by ufmace
3083 days ago
For 3. I'd say no way. There's no way for Mailgun to know what services are doing with those keys, how important those services are to their customers, how difficult it is for the service owners to rotate their keys, and how much bandwidth they have to do that right now. In an ideal world, every customer would have a good setup where they can rotate third-party supplier API keys painlessly and have plenty of bandwidth to handle security emergencies. Alas, there's a lot of bad setups out there, and some of them are critical to their customers' operations. Nothing I've personally worked with had a setup bad enough to make that painful, but I'd be very worried about how reckless a service is to rotate API keys that aren't being actively exploited to do something dangerous without getting a positive confirmation from the customer.