Setup Guide

How to Set Up SPF, DKIM, and DMARC for Mailgun

Mailgun is a developer-focused email API platform owned by Sinch, used for transactional and bulk email. It's commonly integrated into web applications for automated emails. Mailgun provides excellent authentication tooling and supports full domain verification.

SPF Configuration

Mailgun uses the mailgun.org include for SPF.

DNS Record:

Type:  TXT
Host:  @
Value: v=spf1 include:mailgun.org ~all

Combined with other services:

v=spf1 include:_spf.google.com include:mailgun.org ~all

Verify your total lookup count with the SenderClarity SPF Checker.

DKIM Configuration

Mailgun generates DKIM records as part of their domain verification process.

  1. In the Mailgun dashboard, go to Sending → Domains.
  2. Click Add New Domain.
  3. Mailgun recommends using a subdomain (e.g., mail.yourdomain.com) to isolate sending reputation.
  4. Mailgun will provide DNS records including a DKIM TXT record:
Type:  TXT
Host:  selector._domainkey  (e.g., k1._domainkey)
Value: (provided by Mailgun — unique to your domain)
  1. Add the TXT record to your DNS.
  2. Return to Mailgun and click Verify DNS Records.

Mailgun also provides an MX record and a CNAME for tracking — add those as well for full functionality.

DMARC Configuration

Start with monitoring mode:

Type:  TXT
Host:  _dmarc
Value: v=DMARC1; p=none; rua=mailto:your-address@reports.senderclarity.com; fo=1

Progress to enforcement:

  1. p=quarantine; pct=25
  2. p=quarantine; pct=100
  3. p=reject

Verification

  • Check your SPF record →
  • Use Mailgun's Send a Sample Message feature
  • Check headers for spf=pass, dkim=pass, dmarc=pass
  • Monitor DMARC reports in SenderClarity

Common Issues

Subdomain vs. root domain: Mailgun recommends sending from a subdomain (e.g., mail.yourdomain.com). If you do this, the SPF and DKIM records go on the subdomain, not the root domain. Your root domain's DMARC policy still applies if you use relaxed alignment (the default).

SPF on subdomain: If you send from mail.yourdomain.com, your SPF record should be:

Type:  TXT
Host:  mail
Value: v=spf1 include:mailgun.org ~all

DKIM key length: Mailgun defaults to 1024-bit DKIM keys. You can request 2048-bit keys through their support or API for stronger security. Some DNS providers may have issues with the longer key length.

SPF Lookup Impact

Include Estimated Lookups
mailgun.org 1–2