Josh CTO of Mailgun here - In this example, there is no actual sharing of domain reputation with other customers. Most inbox providers base reputation on the DKIM domain, which in this case is "sandbox.mgsend.net" not the header from address.
Each message is uniquely signed by the sending domain belonging to the account owner, meaning that the domain reputation cannot be borrowed/shared between customers.
Josh/CTO of Mailgun here - I took a look at this case and these messages were being sent from the sandbox feature of our service. The sandbox only allows messages to be sent to "authorized recipients" through an opt-in mechanism, which makes it impractical for spamming and phishing. The purpose of this feature is to allow customers to get comfortable with the interfaces and test the product in a safe way without having to add DKIM/SPF records. I reviewed these messages and confirmed there is no illicit behavior, likely just a misconfiguration from a user of radiotoolbox.
If this is a recent occurrence, I'd be happy to have our application security team take a look. To be clear, there hasn't been any kind of breach, but our customers are often targeted in phishing schemes that results in the disclosure of account credentials. We're continually adapting our defenses, but this is responsible for the majority of credential leaks.
Thoma Bravo has been a great partner for us. Our management team has maintained a high level of autonomy in driving the vision and strategy of the company including the decision to pursue this acquisition. There is a tremendous network current/past companies with a wealth of experience that we've been able to draw from that already has proven to be incredibly valuable as we continue to scale the company.
We're really excited about MJML. Creating messages that render properly on all email clients is challenging and MJML solves the problem in a very developer friendly way. You should expect MJML and the Passport editor to be integrated into Mailgun in the near future!
Can you email your ticket number to [email protected] and I'll take a look? This definitely isn't typical and I'll get this resolved immediately for you.