Point a domain (or a single address) at MailKite and every incoming email arrives at your endpoint as one parsed JSON object — text, HTML, threading, auth results, and signed attachment URLs — with an HMAC signature you verify locally.
Parsed text, HTML, headers, and signed attachment URLs in a single payload — no multipart/form-data to reassemble, no MIME parser to maintain.
Every event carries a threadId (In-Reply-To/References) and SPF/DKIM/DMARC/spam results, so replies thread and you can trust the sender without extra lookups.
Each webhook is HMAC-SHA256 signed for local verification, retries with backoff on failure, and is replayable in one click.
Receive across every product and client domain on one account at no per-domain cost — combined inbound + outbound share one quota.
Add the MailKite MX records to your domain — or start instantly on a managed subdomain while DNS propagates.
Point an address, a whole domain, or a catch-all at your endpoint in the dashboard. No route DSL to learn.
Check the x-mailkite-signature header with the SDK's verifyWebhook helper and read the parsed fields — you're live.
One JSON object with parsed body, threading, auth results, and signed attachment URLs — instead of prising fields out of a multipart form.
POST /your-webhook Content-Type: application/json
x-mailkite-signature: t=…,v1=… (HMAC-SHA256 — verify locally)
{
"id": "msg_2Hk9…",
"type": "email.received",
"from": { "address": "ada@example.com" },
"to": [{ "address": "support@myapp.ai" }],
"subject": "Re: invoice #1042",
"text": "Looks good — approved!",
"html": "<p>Looks good — approved!</p>",
"threadId": "<a1b2c3@mail.example.com>",
"auth": { "spf": "pass", "dkim": "pass", "dmarc": "pass", "spam": "ham" },
"attachments": [
{ "filename": "po.pdf", "contentType": "application/pdf",
"size": 18213, "url": "https://api.mailkite.dev/att/2Hk9…/0?sig=…" }
]
} A single JSON object with the parsed body (text and HTML), headers, threadId, auth results, and signed attachment URLs — not multipart/form-data. You read typed fields directly.
Each request carries an x-mailkite-signature header (HMAC-SHA256 over the body). Verify it locally with your signing secret — the SDKs ship a verifyWebhook helper. No callback needed.
They arrive as signed URLs you fetch on demand, so your webhook payload stays small. Zero-retention domains can inline them instead.
Start free on unlimited domains — no credit card. Or browse the other solutions.