Two-Factor Authentication and Blacklist Webhooks

It's not Friday, but it's still time for some features! We've added two-factor authentication so you can protect your Mandrill account using Google Authenticator or YubiKey, and we've added blacklist webhooks so you can sync your Mandrill blacklist with your internal application database.

Two-Factor Authentication

For many applications, email is the most common and sometimes only way they talk to their users. An attacker seeing the contents of those messages or sending phishing emails can be devastating. To add another layer of security protecting your account, we now support two-factor authentication using Google Authenticator or YubiKey.

Adding two-factor authentication is simple. On the Username & Contact Information page, you choose the authentication service you'd like to use under Account security. Scan the Google Authenticator barcode or press the button on your YubiKey to connect your device.

That's it - from that point on all future logins will require access to your mobile device or YubiKey before being accepted. You can also get more detailed instructions in the knowledge base.

Blacklist Webhooks

Mandrill maintains a blacklist of email addresses that have bounced, unsubscribed, or generated spam complaints for your account, so that we can reject mail to those addresses without requiring you to maintain a blacklist in your own database. Sometimes, though, you might want fast, local access to your blacklist data, without having to run an export or query the API for individual addresses. To help with this, we've added two new webhook event types, blacklist and whitelist, so you can synchronize your Mandrill blacklist with your own local copy of the data.

We'll generate these events when an address is added to or removed from your blacklist or whitelist, or when a blacklist entry's duration is extended. These events show up in the mandrill_events POST parameter, like any other webhook event. However, because they relate to a specific blacklist entry instead of a message, the internal format of the new events is different from other webhook events. More detailed information about the webhook format is available here.
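A minimal sketch of the local synchronization described above, added here as an illustration and not taken from Mandrill's own code. The page names only the `mandrill_events` parameter and the `blacklist` and `whitelist` types, so the inner field names (`action`, `reject`, `entry`, `email`) and the action values are assumptions. It also assumes the surrounding web framework has already authenticated the request.

```python
import json
from urllib.parse import parse_qs, urlencode

# Assumed field names (not given on this page): "action", "reject", "entry", "email".
ENTRY_KEY = {"blacklist": "reject", "whitelist": "entry"}

def apply_sync_events(body, local):
    """Apply sync events from a form-encoded webhook body to `local`,
    a dict {"blacklist": {email: entry}, "whitelist": {email: entry}}.
    Returns the number of events applied; malformed input is skipped."""
    raw = parse_qs(body).get("mandrill_events", ["[]"])[0]
    try:
        events = json.loads(raw)
    except ValueError:
        return 0
    if not isinstance(events, list):
        return 0
    applied = 0
    for ev in events:
        kind = ev.get("type") if isinstance(ev, dict) else None
        if kind not in ENTRY_KEY:
            continue  # other webhook events share the same parameter
        entry = ev.get(ENTRY_KEY[kind])
        if not isinstance(entry, dict) or not isinstance(entry.get("email"), str):
            continue
        email = entry["email"].strip().lower()
        action = ev.get("action")
        if action == "remove":
            local[kind].pop(email, None)
        elif action in ("add", "change"):  # "change": entry duration extended
            local[kind][email] = entry
        else:
            continue
        applied += 1
    return applied

# Constructed sample payload, not captured from a real account.
SAMPLE_EVENTS = [
    {"type": "blacklist", "action": "add", "reject": {"email": "a@example.com", "expires_at": "2024-01-08 00:00:00"}},
    {"type": "blacklist", "action": "change", "reject": {"email": "a@example.com", "expires_at": "2024-02-08 00:00:00"}},
    {"type": "whitelist", "action": "add", "entry": {"email": "B@Example.com"}},
    {"type": "blacklist", "action": "add", "reject": {"email": "c@example.com"}},
    {"type": "blacklist", "action": "remove", "reject": {"email": "c@example.com"}},
    {"event": "send", "msg": {"email": "d@example.com"}},  # not a sync event
]
SAMPLE_BODY = urlencode({"mandrill_events": json.dumps(SAMPLE_EVENTS)})

if __name__ == "__main__":
    state = {"blacklist": {}, "whitelist": {}}
    print(apply_sync_events(SAMPLE_BODY, state), state)
```

Addresses are lowercased before they are used as keys, so the same address arriving in different cases maps to one local entry.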

Synchronizing your blacklist is entirely optional. If you're just interested in sending or receiving email, you probably don't need to worry about it at all. But if you want to integrate your blacklist more deeply with your data model, or you want to use your blacklist for more advanced reporting and analytics, these new event types will be very useful.