Back to Learning CenterEmail Authentication

How Do I Set Up SPF and DKIM for Mailgun?

By Samuel ChenardJuly 9, 20269 min read
How Do I Set Up SPF and DKIM for Mailgun?

To set up SPF and DKIM for Mailgun, add your domain in the Mailgun control panel (Sending → Domains → Add New Domain), then publish the two TXT records Mailgun generates: an SPF record containing v=spf1 include:mailgun.org ~all and a DKIM public key at a selector host such as mx._domainkey on your sending domain. Once DNS propagates, Mailgun marks the domain Verified and starts signing your mail. Use a subdomain like mg.yourdomain.com and your messages will also pass DMARC with the default relaxed alignment.

Quick Takeaways

  • Mailgun verifies a domain with two TXT records: SPF (v=spf1 include:mailgun.org ~all) and a DKIM public key.
  • Mailgun recommends sending from a subdomain such as mg.yourdomain.com for better deliverability.
  • The DKIM record lives at a selector host like mx._domainkey.mg.yourdomain.com — copy the exact name and value from your control panel.
  • An optional CNAME (email.mg.yourdomain.commailgun.org) enables open and click tracking.
  • A verified subdomain passes DMARC because relaxed alignment (the default) matches subdomains to the root.
  • Verification can take up to 24–48 hours; trigger a manual check under Domain settings → DNS records.

What DNS records does Mailgun require?

Mailgun's Domain Verification Setup Guide asks for two TXT records — one for SPF and one for DKIM — plus two MX records and a tracking CNAME. The two TXT records are what verification hinges on: they prove you own the domain and authorize Mailgun's servers to send for it.

Table of Mailgun DNS records: SPF TXT, DKIM TXT at mx._domainkey, two MX records at priority 10, and the tracking CNAME for mg.yourdomain.com. Copy exact hostnames and values from your Mailgun control panel.
RecordHost (example)ValuePurpose
TXT (SPF)mg.yourdomain.comv=spf1 include:mailgun.org ~allAuthorizes Mailgun's servers
TXT (DKIM)mx._domainkey.mg.yourdomain.comk=rsa; p=... (unique key from Mailgun)Lets receivers validate your signature
MX (x2)mg.yourdomain.commxa.mailgun.org and mxb.mailgun.org, priority 10Routes replies and inbound mail to Mailgun
CNAMEemail.mg.yourdomain.commailgun.orgEnables open and click tracking

Verifying is worth doing immediately: per Mailgun's docs, unverified domains carry a 300-message daily limit and show a "sent via Mailgun.org" note to recipients.

Should you use a subdomain or your root domain?

Mailgun recommends a dedicated sending subdomain — its setup guide's example is mail.yourdomain.com, and its DNS FAQ uses mg. subdomains in its examples. Any subdomain you control works. Your From address does not change: you still send as you@yourdomain.com while the subdomain handles the plumbing underneath.

A subdomain is the better choice for three practical reasons:

  1. Reputation separation. Bulk and transactional traffic builds its own sending history without dragging your root domain's reputation along.
  2. No record conflicts. The root domain of a business almost always has an existing SPF record and MX records for Microsoft 365 or Google Workspace. A fresh subdomain starts empty, so you can paste Mailgun's records without merging anything or breaking inbound mail.
  3. Easier multi-service management. If you run email for clients as an MSP, a mg. subdomain per client domain keeps each platform's records isolated and auditable.
A root-domain setup is supported too — the main difference is that you must merge include:mailgun.org into the existing SPF record instead of creating a new one, and you should not add Mailgun's MX records if the domain already receives mail elsewhere.

How do you add the Mailgun SPF record?

  1. Log in to the Mailgun control panel, expand Sending in the left navigation, and click Domains.
  2. Click Add New Domain, enter your sending domain (for example mg.yourdomain.com), and click Add Domain.
  3. Mailgun shows the DNS records to publish. In your DNS host, create the SPF record on the sending domain:
Type:  TXT
Host:  mg.yourdomain.com
Value: v=spf1 include:mailgun.org ~all

If you are setting up the root domain and it already has an SPF record, do not create a second one — a hostname can only have one. Insert include:mailgun.org into the existing record anywhere after v=spf1 and before ~all — with a space on each side — as shown in Mailgun's DNS FAQ:

v=spf1 ip4:1.2.3.4 include:smtp.domain.tld include:mailgun.org ~all

Keep the merged record under SPF's limit of 10 DNS lookups, or receivers will return a permerror. You can confirm the record resolves and stays within the limit with Palisade's free SPF checker.

How do you add the Mailgun DKIM record?

Mailgun generates the DKIM key pair for you. It keeps the private key and gives you a TXT record containing the public key. The record name combines a selector with _domainkey and your sending domain — the current setup guide's example is mx._domainkey.mail.yourdomain.com, but the selector varies by domain (you can even set a custom one through the API), so always copy the exact hostname and value from the control panel:

Type:  TXT
Host:  mx._domainkey.mg.yourdomain.com
Value: k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4... (copy the full key from Mailgun)

Two details worth knowing, both from Mailgun's DKIM security documentation:

  • Key length. Mailgun supports 1024-bit and 2048-bit keys. 2048 is stronger, but the record value is significantly longer, which some DNS panels handle awkwardly.
  • Automatic Sender Security. Instead of a static TXT record, you can delegate DKIM with two CNAMEs (pdk1._domainkey and pdk2._domainkey pointing at Mailgun-hosted keys). Mailgun then rotates your keys automatically, every 120 days by default.
If the dashboard lists several DKIM keys and some sit in an "Unverified" state, that is expected — extra keys appear during rotation, and only the active key needs to validate. Our guide to managing multiple DKIM records explains how selectors let keys coexist. After publishing, confirm the signature validates with Palisade's DKIM checker.

How do you verify your domain in the Mailgun dashboard?

Once the records are live, Mailgun's system checks them periodically and emails you when the domain flips to Verified. Propagation can take 24–48 hours, though it is usually much faster. To check manually:

Five steps to verify a Mailgun sending domain, from adding the domain in the control panel to confirming DMARC alignment with external checks. Mailgun also emails you automatically when the domain flips to Verified.
  1. In the control panel, expand Sending and click Domain settings.
  2. Open the DNS records tab.
  3. Pick the right domain in the Domain drop-down at the top right.
  4. Click Check status (Mailgun's setup guide calls the same control the Check DNS Records Now button on the DNS Settings page).
If Mailgun still reports records as missing, query DNS from the outside rather than trusting your provider's panel. Palisade's DNS lookup tool shows exactly what public resolvers see for each hostname, which catches typos and propagation lag quickly.

How does the setup affect DMARC alignment?

DMARC doesn't just require SPF or DKIM to pass — the domain that passed has to align with the domain in the visible From header.

Here is how a Mailgun subdomain setup plays out when you send as you@yourdomain.com through mg.yourdomain.com:

  • SPF: the Return-Path (envelope from) is on mg.yourdomain.com, which is what SPF authenticates. Under relaxed alignment — DMARC's default — mg.yourdomain.com and yourdomain.com share the same organizational domain, so SPF aligns and DMARC passes.
  • DKIM: Mailgun signs with the DKIM authority set for your sending domain. Its DNS FAQ notes that when the subdomain and the root domain are both set up in your Mailgun account, Mailgun defaults the subdomain's DKIM authority to the root domain (you can overrule this via the API). Either way the signing domain shares your From domain's organizational domain, so DKIM aligns under relaxed alignment — and when the authority is the root domain, under strict alignment too.
The place this breaks is strict alignment. If your DMARC record sets aspf=s, SPF alignment demands an exact match between yourdomain.com and mg.yourdomain.com, which fails. Leave alignment relaxed unless you have a specific reason not to — our guide to aspf, adkim, and subdomain policies covers when strict mode makes sense. After your first sends, run your domain through Palisade's DMARC checker and watch your reports to confirm Mailgun traffic shows as aligned.

Common issues

The domain stays Unverified. Usually propagation (up to 24–48 hours) or a copy-paste error. Verify each hostname with dig or an external lookup, then click Check status. Records must match Mailgun's values exactly.

SPF was added on the wrong host. The SPF record belongs on the sending domain — mg.yourdomain.com — not on the root (and not the other way around). A related trap from Mailgun's DNS FAQ: some DNS panels auto-append your domain to the host field, silently creating mg.yourdomain.com.yourdomain.com. If a lookup on the expected hostname returns nothing, this is the first thing to check.

Two SPF records on one hostname. A second v=spf1 record doesn't add authorization — it invalidates both. Merge every mechanism into a single record.

A CNAME sits on the same hostname. DNS gives CNAMEs precedence, so a CNAME on your sending domain masks the SPF TXT record and verification fails. Remove the CNAME or pick a different subdomain for Mailgun.

DMARC fails on the shared sandbox domain. Every account starts with a sandboxXXXX.mailgun.org domain, which Mailgun states is for testing only (it only delivers to up to five authorized recipients). Mail sent from it authenticates mailgun.org, not your domain, so nothing aligns — at p=quarantine or p=reject those messages fail DMARC. Move real traffic to a verified custom domain.

SPF passes but DKIM fails alignment. If reports show an aligned SPF pass but a misaligned DKIM signature (or d=mailgun.org), check which domain the message was actually sent through and review why DKIM signatures fail alignment.

Frequently asked questions

Do I need Mailgun's MX records if I only send email?

The MX records route inbound mail for the sending subdomain — replies and bounce handling — to Mailgun. Add them on the subdomain as instructed, since it typically receives no mail otherwise. But never add Mailgun's MX records to a root domain that already receives mail through Microsoft 365, Google Workspace, or another host: MX changes there would redirect your business email.

Which DKIM selector does Mailgun use?

There is no single fixed selector. Mailgun's current guide shows mx._domainkey in its example, accounts with Automatic Sender Security use pdk1/pdk2 CNAMEs, and the API lets you set any custom selector. Treat the control panel's DNS records page as the source of truth and copy the hostname exactly.

Is the tracking CNAME required?

No — verification rests on the SPF and DKIM TXT records. The CNAME exists to enable open and click tracking, and Mailgun recommends it if you want engagement data. Skip it if you don't use open or click tracking, or you measure engagement somewhere else.

I already send through other platforms — will Mailgun's records conflict?

Not if you keep them scoped. DKIM keys never conflict because each service publishes under its own selector. SPF only collides on a shared hostname, which is another argument for giving Mailgun its own subdomain. The pattern is the same one we walk through for Amazon SES and Klaviyo: one subdomain or selector per service, one DMARC policy at the root watching them all.

Share this article

Samuel Chenard

Written by

Samuel Chenard

CEO & Co-Founder, Palisade

Samuel Chenard is the CEO and co-founder of Palisade, the DMARC automation platform for MSPs. He writes Palisade's guides on DMARC, SPF, DKIM and email deliverability.

More from Samuel

Related articles