Fix Mailgun “Authentication Failed” Error: How to Find and Whitelist the Right Outbound IP

Published on 11/7/2025
MD Pabel
Read with ChatGPT

If you’ve ever integrated services like Mailgun, SendGrid, or Amazon SES, You might have seen one of these messages when trying to connect your website or application to Mailgun (or any SMTP-based email service):

“Request blocked — please whitelist your server’s IP.”
“Mailgun API Error”
“Forbidden”
“Authentication failed: 535 Incorrect authentication data”
“SMTP Error: Could not connect to SMTP host.”
“Authentication unsuccessful, the user name or password is incorrect.”
“Access denied. IP not allowed.”
“Connection timed out or refused by remote server.”
“Error 401: Unauthorized”
“Error 403: Forbidden”
“550 5.7.1 Relaying denied”
“535 5.7.8 Authentication credentials invalid”

You check your hosting panel, find your site’s IP address… but the email provider reports a completely different one!

So why are they different — and which one do you actually need to whitelist? Let’s clear up the confusion.

Inbound vs. Outbound IPs — The Key Difference

Every web server has two directions of communication:

  • Inbound IP → the address where visitors access your website (shown in your hosting control panel).
  • Outbound IP → the address your server uses when it sends requests to external services, APIs, or email servers.

They are often not the same — especially on shared or cloud hosting platforms.

Why Outbound IPs Are Different

Hosting providers such as SiteGround, Cloudways, Google Cloud, or AWS use a network setup called NAT (Network Address Translation). Here’s how it works:

  1. Your site has its own inbound IP (for incoming visitors).
  2. But all outbound traffic (like API calls or SMTP connections) goes through a shared gateway that has its own IP.

This shared gateway helps:

  • Control and monitor outgoing traffic.
  • Improve security and firewall filtering.
  • Provide better performance and redundancy.

So when your website sends a request to an external service like Mailgun, that service sees the outbound NAT IP, not your site’s visible IP.

Example: When Mailgun Blocks Your Request

Imagine this scenario:

You integrate Mailgun with your website to send emails. You test it — but Mailgun rejects the request, saying it came from a different IP.

You check your hosting dashboard and see one IP (for example, 123.45.67.89), but Mailgun says the request came from another (for example, 123.45.70.10).

In this case, Mailgun is correct. That second address (123.45.70.10) is your server’s outbound IP — the one you need to whitelist.

Mailgun’s IP Allowlist Update (April 2024)

Mailgun released a major update in April 2024 that affected how IP allowlisting works. Previously, the IP Allowlist only applied to API requests, but now it also covers SMTP connections. This change enhances account security but can cause confusion if your site’s outbound IP is not listed correctly.

According to Mailgun’s official support response, if your connecting client IP (the one your server uses for outbound connections) is not on your allowlist, your request will permanently fail and trigger an “Authentication Failed” or “Forbidden” error.

Here’s what you should do:

  1. Log in to your Mailgun account.
  2. Go to Profile → IP Access Management or visit Mailgun IP Access Management.
  3. Click the Add IP Addresses button.
  4. Enter your server’s outbound IP (you can find it using the method below).
  5. Add a short description (like “Site Outbound IP”) and save the entry.

Once added, Mailgun will allow your SMTP or API requests to go through without authentication errors.

If you previously had other IPs listed, but they’re no longer valid, you can remove them — or simply clear all entries to disable the allowlist entirely.

Official guide: Mailgun IP Allowlist Help Article.

How to Find Your Server’s Outbound IP

To successfully whitelist your server on Mailgun, you first need to identify your outbound IP. Here are three easy ways to do it:

Option 1: Using a Simple PHP Script

Create a file named whatsmyip.php in your site’s root folder and paste this code:

<?php echo file_get_contents('https://api.ipify.org'); ?>

Then visit: https://yourdomain.com/whatsmyip.php

It will display something like:

123.45.70.10

That’s your outbound IP — the one Mailgun (or any API) sees. Once you get it, delete the file for security.

Option 2: Using SSH Access

If you have SSH access to your hosting account, run this command:

curl https://api.ipify.org

It will return the same result — your outbound IP in plain text.

Option 3: Automate It for Multiple Sites

If you manage multiple websites, you can use this small PHP script to email you the outbound IP automatically:

<?php $ip = file_get_contents('https://api.ipify.org'); mail('you@yourdomain.com', 'Outbound IP', "Your server's outbound IP is: $ip"); ?>

This is handy when you maintain many client websites and need to whitelist IPs quickly.

Quick Reference Table

  • Inbound IP – Where visitors access your website (e.g., 123.45.67.89)
  • Outbound IP – Where your server connects from (e.g., 123.45.70.10)

In Summary

If a service like Mailgun or SendGrid reports that your request came from a different IP than expected — don’t panic. It’s normal on shared or managed hosting environments that use NAT routing.

Simply identify your outbound IP using one of the methods above and whitelist that address in Mailgun’s IP Access Management. Once done, your authentication errors will disappear, and you’ll be able to send emails smoothly again.

Frequently Asked Questions (FAQ)

1. Why can’t my hosting provider show me the outbound IP directly?

Most shared and cloud platforms use dynamic or shared outbound gateways that can change occasionally. That’s why they usually don’t list them in the control panel.

2. Will the outbound IP change over time?

Yes, it’s possible. If your hosting provider moves your site to another node or updates their network, your outbound IP might change. If Mailgun or another service stops working suddenly, check it again.

3. Is it safe to share or whitelist my outbound IP?

Yes — outbound IPs are public and visible whenever your server makes requests. Whitelisting it simply tells external services to allow your traffic.

4. What happens if multiple sites on the same server use the same outbound IP?

That’s completely normal. Many websites on the same node will share the same outbound IP for outgoing connections.

5. How can I make sure my outbound IP doesn’t change?

You’ll need a dedicated hosting environment or VPS. Dedicated servers or cloud instances with static IPs (like AWS Elastic IPs) guarantee the same inbound and outbound address.

6. Why did my Mailgun API or SMTP connection suddenly stop working?

Mailgun updated their security in April 2024 to include outbound IP verification. If your site’s outbound IP isn’t on the allowlist, Mailgun will reject the connection with a “Forbidden” or “Authentication Failed” error. Simply add your current outbound IP to the IP Access Management section in Mailgun.

Final Thoughts

Understanding the difference between inbound and outbound IPs — and keeping your Mailgun allowlist updated — helps prevent unnecessary API and SMTP connection issues. Next time you see an authentication error, test your outbound IP and whitelist it. It’s a quick fix that keeps your email system running smoothly.

Explore Our Security Services

WordPress Malware Removal

Professional WordPress malware removal to clean, secure & restore your hacked site fast — trusted by 2300+ clients.

Custom Website Development

Build a custom, responsive & SEO-optimized website or web app with modern tech — tailored to your business goals.

Fix WordPress Errors

Diagnose and fix WordPress site issues — fatal errors, performance problems, broken layouts, plugin conflicts and more.

About the Author

MD Pabel

MD Pabel

MD Pabel is the Founder and CEO of 3Zero Digital, a leading agency specializing in custom web development, WordPress security, and malware removal. With over 7+ Years years of experience, he has completed more than3200+ projects, served over 2300+ clients, and resolved4500+ cases of malware and hacked websites.

3Zero DigitalLinkedInGitHubLeetCodeHackerRankMediumDev.toX (Twitter)