Sinch Mailgun is a transactional email API service for developers. This guide covers the complete email authentication stack for Mailgun: SPF, DKIM, and DMARC. Each section gives you the exact DNS records, step-by-step instructions, common pitfalls, and how to verify your setup.
Authorize Mailgun to send transactional email on behalf of your domain by adding the correct SPF include.
TXT
@
v=spf1 include:mailgun.org ~all
Add include:mailgun.org to your existing SPF record.
Go to app.mailgun.com and sign in.
Navigate to Sending > Domains > Add New Domain. Enter your domain (or a subdomain like mg.yourdomain.com).
Mailgun will display the DNS records you need. The SPF record uses include:mailgun.org.
Add include:mailgun.org to your existing SPF record, or create a new one.
v=spf1 include:mailgun.org ~allClick "Verify DNS Settings" in Mailgun. It will check all required records.
v=spf1 include:_spf.google.com ~allv=spf1 include:_spf.google.com include:mailgun.org ~allAdd include:mailgun.org to your SPF record. If you send from a subdomain like mg.yourdomain.com, add the SPF record to that subdomain.
Yes. Mailgun recommends using a subdomain (e.g., mg.yourdomain.com) to isolate transactional email reputation from your root domain.
Yes. Use a subdomain for Mailgun (e.g., mg.yourdomain.com with its own SPF) and keep your root domain SPF for Google Workspace.
Publish a DKIM TXT record provided by Mailgun to enable cryptographic email signing for your sending domain.
TXT
smtp._domainkey
v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY_FROM_MAILGUN
Mailgun generates a unique DKIM key for each domain. The default selector is smtp or a domain-specific selector.
Go to app.mailgun.com and sign in.
Go to Sending > Domains and select your verified domain.
Mailgun displays the DKIM TXT record with the selector and public key. Copy both the host name and value.
Create a TXT record in your DNS provider with the host and value from Mailgun.
smtp._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSq..."Click "Verify DNS Settings" in Mailgun. It will check the DKIM record.
Mailgun typically uses smtp as the DKIM selector, but newer accounts may use different selectors. Check your Mailgun domain settings for the exact selector.
Mailgun uses a TXT record for DKIM containing the public key directly, unlike some providers that use CNAME records.
Yes. You can regenerate DKIM keys in the Mailgun dashboard. After regenerating, update the DNS TXT record with the new public key.
Publish a DMARC record to protect your domain when sending transactional email through Mailgun.
TXT
_dmarc
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
If using a Mailgun subdomain, add the DMARC record to that subdomain: _dmarc.mg.yourdomain.com.
Ensure both SPF and DKIM are set up and verified in Mailgun for your sending domain.
Use Mailgun's API or SMTP to send a test message and check the Authentication-Results header for SPF and DKIM pass.
Add a TXT record at _dmarc.yourdomain.com (or _dmarc.mg.yourdomain.com if using a subdomain).
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1Review DMARC reports for 2-4 weeks to ensure Mailgun emails pass alignment.
Gradually move to p=quarantine and then p=reject.
If your root domain has a DMARC record, it applies to subdomains via the sp= tag (or defaults to the p= policy). You can add a separate DMARC record on the subdomain for a different policy.
Proper DMARC improves deliverability by signaling to receivers that you actively protect your domain. It only blocks email if authentication fails.
Send a test email via Mailgun, then inspect the email headers. Look for Authentication-Results showing dmarc=pass and verify the alignment mode (relaxed or strict).
Once your SPF, DKIM, and DMARC records are in place, run a full domain scan to confirm everything is configured correctly. DNS changes typically propagate within minutes but can take up to 48 hours.