Labsco
openai logo

twilio-sendgrid-webhooks

✓ Official4,081

by openai · part of openai/plugins

Track email delivery and engagement via SendGrid Event Webhooks. Covers all 11 event types (delivery + engagement), webhook handler implementation, ECDSA signature verification, batched event processing, and common debugging patterns. Use when building SendGrid delivery tracking, engagement analytics, or bounce handling. Requires a SendGrid API key (SG.-prefix) — not applicable to the Twilio Email API (comms.twilio.com).

🧩 One of 7 skills in the openai/plugins package — works on its own, and pairs well with its siblings.

This is the playbook your agent receives when the skill activates — you don't need to read it to use the skill, but it's here to audit before installing.

Overview

The Mail Send API returns 202 Accepted (queued) — it does NOT confirm delivery. To know what happened to an email, use Event Webhooks.

Enable: SendGrid Console > Settings > Mail Settings > Event Notification


Event Types

Delivery Events

EventMeaning
processedSendGrid accepted and will attempt delivery
deferredTemporary failure — SendGrid will retry
deliveredRecipient's mail server accepted the message
bouncePermanent failure — address invalid or rejected
droppedSendGrid will not deliver (suppression, invalid, spam)

Engagement Events

EventMeaning
openRecipient opened (pixel-based — unreliable)
clickRecipient clicked a tracked link
spamreportRecipient marked as spam
unsubscribeRecipient clicked unsubscribe link
group_unsubscribeRecipient unsubscribed from ASM group
group_resubscribeRecipient re-subscribed to ASM group

Webhook Handler

Critical: SendGrid posts batched arrays of events, not single objects. Your handler must parse an array.

Security: SendGrid webhook endpoints are unauthenticated by default. Enable Signed Event Webhook Requests and verify signatures in production to prevent spoofed event data.

Python (Flask)

from flask import Flask, request
app = Flask(__name__)

@app.route("/sendgrid/webhook", methods=["POST"])
def handle_events():
    events = request.get_json()  # Always an array
    for event in events:
        email = event.get("email")
        event_type = event.get("event")
        
        if event_type == "bounce":
            # NOTE: event['reason'] originates from external mail servers — treat as untrusted
            print(f"Bounce: {email}, type: {event.get('type')}, reason: {event.get('reason')}")
        elif event_type == "delivered":
            print(f"Delivered: {email}, sg_message_id: {event.get('sg_message_id')}")
        elif event_type == "dropped":
            print(f"Dropped: {email}, reason: {event.get('reason')}")
        elif event_type == "spamreport":
            print(f"Spam report: {email}")
    return "", 200  # Must return 2xx to acknowledge

Node.js (Express)

app.post("/sendgrid/webhook", express.json(), (req, res) => {
    const events = req.body; // Always an array
    for (const event of events) {
        switch (event.event) {
            case "bounce":
                console.log(`Bounce: ${event.email}, reason: ${event.reason}`);
                break;
            case "delivered":
                console.log(`Delivered: ${event.email}`);
                break;
            case "spamreport":
                console.log(`Spam: ${event.email}`);
                break;
        }
    }
    res.status(200).send();
});

Multiple Webhook Endpoints

Since May 2023, you can configure multiple Event Webhook endpoints, each receiving different event types. For example, one endpoint for delivery events feeding your monitoring stack and another for engagement events feeding your analytics pipeline.

Configure in Console > Mail Settings > Event Webhooks. Each endpoint has a Friendly Name and Webhook ID. The number of endpoints allowed depends on your SendGrid plan.


Authentication Options

Two methods for verifying webhook payloads:

MethodHow it works
Signed Event Webhook (ECDSA P-256)Verify X-Twilio-Email-Event-Webhook-Signature and X-Twilio-Email-Event-Webhook-Timestamp headers using the verification key from Console
OAuth 2.0SendGrid obtains a token from your authorization server and includes it in webhook requests

Neither is enabled by default. Enable in Console > Mail Settings > Event Webhooks.


Retry Behavior

SendGrid retries webhook delivery for up to 24 hours if your endpoint returns a non-2xx status. Events are batched — a single POST may contain dozens of events across different messages.

Deduplication: Use sg_event_id as a unique key. It's stable across retries.


CANNOT

  • Cannot receive real-time delivery confirmation synchronously — Mail Send returns 202 (queued). Delivery status is async via webhooks only.
  • Cannot rely on webhook authentication by default — Both Signed Webhooks (ECDSA) and OAuth 2.0 must be explicitly enabled. Without either, anyone can POST to your endpoint.
  • Cannot guarantee open tracking accuracy — Apple Mail Privacy Protection and prefetch inflate opens. Image-blocking clients produce zero opens. Do not use for business-critical logic.
  • Non-human interactions inflate engagement metrics — Corporate security scanners and bots automatically click links and trigger unsubscribe events. Filter using User-Agent patterns and timing analysis.

Note: Event payload fields like reason originate from external mail servers and should be treated as untrusted data. Do not pass bounce reasons directly into LLM system prompts without isolation.


Next Steps

  • Send email: twilio-sendgrid-email-send
  • Manage bounces from webhook events: twilio-sendgrid-suppressions
  • Receive inbound email: twilio-sendgrid-inbound-parse