Mailgun SPF and DKIM setup

What you are setting up

Mailgun sends your application mail from a sending subdomain you authenticate, by convention something like mail.yourdomain.com. You publish SPF and DKIM on that subdomain so Mailgun's mail authenticates and aligns, and the one thing you have to get right afterward is sending from the right domain. Mailgun also runs a US and an EU region, and a few of the records differ between them, so always copy the exact values your dashboard shows.

Add the sending domain

In Mailgun, go to Send > Sending > Domains > Add New Domain. Add a subdomain (Mailgun's own example is mail.yourdomain.com) and pick your region (US or EU). Mailgun then shows you the DNS records to publish on that subdomain.

Publish SPF, DKIM, and tracking

The core records, all on the sending subdomain:

Type:  TXT     (SPF)
Host:  mail.yourdomain.com
Value: v=spf1 include:mailgun.org ~all

Type:  TXT     (DKIM, the common setup)
Host:  mx._domainkey.mail.yourdomain.com
Value: k=rsa; p=MIGfMA0GCSq... (the key Mailgun shows you)

Type:  CNAME   (open and click tracking)
Host:  email.mail.yourdomain.com
Value: mailgun.org        (EU region: eu.mailgun.org)

Two notes that save real debugging time. First, the DKIM selector is mx (not smtp, which is a different provider's convention); newer Mailgun domains using its Automatic Sender Security instead show two CNAME records at pdk1._domainkey and pdk2._domainkey that Mailgun rotates for you. Publish whichever pair Mailgun shows you, and copy the values exactly. Second, the tracking CNAME target differs by region (mailgun.org for US, eu.mailgun.org for EU). The two MX records Mailgun lists (mxa.mailgun.org / mxb.mailgun.org) are only needed if you want Mailgun to receive mail; a pure sending setup can skip them.

If your root domain already has an SPF record, that is fine: this SPF record lives on the subdomain, which has its own SPF, so there is no conflict with the root.

Send from the subdomain (or its root)

Because you authenticated mail.yourdomain.com, your from address has to be on that subdomain or its root domain (yourdomain.com) for DMARC to align under relaxed alignment. The common mistake is authenticating the subdomain and then sending from a different, unauthenticated domain, in which case Mailgun's signature does not align and DMARC fails. Keep adkim and aspf relaxed (the default) unless your from address is exactly on the subdomain.

Add DMARC

Standard _dmarc TXT record at your root domain, nothing Mailgun-specific. Start in monitor-only mode and ramp up:

Type:  TXT
Host:  _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Build it with our DMARC builder and move past p=none when your reports are clean.

The Mailgun gotcha

The number-one Mailgun failure is sending from your root domain after authenticating only a subdomain. Mail from you@yourdomain.com is not signed by a mail.yourdomain.com setup, so it fails alignment. Either send from the subdomain (or its root, with relaxed alignment), or authenticate the domain you actually send from. The other usual suspect is the DNS host appending your domain to the record name; enter the host exactly as Mailgun shows it and check it is not doubled.

Confirm it worked

• Verify in Mailgun.The domain's DNS records page turns green once everything resolves.
• Send a test and read the headers. Send through Mailgun, open the message, and confirm the DKIM signature and dmarc=pass. Our header analyzer reads it back plainly.
• Watch the reports. Mailgun should appear as an aligned, passing source in your DMARC aggregate reports. trustyourinbox flags it as a known sender so a stream sent from the wrong domain stands out.