diff --git a/app/Http/Controllers/BrevoController.php b/app/Http/Controllers/BrevoController.php
index 8cb666d244..ac6d9265cc 100644
--- a/app/Http/Controllers/BrevoController.php
+++ b/app/Http/Controllers/BrevoController.php
@@ -190,18 +190,7 @@ class BrevoController extends BaseController
     {
         $input = $request->all();
 
-        // validation for client mail credentials by recipient
-        if ($request->has('company_key')) {
-            if (!($request->has('token')))
-                return response()->json(['message' => 'Unauthorized'], 403);
-
-            MultiDB::findAndSetDbByCompanyKey($request->has('company_key'));
-            $company = Company::where('company_key', $request->has('company_key'))->first();
-            $company_brevo_secret = $company?->settings?->email_sending_method === 'client_brevo' && $company?->settings?->brevo_secret ? $company->settings->brevo_secret : null;
-            if (!$company || !$company_brevo_secret || $request->get('token') !== $company_brevo_secret)
-                return response()->json(['message' => 'Unauthorized'], 403);
-
-        } else if (!($request->has('token') && $request->get('token') == config('services.brevo.secret')))
+        if (!($request->has('token') && $request->get('token') == config('ninja.inbound_mailbox.inbound_webhook_token')))
             return response()->json(['message' => 'Unauthorized'], 403);
 
         if (!array_key_exists('items', $input)) {
diff --git a/app/Http/Controllers/MailgunController.php b/app/Http/Controllers/MailgunController.php
index 35f1c8388e..32bcac1799 100644
--- a/app/Http/Controllers/MailgunController.php
+++ b/app/Http/Controllers/MailgunController.php
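Review bot: The key this guard reads, `config('ninja.inbound_mailbox.inbound_webhook_token')`, is never defined — the config/ninja.php hunk in this same commit adds `inbound_webhook_key` (from `INBOUND_WEBHOOK_KEY`), so the lookup yields null in every deployment, and because the comparison is `==` with no empty check, a request carrying an empty `token` parameter (or an array `token[]`) satisfies `"" == null` and passes; `has()` only tests presence, so it does not help. The Mailgun `$authorizedByToken` line and the PostMark token check read the same missing key and share this weakness. Align the names, then fail closed on an empty secret and compare with `hash_equals()`: `$expected = config('ninja.inbound_mailbox.inbound_webhook_key'); $supplied = $request->get('token');` followed by `if (!is_string($expected) || $expected === '' || !is_string($supplied) || !hash_equals($expected, $supplied)) return response()->json(['message' => 'Unauthorized'], 403);`. The enclosing method starts and ends outside the hunk.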
@@ -126,12 +126,13 @@ class MailgunController extends BaseController
 
         // @turbo124 TODO: how to check for services.mailgun.webhook_signing_key on company level, when custom credentials are defined
         // TODO: validation for client mail credentials by recipient
-        if (\hash_equals(\hash_hmac('sha256', $input['timestamp'] . $input['token'], config('services.mailgun.webhook_signing_key')), $input['signature'])) {
-            ProcessMailgunInboundWebhook::dispatch($input["sender"] . "|" . $input["recipient"] . "|" . $input["message-url"])->delay(10);
+        $authorizedByHash = \hash_equals(\hash_hmac('sha256', $input['timestamp'] . $input['token'], config('services.mailgun.webhook_signing_key')), $input['signature']);
+        $authorizedByToken = $request->has('token') && $request->get('token') == config('ninja.inbound_mailbox.inbound_webhook_token');
+        if (!$authorizedByHash && !$authorizedByToken)
+            return response()->json(['message' => 'Unauthorized'], 403);
 
-            return response()->json(['message' => 'Success'], 201);
-        }
+        ProcessMailgunInboundWebhook::dispatch($input["sender"] . "|" . $input["recipient"] . "|" . $input["message-url"])->delay(10);
 
-        return response()->json(['message' => 'Unauthorized'], 403);
+        return response()->json(['message' => 'Success.'], 200);
     }
 }
diff --git a/app/Http/Controllers/PostMarkController.php b/app/Http/Controllers/PostMarkController.php
index ab3b9e74a5..1f59240a2d 100644
--- a/app/Http/Controllers/PostMarkController.php
+++ b/app/Http/Controllers/PostMarkController.php
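Review bot: `$authorizedByHash` is evaluated unconditionally, so a caller relying on the new shared-token path that does not send Mailgun's `timestamp`/`token`/`signature` fields hits undefined-index warnings and hands null to `hash_equals()` (a TypeError under strict_types, a deprecation otherwise) before `$authorizedByToken` is ever consulted. Guard the HMAC check on field presence: `$authorizedByHash = isset($input['timestamp'], $input['token'], $input['signature']) && \hash_equals(\hash_hmac('sha256', $input['timestamp'] . $input['token'], config('services.mailgun.webhook_signing_key')), $input['signature']);`. Note also that both paths consume a field named `token` — the HMAC line treats `$input['token']` as Mailgun's per-event nonce while the next line treats `$request->get('token')` as the shared secret — and if `$input` is `$request->all()` (assigned outside the hunk) these are the same value, so a distinct parameter name for the shared secret would remove the ambiguity. The enclosing method starts outside the hunk.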
@@ -275,17 +275,19 @@ class PostMarkController extends BaseController
 
         $input = $request->all();
 
+        if (!($request->has('token') && $request->get('token') == config('ninja.inbound_mailbox.inbound_webhook_token')))
+            return response()->json(['message' => 'Unauthorized'], 403);
+
         if (!(array_key_exists("MessageStream", $input) && $input["MessageStream"] == "inbound") || !array_key_exists("To", $input) || !array_key_exists("From", $input) || !array_key_exists("MessageID", $input)) {
             Log::info('Failed: Message could not be parsed, because required parameters are missing.');
             return response()->json(['message' => 'Failed. Missing/Invalid Parameters.'], 400);
         }
 
-        // // TODO: security
-        // if (!($request->header('X-API-SECURITY') && $request->header('X-API-SECURITY') == config('services.postmark.token')))
-        //     return response()->json(['message' => 'Unauthorized'], 403);
+        $inboundEngine = new InboundMailEngine();
 
-        if ((new InboundMailEngine())->isInvalidOrBlocked($input["From"], $input["To"])) {
+        if ($inboundEngine->isInvalidOrBlocked($input["From"], $input["To"])) {
             Log::info('Failed: Sender is blocked: ' . $input["From"] . " Recipient: " . $input["To"]);
+            $inboundEngine->saveMeta($input["From"], $input["To"]);
             return response()->json(['message' => 'Blocked.'], 403);
         }
 
@@ -309,12 +311,12 @@ class PostMarkController extends BaseController
 
             }
         } catch (\Exception $e) {
-            (new InboundMailEngine())->saveMeta($input["From"], $input["To"]); // important to save this, to protect from spam
+            $inboundEngine->saveMeta($input["From"], $input["To"]); // important to save this, to protect from spam
             throw $e;
         }
 
         // perform
-        (new InboundMailEngine())->handle($inboundMail);
+        $inboundEngine->handle($inboundMail);
 
         return response()->json(['message' => 'Success'], 200);
     }
diff --git a/config/ninja.php b/config/ninja.php
index 3a05f424e7..94933bce3b 100644
--- a/config/ninja.php
+++ b/config/ninja.php
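Review bot: The new guard reads the shared secret through `$request->get('token')`, which — unlike the `X-API-SECURITY` header check it replaces — also accepts the value from the query string, so the secret can end up in web-server, proxy and application access logs; the Brevo and Mailgun hunks use the same accessor. Consider reading the secret from a request header, or at minimum from the body only via `$request->post('token')`, and document in the route where callers must place it. The enclosing method starts outside the first hunk, and the try block closed in the second hunk opens before it.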
@@ -239,6 +239,7 @@ return [
     'inbound_mailbox' => [
         'expense_mailbox_template' => env('EXPENSE_MAILBOX_TEMPLATE', null),
         'expense_mailbox_endings' => env('EXPENSE_MAILBOX_ENDINGS', '@expense.invoicing.co'),
+        'inbound_webhook_key' => env('INBOUND_WEBHOOK_KEY', null)
     ],
     'cloudflare' => [
         'turnstile' => [
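Review bot: The added `'inbound_webhook_key'` entry lacks the trailing comma its sibling entries carry, so the next addition to this array has to touch this line as well: `'inbound_webhook_key' => env('INBOUND_WEBHOOK_KEY', null),`. If the repository ships an `.env.example`, the new `INBOUND_WEBHOOK_KEY` variable should be listed there with a one-line description of which inbound webhooks it protects.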