Mailgun sends from a dedicated subdomain, and that one detail changes where every DNS record goes. The SPF include:mailgun.org and the mx._domainkey DKIM TXT record belong on your sending subdomain (for example mail.yourdomain.com), not on your root domain. Get the host names right, wait for propagation, add a DMARC record at the root, and your mail authenticates cleanly.
This guide covers the exact records Mailgun asks for, how to merge SPF if your root already has a record, the optional tracking records, and a final verification pass so you know DKIM and SPF both pass before you send real volume.
Why Mailgun uses a sending subdomain
When you add a domain in the Mailgun dashboard, it does not ask you to authenticate yourdomain.com directly. It asks for a subdomain, usually something like mail.yourdomain.com or mg.yourdomain.com. This is deliberate and it is good practice.
A dedicated sending subdomain isolates your transactional and marketing traffic from the mailboxes your staff use on the root domain. Reputation on the subdomain is built and tracked separately, so a bad campaign does not drag down your corporate email, and Google Postmaster Tools can report on the subdomain on its own. It also keeps your DNS clean: the Mailgun records live under the subdomain and never collide with the SPF or MX records your normal mail provider already publishes at the root.
The catch is that people paste Mailgun's records at the root by habit. If you put include:mailgun.org in the SPF record at yourdomain.com when Mailgun is sending as mail.yourdomain.com, the receiving server checks the subdomain's SPF, finds nothing, and SPF fails. Host names matter more than values here.
Add the SPF record on the sending subdomain
Mailgun's SPF include tells receivers that Mailgun's IP ranges are allowed to send for your subdomain. Publish a TXT record on the subdomain itself.
- Host / name: mail.yourdomain.com (or whatever subdomain Mailgun assigned)
- Type: TXT
- Value: v=spf1 include:mailgun.org ~all
Use ~all (softfail) as Mailgun recommends, not -all, until you have confirmed nothing else sends as that subdomain. If you host DNS at Cloudflare, Route 53, GoDaddy, or Namecheap, enter the subdomain in the name field exactly as shown; some panels append the root domain automatically, so mail becomes mail.yourdomain.com. Check the panel's preview before saving.
Merging into an existing root SPF record
If you decided to send from the root domain instead of a subdomain, or the subdomain already carries an SPF record from another service, you cannot publish two SPF records on the same name. A domain is allowed exactly one v=spf1 TXT record. Publishing a second one is a permanent error that fails SPF for everyone.
Merge the include into the single existing record instead. If your root already reads v=spf1 include:_spf.google.com ~all, the combined record becomes:
v=spf1 include:_spf.google.com include:mailgun.org ~all
Keep one v=spf1 at the start and one all mechanism at the end. Every include counts toward SPF's hard limit of ten DNS lookups, so if you already stack several providers, watch that ceiling. Our guide on SPF too many DNS lookups explains how to stay under it, and SPF records for a subdomain covers the host-name mechanics in more detail.
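The merge rule above as an added example (not Mailgun's code or tooling): it inserts an include before the existing all term, never emits a second record, and counts lookup-costing terms. The function names are hypothetical, and the count covers this record only, since includes nested inside a provider's own record add more at evaluation time.

```python
# Mechanisms that cost a DNS lookup during SPF evaluation (redirect= also does).
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")

def parse_spf(record):
    """Split a record into (terms before 'all', the 'all' term or None)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    body = terms[1:]
    all_terms = [t for t in body if t.lstrip("+-~?").lower() == "all"]
    if len(all_terms) > 1:
        raise ValueError("more than one 'all' mechanism")
    mechanisms = [t for t in body if t not in all_terms]
    return mechanisms, (all_terms[0] if all_terms else None)

def count_lookups(record):
    """Count lookup-costing terms in this record only; nested includes add more."""
    mechanisms, _ = parse_spf(record)
    count = 0
    for term in mechanisms:
        name = term.lstrip("+-~?").lower()
        if name.startswith("redirect="):
            count += 1
        elif name.split(":")[0].split("/")[0] in LOOKUP_MECHANISMS:
            count += 1
    return count

def merge_include(existing, domain):
    """Return one record with include:<domain> placed before the 'all' term."""
    mechanisms, all_term = parse_spf(existing)
    wanted = f"include:{domain}"
    if wanted.lower() not in (m.lower() for m in mechanisms):
        mechanisms.append(wanted)   # skipped when the include is already present
    merged = " ".join(["v=spf1", *mechanisms] + ([all_term] if all_term else []))
    if count_lookups(merged) > 10:
        raise ValueError("merged record exceeds SPF's ten-lookup limit")
    return merged

# Constructed input: the root record quoted in the text above.
print(merge_include("v=spf1 include:_spf.google.com ~all", "mailgun.org"))
```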
Add the DKIM TXT record
DKIM signs each message with a private key held by Mailgun; the matching public key lives in your DNS so receivers can verify the signature. Mailgun publishes the public key as a TXT record under a selector on your sending subdomain.
- Host / name: mx._domainkey.mail.yourdomain.com
- Type: TXT
- Value: k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ... (the long key string Mailgun shows you)
The selector mx is Mailgun's common default, but newer accounts and 2048-bit keys may use a different selector name. Copy the exact host and value from your Mailgun DNS panel rather than assuming the selector. The p= value is a long base64 string; paste it complete, with no added spaces or line breaks.
Some DNS providers cap a single TXT string at 255 characters and Mailgun's 2048-bit key is longer than that. Good DNS hosts split the value into multiple quoted chunks automatically. If yours does not and rejects the record, that length limit is usually the cause. Mailgun publishes DKIM as a TXT record; if you are used to CNAME-based DKIM from other senders, see DKIM CNAME vs TXT for why both approaches are valid.
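An added example (not Mailgun's code) of the two DKIM points above: splitting a long value into quoted strings of at most 255 characters, and detecting a truncated p= key by comparing the length declared in its DER header with the bytes actually present. The function names are hypothetical and the sample key is constructed filler of the same size as a 2048-bit RSA public key.

```python
import base64
import binascii

def split_txt(value, limit=255):
    """Split a TXT value into quoted strings of at most `limit` characters."""
    chunks = [value[i:i + limit] for i in range(0, len(value), limit)]
    return " ".join(f'"{c}"' for c in chunks)

def join_txt(presentation):
    """Rejoin quoted chunks the way a resolver concatenates TXT strings."""
    return "".join(presentation.split('"')[1::2])

def check_dkim_key(txt_value):
    """Return 'ok', or the reason the p= key looks damaged."""
    tags = dict(t.strip().split("=", 1) for t in txt_value.split(";") if "=" in t)
    p = "".join(tags.get("p", "").split())   # verifiers ignore whitespace in p=
    if not p:
        return "missing p= tag"
    try:
        der = base64.b64decode(p, validate=True)
    except binascii.Error:
        return "p= is not complete base64 (likely truncated)"
    # DER starts with a 0x30 SEQUENCE tag, then a length field for the body.
    if len(der) < 4 or der[0] != 0x30:
        return "p= does not decode to a DER SEQUENCE"
    if der[1] < 0x80:                         # short form: one length byte
        header, body_len = 2, der[1]
    else:                                     # long form: next n bytes hold the length
        n = der[1] & 0x7F
        header, body_len = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if len(der) != header + body_len:
        return f"key truncated: DER declares {header + body_len} bytes, got {len(der)}"
    return "ok"

# Constructed sample: a DER-shaped blob of 294 bytes, the size of a 2048-bit
# RSA public key. The filler bytes are zeros, not a real key.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x22]) + bytes(290)
SAMPLE_TXT = "k=rsa; p=" + base64.b64encode(SAMPLE_DER).decode()

print(check_dkim_key(SAMPLE_TXT))          # intact value
print(check_dkim_key(SAMPLE_TXT[:253]))    # value cut short by a length cap
```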
Optional MX and tracking CNAME records
Two more record types are optional depending on what you need.
MX records for inbound and full alignment
If you want Mailgun to receive mail for the subdomain, or you want the strongest deliverability signal, add the MX records on the sending subdomain:
mail.yourdomain.com  MX  mxa.mailgun.org  priority 10
mail.yourdomain.com  MX  mxb.mailgun.org  priority 10
Only add these if the subdomain is dedicated to Mailgun. Never point your root domain's MX at Mailgun unless Mailgun is genuinely handling your inbound mail, or you will stop receiving normal email.
Tracking CNAME for opens and clicks
To track opens and clicks, Mailgun rewrites links through a tracking host. Publish the CNAME it shows you:
email.mail.yourdomain.com  CNAME  mailgun.org
This record is purely for tracking. Skip it if you do not use open and click tracking; it has no effect on authentication.
Wait for propagation
DNS changes are not instant. Mailgun's dashboard shows each record as unverified until it can read the value from public DNS, and it re-checks on a schedule. Most records resolve within an hour, but full global propagation can take 24 to 48 hours, bounded by the TTL you set and by resolver caching.
Do not delete and re-add records because the dashboard still shows a warning after ten minutes. Give it time, then click Mailgun's verify button. If a record still fails after a day, the usual culprits are a doubled domain suffix in the host name (mail.yourdomain.com.yourdomain.com), a truncated DKIM key, or a stray second SPF record.
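A small lint for the host-name culprits listed above, as an added example (not part of Mailgun's tooling). It works on a list of records you supply, so it runs offline; the function name, record tuple layout and sample zone are assumptions made for the illustration.

```python
from collections import defaultdict

def lint_zone(records, root, sending, include="include:mailgun.org"):
    """Flag host-name mistakes; records are (full name, type, value) tuples."""
    findings = []
    spf_by_name = defaultdict(list)
    for name, rtype, value in records:
        name = name.lower().rstrip(".")
        # Panel appended the root to a name that already contained it.
        if name.endswith(f".{root}.{root}"):
            findings.append(f"doubled suffix: {name}")
        if rtype == "TXT" and value.lower().startswith("v=spf1"):
            spf_by_name[name].append(value)
    # A name may carry exactly one v=spf1 record.
    for name, values in spf_by_name.items():
        if len(values) > 1:
            findings.append(f"{len(values)} SPF records on {name}")
    # The include must sit on the exact name Mailgun sends as.
    if not any(include in v.split() for v in spf_by_name.get(sending, [])):
        at_root = any(include in v.split() for v in spf_by_name.get(root, []))
        hint = " (it is on the root instead)" if at_root else ""
        findings.append(f"{include} missing on {sending}{hint}")
    return findings

# Constructed zone showing the mistakes described above; not real DNS data.
SAMPLE_ZONE = [
    ("yourdomain.com", "TXT", "v=spf1 include:_spf.google.com ~all"),
    ("yourdomain.com", "TXT", "v=spf1 include:mailgun.org ~all"),
    ("mx._domainkey.mail.yourdomain.com.yourdomain.com", "TXT", "k=rsa; p=PLACEHOLDER"),
]
for finding in lint_zone(SAMPLE_ZONE, "yourdomain.com", "mail.yourdomain.com"):
    print(finding)
```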
Add a DMARC record at the root
DMARC ties SPF and DKIM together and tells receivers what to do when a message fails both. Unlike the Mailgun records, DMARC lives at your root domain and covers your subdomains through it.
- Host / name: _dmarc.yourdomain.com
- Type: TXT
- Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Start at p=none so you monitor without affecting delivery, and point rua at a mailbox you actually read. Because Mailgun sends from a subdomain of your organizational domain, DMARC's default relaxed alignment lets the subdomain align with the root, so a passing SPF or DKIM on mail.yourdomain.com satisfies DMARC for the organizational domain. The details are worth understanding, so read relaxed vs strict alignment and our full DMARC setup guide before tightening the policy.
Once you have watched reports for a couple of weeks and confirmed legitimate mail passes, move the policy toward p=quarantine and then p=reject.
Verify the full chain
After propagation, confirm every link authenticates before you scale up sending.
- In Mailgun, check that the domain shows all required records verified with green status.
- Run your sending subdomain through the scanner at the top of this page. It reads the live SPF, DKIM, and DMARC records and grades the result.
- Send a test message to an address you control and open the raw headers. Look for spf=pass, dkim=pass, and dmarc=pass in the Authentication-Results header.
If SPF passes but DKIM fails, the DKIM key is almost always truncated or on the wrong host. If DKIM passes but SPF fails, the SPF record is missing on the exact subdomain Mailgun sends as. Fix the host name, wait for the TTL, and re-check.
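The header check and the two failure patterns above, as an added example (not code from Mailgun or any receiver). It also applies relaxed alignment to the passing results; the function names and sample header are constructed, and the organizational domain is passed in by hand, where a real evaluator would derive it from the Public Suffix List.

```python
import re

def parse_auth_results(header):
    """Return {method: {'result': ..., identity properties}} for spf/dkim/dmarc."""
    results = {}
    for clause in header.split(";")[1:]:   # element 0 holds the authserv-id
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause)
        if m:
            props = dict(re.findall(r"(smtp\.mailfrom|header\.d)=(\S+)", clause))
            results[m.group(1)] = {"result": m.group(2).lower(), **props}
    return results

def relaxed_aligned(identity, org_domain):
    """Relaxed alignment: the domain equals org_domain or is a subdomain of it."""
    domain = identity.rsplit("@", 1)[-1].lower().rstrip(".")
    return domain == org_domain or domain.endswith("." + org_domain)

def diagnose(header, org_domain):
    """Map the header onto the failure patterns this guide describes."""
    r = parse_auth_results(header)
    spf, dkim = r.get("spf", {}), r.get("dkim", {})
    spf_ok, dkim_ok = spf.get("result") == "pass", dkim.get("result") == "pass"
    findings = []
    if spf_ok and not dkim_ok:
        findings.append("DKIM failed: key truncated or published on the wrong host")
    if dkim_ok and not spf_ok:
        findings.append("SPF failed: no SPF record on the exact sending subdomain")
    if not spf_ok and not dkim_ok:
        findings.append("SPF and DKIM both failed")
    # DMARC needs at least one passing result whose domain aligns with From.
    aligned = (spf_ok and relaxed_aligned(spf.get("smtp.mailfrom", ""), org_domain)) or \
              (dkim_ok and relaxed_aligned(dkim.get("header.d", ""), org_domain))
    if not aligned:
        findings.append("DMARC cannot pass: no passing result aligns with " + org_domain)
    return findings or ["ok"]

# Constructed header for a message sent as mail.yourdomain.com with a bad DKIM key.
SAMPLE = ("Authentication-Results: mx.receiver.example;\n"
          " dkim=fail header.d=mail.yourdomain.com header.s=mx;\n"
          " spf=pass smtp.mailfrom=bounce@mail.yourdomain.com;\n"
          " dmarc=pass header.from=yourdomain.com")
print(diagnose(SAMPLE, "yourdomain.com"))
```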
Frequently asked questions
Do the Mailgun records go on my root domain or a subdomain?
On the sending subdomain Mailgun assigns, such as mail.yourdomain.com. The SPF include:mailgun.org and the mx._domainkey DKIM TXT both belong there. Only the DMARC record goes at the root, on _dmarc.yourdomain.com.
What is the Mailgun DKIM selector?
Mailgun commonly uses mx, giving the host mx._domainkey.mail.yourdomain.com. Newer accounts or 2048-bit keys can use a different selector, so always copy the exact host and value from your Mailgun DNS panel instead of assuming mx.
Why does Mailgun still show my records as unverified?
Usually propagation. Records can take up to 24 to 48 hours to resolve globally, though most appear within an hour. If a record fails after a full day, check for a doubled domain suffix in the host name, a DKIM key split or truncated by a 255-character TXT limit, or a second v=spf1 record on the same name.
Do I need the MX and tracking CNAME records?
No. The MX records only matter if Mailgun receives inbound mail for the subdomain, and the tracking CNAME only matters if you use open and click tracking. SPF and DKIM alone authenticate your outbound mail; the rest are optional add-ons.