Skip to main content
When MailChannels detects a compromised account or a sender actively submitting spam, it can POST a JSON notification to an HTTP or HTTPS endpoint you control. This lets you trigger automated remediation — such as scrambling a password, suspending an account, or disabling a plugin — the moment abuse is detected, without requiring manual intervention. Customers who enable webhooks with automated account actions routinely reduce their total outbound volume by two-thirds, because blocked senders stop submitting messages entirely. Webhooks are a type of Alert Monitor and are available on Standard plan subscriptions and above.

What MailChannels sends

When a monitor condition is met, MailChannels sends an HTTP POST to your endpoint with a JSON payload in the following structure:
webhook payload
{
  "condition_name": "sender_id_sending_spam",
  "condition_description": "Sender ID is sending SPAM",
  "account_id": "myhostingcompany",
  "timestamp": "2024-08-15T14:23:00Z",
  "originator": "joe@example.com",
  "originator_type": "x-authuser",
  "sender_id": "myhostingcompany|x-authuser|joe@example.com",
  "ip": "203.0.113.42",
  "transaction_id": "abc123xyz",
  "envelope_sender": "joe@example.com",
  "message_id": "<unique-message-id@example.com>"
}
FieldDescription
condition_nameMachine-readable name of the alert condition that triggered the webhook
condition_descriptionHuman-readable description of the condition
account_idYour MailChannels account identifier
timestampISO 8601 timestamp of when the alert was generated
originatorThe sender hint — typically the authenticated username or email address
originator_typeThe type of sender hint (for example, x-authuser)
sender_idThe full sender ID string identifying the sender entity
ipThe IP address that submitted the message triggering the alert
transaction_idThe ID of the specific transaction that crossed the threshold
envelope_senderThe envelope MAIL FROM address of the triggering message
message_idThe Message-Id header value of the triggering message

Actions you can take

Your endpoint receives the sender_id and other identifying fields and can immediately take action. Common automated responses include:
  • Scramble the password for the account associated with originator, preventing the sender from authenticating further.
  • Block or suspend the account at the hosting control panel level.
  • Disable the sending plugin (for example, a WordPress mail plugin) if the originator_type indicates a script.
  • Rate-limit the account at the mail server level to contain the damage while a human investigates.
  • Create a support ticket or page an on-call engineer using the sender_id and condition_name fields.
The more aggressive your automated response, the greater the reduction in spam volume. Even a simple password scramble eliminates all further submissions from that sender without any manual work.

Configure a webhook monitor

1

Log in to the Host Console

Go to console.mailchannels.net and sign in.
2

Navigate to Monitors

Go to Outbound > Activity > Monitors and click Add Monitor.
3

Select the alert type

Choose the condition you want to monitor from the dropdown menu, such as Sender ID is sending SPAM or Sender ID blocked due to FBL reports.
4

Set the alert interval

Choose how frequently you want alerts to fire. The interval ranges from 1 to 24 hours. For compromised account detection, a 1-hour interval gives you the fastest response.
5

Switch to webhook delivery

Change the alert type from the default Email to Webhook.
6

Enter your webhook URL

Paste the full URL of your endpoint into the text box. Use https:// to ensure the payload is encrypted in transit. Your endpoint must be publicly reachable and able to return an HTTP 2xx response.
If you prefix your URL with http:// instead of https://, the payload is sent without SSL encryption. Always use https:// for production endpoints.
7

Enable and save

Check the Enabled box to activate the monitor, then click the green check mark to save it.

Test your endpoint

Before relying on the webhook in production, verify that your endpoint handles the payload correctly. You can test it from the command line with curl:
test webhook endpoint
curl -X POST https://your-endpoint.example.com/webhook \
  -H "Content-Type: application/json" \
  -d '{
    "condition_name": "sender_id_sending_spam",
    "condition_description": "Sender ID is sending SPAM",
    "account_id": "myhostingcompany",
    "timestamp": "2024-08-15T14:23:00Z",
    "originator": "joe@example.com",
    "originator_type": "x-authuser",
    "sender_id": "myhostingcompany|x-authuser|joe@example.com",
    "ip": "203.0.113.42",
    "transaction_id": "abc123xyz",
    "envelope_sender": "joe@example.com",
    "message_id": "<unique-message-id@example.com>"
  }'
Confirm your server logs show the request and that any automated action (account suspension, password change, etc.) fires as expected.

Routing webhook alerts to Slack

MailChannels webhook payloads cannot be sent directly to a Slack incoming webhook URL because Slack requires a different JSON format. To route alerts to Slack, use an intermediary service such as Zapier:
  1. Create a Zapier zap with a Webhooks by Zapier trigger (catch hook).
  2. Use the Zapier webhook URL as your MailChannels webhook destination.
  3. Add a Zapier action step that sends a formatted message to your Slack channel.
Webhooks require a Standard plan subscription or higher. If the Monitors section is not visible in your console, upgrade your subscription to unlock webhook notifications.