# Looking for a Mailgun alternative?

> Mailgun encrypts at rest under platform-held keys; Email Fast lets you hold your own. A Mailgun-compatible endpoint keeps your code. Compared honestly.

Canonical: https://emailfast.dev/compare/mailgun-alternative

Mailgun is established, certified infrastructure under Sinch: SOC 2 Type II, ISO
27001, AES-256 encryption at rest. The comparison turns on three words in that last
item — under platform-held keys — and on what sits behind upper-tier gates: SSO and
deliverability tooling. Email Fast hands key custody to you, ships the same
deliverability engineering on every plan, and accepts your Mailgun SDK unchanged, so
finding out costs a base URL.

## The comparison

| | Mailgun | Email Fast |
|---|---|---|
| Key custody | AES-256 at rest, platform-held keys | organizations can bring their own encryption keys — enroll, rotate, suspend, or revoke — and revocation fails closed: new sends are rejected and stored secrets become unreadable, to us included |
| Certifications | SOC 2 Type II and ISO 27001 | None yet — open [security page](/security) |
| Ownership | Sinch | Independent |
| Free tier | 100 emails/day | 2,500 emails/month, never expires |
| Paid entry | Basic from $15/month | Starter, $9.90/month for 20,000 emails ([pricing](/pricing)) |
| Tier gating | SSO and deliverability tooling on upper tiers | SSO is enterprise-tier here too; deliverability engineering is not — every plan sends through the same infrastructure |
| Drop-in migration | — | SendGrid-, Mailgun-, and Postmark-compatible endpoints: point your existing SDK at a new base URL with a new key and keep your code |

## Keys, in practice

“Encrypted at rest” is table stakes; the question is who can decrypt. Mailgun's
documentation answers it plainly: the platform. The other answer is the one we built:
organizations can bring their own encryption keys — enroll, rotate, suspend, or revoke — and revocation fails closed: new sends are rejected and stored secrets become unreadable, to us included. Erasure follows custody, too: GDPR erasure by crypto-shred: destroying a key destroys the data it protected, without corrupting the tamper-evident audit ledger. More for security
teams: [enterprise](/enterprise).

## Where Mailgun is the right choice

- **You need certification today.** SOC 2 Type II and ISO 27001, held and current — we can't match that yet.
- **You're building on Sinch's communications stack** and want one vendor across channels.
- **Vendor maturity matters.** An established platform against our early access is a fair thing to weigh against us.

## Switching

The Mailgun-compatible endpoint accepts your existing `/v3/:domain/messages` calls —
swap the base URL and the key. Start with a [sandbox key](/get-started):
sandbox keys (ef_sandbox_…) that run the real pipeline dry: real validation, real rendering, real events, a hosted capture inbox — and no email leaves. Live delivery opens at launch. The full path:
[/migrate/mailgun](/migrate/mailgun).

*Mailgun is a trademark of its owner; Email Fast is not affiliated with or endorsed by them. Facts about Mailgun were verified on their public pages on the date above — corrections: [hello@emailfast.dev](/contact).*

## Is Mailgun certified?

Yes: SOC 2 Type II and ISO 27001 per their site, under Sinch's ownership. Email Fast holds no third-party attestation yet — the security page says exactly which we lack, why we won't borrow badges, and what we ran instead — a 19-stage adversarial security review, run to zero confirmed findings. That review was internal and adversarial — a documented find→refute→fix→re-verify loop — not a third-party audit. We say exactly which one we have.

## What does platform-held vs customer-held actually change?

Who can decrypt. With platform-held keys, the vendor encrypts and can always decrypt. With ours: organizations can bring their own encryption keys — enroll, rotate, suspend, or revoke — and revocation fails closed: new sends are rejected and stored secrets become unreadable, to us included.

## Is Mailgun cheaper?

No — entry pricing now favors us: Mailgun's Basic starts at $15; our Starter is $9.90 a month for 20,000 emails. And on top of volume, contacts and subscribers are never billed — we price sending, not the size of your audience.

## Do I have to rewrite my Mailgun integration?

No: SendGrid-, Mailgun-, and Postmark-compatible endpoints: point your existing SDK at a new base URL with a new key and keep your code. Existing /v3/:domain/messages calls work unchanged. The walkthrough: /migrate/mailgun .
