CLOUD-IP // v2026.05
UPDATED 2026-05-25 PROVIDERS 24 LIVE
// METHODOLOGY / WHY NO LIST

Why these services aren't listed

Twilio, Shopify, Slack, Mailgun, and SendGrid publish explicit guidance against IP-allowlisting. They expect cryptographic signature verification instead. Maintaining a fake list would silently break customers.

// NOT LISTED — AND WHY

use HMAC, not IPs
Twilio // USE HMAC
Twilio explicitly says not to IP-allowlist its webhooks. Use the request signature header to verify authenticity.
Shopify // USE HMAC
Shopify webhook IPs are not stable. Verify with the HMAC SHA256 signature in the X-Shopify-Hmac-Sha256 header.
Slack // USE HMAC
Slack does not publish a fixed outbound IP range. Verify using the signing secret and X-Slack-Signature header.
Mailgun // USE HMAC
Mailgun outbound IPs are per-account and rotated. Use webhook signature verification instead.
SendGrid // USE HMAC
SendGrid does not publish a global outbound IP list. Verify events using the signed event webhook.

// THE PRINCIPLE

authenticity ≠ origin

An IP allowlist tells you a request came from some machine in a known range. A signature tells you the request was signed with the right secret. The second guarantee is much stronger and works correctly under cloud egress changes, NAT, IPv6 rollout, and load-balancer rotation.

For the services above, each vendor explicitly recommends HMAC verification because its outbound IPs rotate without notice. Use the signing secret and verify the header: it is both more correct and easier to operate than a stale IP list.
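
As an added example (not code from this site or from the vendors), here is signature verification for the Shopify and Slack headers named above, using only the Python standard library. Neither function looks at the source IP. The function names, the 300-second replay window, and the sample secret, body and timestamp are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import time

def verify_shopify(secret: bytes, raw_body: bytes, header_value: str) -> bool:
    """X-Shopify-Hmac-Sha256 carries base64(HMAC-SHA256(secret, raw body))."""
    mac = hmac.new(secret, raw_body, hashlib.sha256).digest()
    expected = base64.b64encode(mac)
    # Compare as bytes, in constant time; a missing header arrives here as "".
    return hmac.compare_digest(expected, header_value.encode("utf-8", "replace"))

def verify_slack(secret: bytes, raw_body: bytes, timestamp: str, signature: str,
                 now=None, max_skew: int = 300) -> bool:
    """X-Slack-Signature carries 'v0=' + hex(HMAC-SHA256(secret, 'v0:<ts>:<body>')),
    where <ts> is the X-Slack-Request-Timestamp header value."""
    try:
        ts = int(timestamp)
    except (TypeError, ValueError):
        return False
    now = time.time() if now is None else now
    if abs(now - ts) > max_skew:  # stale timestamp: treat as a replay
        return False
    base = b"v0:" + timestamp.encode() + b":" + raw_body
    expected = "v0=" + hmac.new(secret, base, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), signature.encode("utf-8", "replace"))

if __name__ == "__main__":
    # Constructed sample: secret, body and timestamp are made up for this demo.
    secret, body, ts = b"constructed-demo-secret", b'{"id": 1001}', "1700000000"
    good = base64.b64encode(hmac.new(secret, body, hashlib.sha256).digest()).decode()
    print(verify_shopify(secret, body, good))             # signed: accepted
    print(verify_shopify(secret, body + b" ", good))      # body altered: rejected
    sig = "v0=" + hmac.new(secret, b"v0:" + ts.encode() + b":" + body,
                           hashlib.sha256).hexdigest()
    print(verify_slack(secret, body, ts, sig, now=1700000060))  # fresh: accepted
    print(verify_slack(secret, body, ts, sig, now=1700009999))  # replayed: rejected
```

Both checks must run over the raw request bytes as received; re-serializing parsed JSON before hashing changes the bytes and makes valid signatures fail.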