Webhooks

Events in real time.

Get instant notifications about delivery events. Signed, retried, idempotent.

The 7 events

  • delivered - the recipient server accepted the message
  • bounced - rejected permanently (hard) or temporarily (soft)
  • deferred - the recipient asked us to retry later
  • opened - tracking pixel loaded (best-effort)
  • clicked - a tracked link was clicked
  • complaint - user marked it as spam
  • unsubscribe - user clicked the unsubscribe link

HMAC-SHA256 signature

Every webhook request includes the header X-Target-Signature: t=1715688000,v1=abc123.... To verify:

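// $ts and $signature are the t= and v1= values from X-Target-Signature; $rawBody is the raw, unparsed request body.
$payload = $ts . '.' . $rawBody;
$expected = hash_hmac('sha256', $payload, $WEBHOOK_SECRET);
// hash_equals() compares in constant time, so the check does not leak how many characters matched.
if (!hash_equals($expected, $signature)) abort(401);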

Reject requests whose timestamp is older than 5 minutes to prevent replay attacks.
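
A fuller receiver-side check, as an added example (not the provider's own code): it parses the header, verifies the HMAC over t.rawBody and enforces the 5-minute window. The function name, the constructed secret and body, and the choice to also reject timestamps more than 5 minutes in the future are assumptions.

```php
<?php
declare(strict_types=1);

const TOLERANCE_SECONDS = 300; // 5-minute replay window from the text above

// Hypothetical helper (name is an assumption): true only for a valid, fresh signature.
function verify_target_signature(string $header, string $rawBody, string $secret, int $now): bool
{
    // Parse "t=<unix ts>,v1=<hex hmac>" into a key => value map.
    $parts = [];
    foreach (explode(',', $header) as $item) {
        $kv = explode('=', trim($item), 2);
        if (count($kv) === 2) {
            $parts[$kv[0]] = $kv[1];
        }
    }
    // Missing or malformed fields fail closed.
    if (!isset($parts['t'], $parts['v1']) || !preg_match('/\A\d{1,12}\z/', $parts['t'])) {
        return false;
    }
    // Verify the MAC first: the timestamp is only trustworthy once the signature over it checks out.
    $expected = hash_hmac('sha256', $parts['t'] . '.' . $rawBody, $secret);
    if (!hash_equals($expected, $parts['v1'])) {
        return false;
    }
    // Reject stale timestamps (replays); rejecting far-future ones too is an added assumption.
    return abs($now - (int) $parts['t']) <= TOLERANCE_SECONDS;
}

// Constructed sample values: secret, body and timestamp are made up for this demo.
$secret = 'whsec_example_only';
$body   = '{"id":"evt_demo","type":"delivered"}';
$ts     = 1715688000;
$header = 't=' . $ts . ',v1=' . hash_hmac('sha256', $ts . '.' . $body, $secret);

var_dump(verify_target_signature($header, $body, $secret, $ts + 60));       // received 60 s after signing
var_dump(verify_target_signature($header, $body, $secret, $ts + 301));      // same request replayed 301 s later
var_dump(verify_target_signature($header, $body . ' ', $secret, $ts + 60)); // body altered after signing
var_dump(verify_target_signature('v1=deadbeef', $body, $secret, $ts));      // header without a timestamp
```

In a real endpoint, read the body with file_get_contents('php://input') before any JSON decoding and pass time() as $now; re-serialized JSON will not match the bytes that were signed.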

Retry policy

If your endpoint doesn't reply with 2xx within 10 seconds, we retry with exponential backoff: 30s, 2m, 10m, 30m, 1h, 2h, 4h. After 7 failed attempts the event is marked as failed and retained for 30 days for manual replay from the panel.

Sample payload

{
  "id":          "evt_8f4b...",
  "type":        "bounced",
  "occurred_at": "2026-05-14T10:23:00Z",
  "message": {
    "id":      "msg_a1b2c3",
    "from":    "noreply@yoursite.com",
    "to":      "user@example.com",
    "subject": "Welcome"
  },
  "bounce": {
    "type":   "hard",
    "code":   "550",
    "reason": "5.1.1 The email account does not exist"
  }
}