Webhooks

Email Webhooks

Real-time notifications for email events. Get instant delivery, bounce, open, click, and complaint data pushed to your endpoint.

How it works

1

Email event occurs

An email is sent, delivered, bounced, opened, clicked, or receives a complaint.

2

Transmit captures

The event is captured, transformed into a clean payload, and enriched with your message metadata.

3

Webhook dispatched

An HMAC-SHA256 signed POST request is sent to your configured endpoint. Payloads use Transmit event names and your message IDs.

4

Your server handles

Verify the X-Xmit-Signature header, process the event, and return a 200 status. Build automations on any email event.

Capabilities

6 Event Types

Subscribe to email.sent, email.delivered, email.bounced, email.complained, email.opened, and email.clicked. Each event includes full message context.

HMAC-SHA256 Signatures

Every webhook payload is signed with your secret key. Verify the X-Xmit-Signature header to confirm the request came from Transmit.

Secret Rotation

Rotate your webhook signing secret at any time via the API or dashboard. The new secret takes effect immediately.

Selective Subscription

Subscribe to only the events you care about. Reduce noise by filtering to bounces and complaints, or track everything.

Webhook Handler (Node.js)

javascript
import crypto from "crypto";

app.post("/webhooks/email", (req, res) => {
  // Verify HMAC-SHA256 signature
  const sig = req.headers["x-xmit-signature"];
  const expected = "sha256=" + crypto
    .createHmac("sha256", process.env.WEBHOOK_SECRET)
    .update(JSON.stringify(req.body))
    .digest("hex");

  if (sig !== expected) {
    return res.status(401).send("Invalid signature");
  }

  const { event, data } = req.body;

  switch (event) {
    case "email.delivered":
      console.log(`Delivered to ${data.recipient}`);
      break;
    case "email.bounced":
      // Remove invalid address
      await removeContact(data.recipient);
      break;
    case "email.complained":
      // Unsubscribe immediately
      await unsubscribe(data.recipient);
      break;
  }

  res.status(200).send("OK");
});

Related features

Frequently Asked Questions

What webhook events are available?
Six event types: email.sent (accepted for delivery), email.delivered (reached inbox), email.bounced (hard or soft bounce), email.complained (spam report), email.opened (pixel tracked), and email.clicked (link tracked). Each includes the message ID, recipient, timestamp, and event-specific data.
How do I verify webhook signatures?
Compute an HMAC-SHA256 hash of the raw request body using your webhook secret. Compare the result to the X-Xmit-Signature header, which contains 'sha256=' followed by the hex digest.
Can I subscribe to specific events only?
Yes. When configuring your webhook endpoint, you select which event types to receive. For example, you might only want bounced and complained events to maintain your contact list hygiene.
How do I rotate my webhook secret?
Use the rotate-secret endpoint or click Rotate Secret in the dashboard. The new secret takes effect immediately. Update your verification code to use the new secret.
What happens if my endpoint is down?
Transmit tracks consecutive delivery failures per endpoint. After 10 consecutive failures, the endpoint is automatically disabled to prevent unnecessary load. Re-enable it from the dashboard or API after fixing the issue.
Get started in minutes

Start sending with Transmit

Set up in minutes. Volume-based pricing starts at $2/month.