Just a quick question, mailgun has domain verification right? How can it be vulnerable.
Same goes for Google and many others

I updated README file at 15.06.2022 for Mailgun. Also you can check this closed issue. In a nutshell Mailgun was vulnerable but they have fixed.

Important Uptade (15.06.2022): Mailgun now requires DNS verification for all records(MX, TXT, CNAME) even only for mail receiving. Before fix, in order to receive mail was just enought MX verification. About three week ago, this was working but vulnerability have fixed now by mailgun. It was sending successfully when mail was sent before and you could access mail content from Maigun logs but now you are getting "relaying denied" error. If you try send you will get Remote Server returned '550 5.7.367 Remote server returned not permitted to relay -> 550 5.7.1 Relaying denied' error.

Oh sorry I completely missed that issue an the update 😅