Why MailMunch double-counted leads after a CRM webhook replay and the idempotency key change that stopped duplicate entries

Webhooks have become the backbone of real-time data synchronization between services. When MailMunch, a popular lead generation platform, experienced unexpected behavior after a CRM webhook replay, it highlighted just how intricate and delicate these systems can be. The incident led to double-counted leads—a serious issue for marketing teams relying on accurate analytics and automation triggers. Let’s explore how this happened, why it happened, and how MailMunch implemented a better idempotency mechanism to fix and future-proof the problem.

Contents

TLDR:

After a webhook replay from a CRM integration, MailMunch was found to be doubling lead entries due to the absence of a reliable idempotency key. Webhooks that were meant to be safe to resend ended up creating duplicate leads in the system. This issue was traced back to the way MailMunch processed requests, assigning new keys indiscriminately. A new idempotency strategy was implemented to ensure that replays could be safely handled without duplication.

Understanding Webhooks and Why They Replay

First, let’s break down what a webhook replay is. When systems exchange data via webhooks, the sender (CRM in this case) may resend a webhook for several reasons:

  • An acknowledgment wasn’t received
  • The request timed out
  • System retry policies kicked in due to temporary failure

These replays are expected behavior and are typically harmless—provided the receiving system can detect and ignore the duplicates. That’s where idempotency becomes essential.

What is Idempotency and Why It Matters

Idempotency in webhooks means handling the same request multiple times without causing unintended side effects. For example, if a lead submission webhook is sent twice, only one lead should be created. Without this property, each replay creates a fresh database record—even though it’s based on the same original user action. That’s exactly what happened at MailMunch.

The Problem: Double-Counted Leads After Replay

MailMunch integrated with a third-party CRM to receive new lead data. A routine webhook replay—meant to be safe—triggered the lead endpoint. However, users noticed something strange: lead counts were inflating. Here’s how it happened:

  1. The CRM sent a webhook for a new lead
  2. MailMunch recorded the lead as usual
  3. Due to a timeout, the CRM retried the webhook
  4. MailMunch recorded the same lead again, thinking it was new

This wasn’t a one-off error. Several automated replays from the CRM caused a flood of duplicated entries in user accounts, throwing off metrics, email campaigns, and segmentation.

Digging Deeper: How MailMunch Originally Handled Idempotency

Technically, MailMunch did attempt to make requests idempotent—but with a catch. The idempotency key was dynamically generated based on incoming payload timestamps and session details. Unfortunately, those values changed subtly during replay, either due to time-based fields being regenerated by the CRM or due to request headers being altered.

As a result, every webhook—even identical in content—had a different idempotency key. To MailMunch, Replay B looked like a completely different request than Original A.

Key Flaws in the Old Approach:

  • Dynamic idempotency keys: Prone to change on retry
  • Absence of client-generated unique identifiers: The CRM didn’t provide a guaranteed identifier (like a deduplication token)
  • No fallback protection: MailMunch lacked a secondary deduplication layer to catch near-identical payloads

The Fix: A Smarter Idempotency Key Strategy

Realizing that webhook replays are not rare events—and often necessary for resilience—MailMunch overhauled its webhook ingestion process. The engineering team adopted a new strategy based on better key derivation and optional client-supplied deduplication IDs.

Here’s what the new mechanism includes:

  1. Hashed content fingerprints: A SHA-256 hash of the payload is created without considering volatile fields like timestamps.
  2. Persistent stamping: If the CRM provides a unique webhook event ID, MailMunch stores and checks it against past records.
  3. Retry window caching: A cache stores recent webhook hashes for up to 15 minutes to catch potential duplicates.

This hybrid model ensures that even if the CRM retries the webhook or even replays it with minor changes, MailMunch can detect that it’s functionally the same event.

Benefits of the New System

The positive impact was immediate:

  • Lead overcounts dropped to zero during retests
  • Businesses saw proper segmentation and no extra email sends
  • Marketing teams regained confidence in metrics and attribution

Perhaps most importantly, it strengthened user trust that the system behaves in a predictable and intelligent manner, even when external systems behave erratically.

Lessons Learned From the Incident

This episode at MailMunch illustrates a few key lessons about modern SaaS integrations:

  1. Webhooks must be idempotent by design: You can’t rely on upstream systems to get it right every time.
  2. Idempotency isn’t just about keys: Sometimes, it’s about understanding the essence of a payload and ignoring what doesn’t matter.
  3. User trust hinges on invisible back-end logic: Even UI-perfect products can crumble if the system logic misbehaves beneath the surface.

Final Thoughts: Being Proactive With Webhook Idempotency

If you’re building any service that integrates with third-party systems, how you handle repeat events is critical. The MailMunch incident is a case study in hidden complexity—what seems like a minor data replay can result in cascading issues like inaccurate reporting, inflated billable metrics, and lost user trust.

From a developer’s perspective, this also highlights the importance of thinking defensively when dealing with external inputs:

  • Design request handlers with statelessness and repeatability in mind
  • Track prior requests using robust and entropy-resistant hashing strategies
  • Always assume that upstream systems might misbehave

Conclusion

MailMunch’s response to a webhook replay incident is an excellent example of how to turn a problem into a powerful improvement. By implementing a smarter idempotency key system—one grounded in content-based fingerprinting and short-term caching—they’ve significantly reduced the risk of duplicate leads cropping up in their system.

As we integrate more deeply across services and platforms, these kinds of safeguarding strategies will only grow in importance. The next time you implement a webhook, remember: it’s not whether you’ll get duplicates, it’s how gracefully you’ll handle them when they arrive.

You May Also Like...