Mailgun SPF, DKIM and DMARC setup: pass alignment on your own domain
Good news first: Mailgun is one of the easier providers to get DMARC-aligned, because its standard domain verification puts SPF and DKIM on your own domain rather than Mailgun's. The part worth two minutes of thought is which sending domain you verify — get that right and everything else is copying DNS records.
Step 1: use a subdomain as your sending domain
When you add a domain in Mailgun (Sending > Domains > Add new domain), it suggests a subdomain like mg.example.com rather than example.com itself. Take that suggestion. Three reasons:
- It keeps your root SPF record clean. Mailgun's
include:mailgun.orggoes on the subdomain's record, not your root's — which protects your 10-DNS-lookup budget for the providers that genuinely need to be there. - It separates reputation. Your transactional or bulk stream through Mailgun builds its own sending history without dragging your day-to-day mailbox provider's reputation with it.
- Alignment still works. DMARC's default relaxed alignment treats
mg.example.comandexample.comas the same organizational domain — so mail with a From address on your root domain still passes. More on this below.
Step 2: publish the DNS records Mailgun shows you
After adding the domain, Mailgun lists the exact records to create. The two that decide DMARC are:
mg.example.com TXT "v=spf1 include:mailgun.org ~all"
smtp._domainkey.mg.example.com TXT "k=rsa; p=MIIBIjANBgkq..."
- The first is SPF for the sending subdomain. The
~allending is fine — softfail vs hardfail matters much less than people think once DMARC is in place. - The second is your DKIM public key. The hostname's first label is the selector — often
smtp, or one you chose when adding the domain. Copy the hostname and value exactly as your dashboard shows them; they vary by account and region (EU-region domains get EU-specific values).
Mailgun also offers a tracking CNAME (email.mg.example.com) and MX records for receiving replies on the subdomain. Both are optional and neither affects DMARC — add them if you use click tracking or inbound routing, skip them if not.
Once DNS propagates, hit Verify DNS settings and the domain state goes to Active.
Step 3: understand why this aligns (when other ESPs don't)
Send an email through Mailgun from you@example.com and here's what a receiver sees:
| Check | Domain checked | Result | Aligned with example.com? |
|---|---|---|---|
| SPF | mg.example.com (the Return-Path) | pass | Yes — relaxed alignment, same organizational domain |
| DKIM | d=mg.example.com (the signature) | pass | Yes — same reason |
Both identifiers pass and align, which is exactly what DMARC wants — and it's the default outcome of Mailgun's setup, not a buried extra feature. Compare that with platforms whose defaults leave everything on the platform's own domain until you enable domain authentication — the situation covered in SendGrid & Mailchimp alignment.
One caveat: this relies on relaxed alignment, which is DMARC's default. If your DMARC record sets strict alignment (aspf=s or adkim=s), a subdomain sending domain stops aligning with a root-domain From address. Almost nobody needs strict alignment — if your record has those tags and you're not sure why, remove them.
Step 4: publish DMARC on your root domain
The DMARC record goes on your organizational domain, not the Mailgun subdomain:
_dmarc.example.com TXT "v=DMARC1; p=none; rua=mailto:reports@example.com"
Mail with a From address on example.com is governed by this record directly, and mg.example.com inherits it unless you publish a subdomain record — you don't need one. Start at p=none, watch the reports, and tighten when everything legitimate passes — the rollout order is in p=none vs quarantine vs reject.
Step 5: verify with a real message
Send a test through Mailgun to a Gmail address you control and open Show original. You want:
spf=passformg.example.comdkim=passwithheader.d=mg.example.comdmarc=pass
Then let your aggregate reports confirm it at scale over the following days. If nothing arrives within 48 hours, see not receiving DMARC reports.
Traps to avoid
- Adding
include:mailgun.orgto your root domain's SPF. If Mailgun sends frommg.example.com, the include belongs on that record. On the root it authorizes nothing that's ever checked, and burns DNS lookups. - Verifying the root domain to "keep it simple". It works — SPF and DKIM then live on
example.comand align exactly — but you give up the reputation separation and the clean root SPF record for no real gain. - Assuming the tracking CNAME is part of authentication. It only handles click/open tracking links. Skipping it never causes a DMARC failure.
On a different provider? The same walkthrough exists for Google Workspace, Microsoft 365, Zoho Mail, and Amazon SES.
Step 4 asks where to send reports — send them somewhere useful. Point rua at PlainDMARC and get a plain-English weekly verdict instead of zipped XML: whether Mailgun's mail passes aligned, what else is sending as your domain, and when you're ready to tighten the policy. There's an API too, if you'd rather script it.