this signature, you need to provide
the settings :setting:`DJRILL_WEBHOOK_SIGNATURE_KEY` with the webhook-specific
signature key that can be found in the Mandrill admin panel and
:setting:`DJRILL_WEBHOOK_URL` where you should enter the exact URL, including
that you entered in Mandrill when creating the webhook.

.. _webhooks control panel: https://mandrillapp.com/settings/webhooks
.. _inbound settings: https://mandrillapp.com/inbound


.. _webhook-usage:

Webhook Notifications
---------------------

Once you've enabled webhooks, Djrill will send a ``djrill.signals.webhook_event``
custom `Django signal`_ for each Mandrill event it receives.
You can connect to this signal for further processing.
Examples:

.. code-block:: python

    from djrill.signals import webhook_event
    from django.dispatch import receiver

    @receiver(webhook_event)
    def handle_bounce(sender, event_type, data, **kwargs):
        if event_type == 'hard_bounce' or event_type == 'soft_bounce':
            print "Message to %s bounced: %s" % (
                data['msg']['email'],
                data['msg']['bounce_description']
            )

    @receiver(webhook_event)
    def handle_inbound(sender, event_type, data, **kwargs):
        if event_type == 'inbound':
            print "Inbound message from %s: %s" % (
                data['msg']['from_email'],
                data['msg']['subject']
            )

    @receiver(webhook_event)
    def handle_whitelist_sync(sender, event_type, data, **kwargs):
        if event_type == 'whitelist_add' or event_type == 'whitelist_remove':
            print "Rejection whitelist update: %s email %s (%s)" % (
                data['action'],
                data['reject']['email'],
                data['reject']['reason']
            )


Note that your webhook_event signal handlers will be called for all Mandrill
webhook callbacks, so you should always check the `event_type` param as shown
in the examples above to ensure you're processing the expected events.

Mandrill batches up multiple events into a single webhook call.
Djrill will invoke your signal handler once for each event in the batch.

The available fields in the `data` param are described in Mandrill's documentation:
`sent-message webhooks`_, `inbound webhooks`_, and `whitelist/blacklist sync webooks`_.

.. _Django signal: https://docs.djangoproject.com/en/stable/topics/signals/
.. _inbound webhooks:
    http://help.mandrill.com/entries/22092308-What-is-the-format-of-inbound-email-webhooks-
.. _sent-message webhooks: http://help.mandrill.com/entries/21738186-Introduction-to-Webhooks
.. _whitelist/blacklist sync webooks:
    https://mandrill.zendesk.com/hc/en-us/articles/205583297-Sync-Event-Webhook-format