Guide

Email APIs with Webhook Support Compared

SendGrid, Mailgun, and Postmark webhooks report on mail you sent. Nylas webhooks fire on mailbox activity: new messages, opens, link clicks, and replies. One command wires the triggers.

Written by Hazik, Director of Product Management

Reviewed by Qasim Muhammad

Verified · CLI 3.1.17 · Gmail, Outlook · last tested June 9, 2026

Command references: nylas webhook create, nylas webhook triggers, nylas webhook server, nylas webhook verify.

Which email APIs offer webhook support?

Every major email API offers webhooks, but they answer different questions. SendGrid, Mailgun, and Postmark send delivery-pipeline events about outbound mail their platform sent for you. Nylas sends mailbox events for connected Gmail, Outlook, and IMAP accounts: new messages, opens, link clicks, and replies, across 27 trigger types in 8 categories.

The distinction matters when you pick a provider. A transactional sender that needs bounce handling wants delivery events. An agent or CRM that reacts to incoming mail needs mailbox events, because SendGrid and Mailgun never see a reply that lands in your Gmail inbox. Postmark is the partial exception: its inbound message stream parses mail sent to a Postmark-hosted address and forwards it as JSON.

| API | Webhook model | Covers | Payload security |
|---|---|---|---|
| SendGrid | Event Webhook (batched JSON) | Outbound delivery + engagement | ECDSA signature (opt-in) |
| Mailgun | Per-event webhooks | Outbound delivery + engagement | HMAC-SHA256 over timestamp + token |
| Postmark | Per-server webhooks | Outbound events + inbound parse | HTTP basic auth + IP allowlist |
| Nylas | Mailbox triggers (27 types) | Inbound + outbound mailbox activity | HMAC-SHA256 signature header |

What webhook events do SendGrid, Mailgun, and Postmark send?

SendGrid, Mailgun, and Postmark webhooks track a sent message through the delivery pipeline. SendGrid's Event Webhook documents five delivery events (processed, dropped, delivered, deferred, bounce) plus engagement events for opens, clicks, spam reports, and unsubscribes. Each POST carries a JSON array, so one request can batch hundreds of events.

According to Twilio SendGrid's Event Webhook documentation, engagement events only fire when open and click tracking are enabled on the account. Mailgun's events documentation lists an equivalent set — accepted, rejected, delivered, failed, opened, clicked, unsubscribed, and complained — each delivered as an individual POST per event.

Postmark's webhooks overview documents webhooks for delivery, bounce, spam complaint, open, link click, and subscription change, plus an inbound webhook that parses incoming mail. What none of the three can tell you: whether a human replied. A reply goes to your mailbox, and these platforms don't connect to mailboxes.

What mailbox events can Nylas webhooks trigger on?

Nylas webhooks fire on activity inside a connected mailbox, rather than only on mail you sent through an API. The platform exposes 27 trigger types across 8 categories: 8 message triggers, plus thread, event, calendar, contact, folder, grant, and notetaker triggers. message.created fires for every message that arrives in or leaves the mailbox, regardless of which client sent it.

The triggers that close the loop for outreach and agent workflows are message.opened, message.link_clicked, and thread.replied. Here's the catch: per the Nylas notification schemas documentation, open and click notifications only fire for messages sent with tracking enabled. From the CLI that means sending with --track-opens and --track-links; untracked mail produces no engagement events.

The nylas webhook triggers command prints every trigger type your account can subscribe to, grouped by category. The --category message flag filters to the 8 message triggers, which include message.bounce_detected, message.send_success, and message.send_failed for delivery-status parity with the transactional platforms.

# List the 8 message-related triggers (27 total across all categories)
nylas webhook triggers --category message

How do I create an email webhook with the CLI?

Creating an email webhook with the Nylas CLI takes one command: nylas webhook create with a destination URL and at least one trigger. There's no dashboard round-trip and no subscription renewal job — unlike Microsoft Graph change notifications, which expire after a maximum of 10,080 minutes (under 7 days) for mail resources and must be renewed on a timer.

The command below subscribes one endpoint to four triggers: new messages, opens, link clicks, and replies. The --description flag labels the webhook for nylas webhook list output, and --notify registers an email address that gets alerted if the destination starts failing.

nylas webhook create \
  --url https://example.com/hooks/email \
  --triggers message.created,message.opened,message.link_clicked,thread.replied \
  --description "Outreach engagement webhook" \
  --notify admin@example.com

For local development, nylas webhook server runs a receiver on port 3000 (the default) and prints each event as it arrives. The --no-tunnel flag keeps it loopback-only so you can replay payloads with curl; without it, the CLI offers a cloudflared tunnel so real events can reach your laptop.

# Local receiver on port 3000, no public tunnel
nylas webhook server --no-tunnel --port 3000 --json

To test the full loop end to end, send yourself a tracked message with nylas email send --to you@example.com --subject "Webhook test" --body "ping" --track-opens --yes and open it. You should see a message.created event within a few seconds and a message.opened event when the tracking pixel loads. If neither arrives, nylas webhook list shows the subscription status, and nylas webhook show confirms which triggers the webhook is registered for.

How do I verify email webhook signatures?

Webhook signature verification proves a payload came from the email API and not from anyone who found your endpoint URL. Nylas and Mailgun both sign payloads with HMAC-SHA256, the keyed-hash construction defined in RFC 2104 (1997). SendGrid's Signed Event Webhook uses an ECDSA public key instead, and Postmark documents basic auth plus IP allowlisting rather than a signature.

Nylas sends the signature in the x-nylas-signature header, computed over the exact raw request body. The nylas webhook verify command checks a captured payload against that header offline, which is useful when a verification step in your receiver rejects events and you need to find out whether the secret or the body encoding is wrong. Don't reformat the JSON first; one re-encoded character changes the digest.

# Verify a captured payload against its x-nylas-signature header
nylas webhook verify \
  --payload-file ./payload.json \
  --signature "9d3e1f..." \
  --secret "$WEBHOOK_SECRET"

# Rotate the signing secret if it leaks
nylas webhook list
nylas webhook rotate-secret <webhook-id>
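
The same check on the receiver side, as an added example (not code from Nylas, Mailgun, or the original page). It assumes both signatures arrive hex-encoded; the function names, secret, and payload are constructed for illustration. It also shows why the raw body must be verified before any JSON parsing.

```python
import hashlib
import hmac
import json
from typing import Optional


def hex_hmac(key: str, msg: bytes) -> str:
    """HMAC-SHA256 (RFC 2104) as lowercase hex."""
    return hmac.new(key.encode(), msg, hashlib.sha256).hexdigest()


def verify_nylas(raw_body: bytes, signature: Optional[str], secret: str) -> bool:
    """Check the x-nylas-signature value against the raw request body.

    Assumption: the header carries the digest hex-encoded.
    """
    if not signature:
        return False  # unsigned requests are rejected, never passed through
    expected = hex_hmac(secret, raw_body)
    # Constant-time comparison on bytes; tolerates non-ASCII junk in the header.
    return hmac.compare_digest(expected.encode(), signature.strip().lower().encode())


def verify_mailgun(timestamp: str, token: str, signature: str, signing_key: str) -> bool:
    """Mailgun's digest covers timestamp + token, not the request body."""
    expected = hex_hmac(signing_key, (timestamp + token).encode())
    return hmac.compare_digest(expected.encode(), signature.strip().lower().encode())


def demo() -> dict:
    secret = "constructed-test-secret"  # constructed, not a real secret
    # Constructed payload: the bytes exactly as they would arrive on the wire.
    raw = b'{"type":"message.opened","data":{"subject":"caf\\u00e9"}}'
    sig = hex_hmac(secret, raw)
    # Parsing and re-serializing changes the spacing and the \u00e9 escape.
    reencoded = json.dumps(json.loads(raw), ensure_ascii=False).encode()
    return {
        "raw": verify_nylas(raw, sig, secret),
        "reencoded": verify_nylas(reencoded, sig, secret),
        "wrong_secret": verify_nylas(raw, sig, "some-other-secret"),
        "missing_header": verify_nylas(raw, None, secret),
    }


if __name__ == "__main__":
    print(demo())
```

In a web framework, read the request body as bytes and run the check before any JSON middleware touches it.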

Next steps