How to Set Up DMARC for Mailgun: Configuration and Alignment Guide

Mailgun is a developer-focused email delivery platform built for sending transactional and bulk email at scale via API or SMTP. If you send email through Mailgun using your own domain, configuring DMARC is critical for protecting your domain from spoofing, maintaining sender reputation, and meeting the authentication standards that Google, Yahoo, and other inbox providers now require.

This guide walks through DMARC setup specifically for Mailgun users, covering the SPF, DKIM, and alignment details that determine whether your messages pass or fail DMARC checks.

How Mailgun Handles Email Authentication

Mailgun requires domain verification before you can send email from a custom domain. During this process, Mailgun provides DNS records for both SPF and DKIM that you publish in your domain's DNS.

Domain Verification and SPF

When you add a domain in Mailgun, the platform instructs you to add a TXT record for SPF. The standard SPF include mechanism for Mailgun is:

v=spf1 include:mailgun.org ~all

This authorizes Mailgun's sending infrastructure to send email on behalf of your domain. The include:mailgun.org directive tells receiving servers to look up Mailgun's published IP ranges when evaluating SPF for your domain. If you use additional sending services, you include them in the same SPF record. You can build a complete SPF record at spfcreator.com.

DKIM Signing

Mailgun generates a 1024-bit or 2048-bit DKIM key pair for your domain during verification. You publish the public key as a TXT record in your DNS, typically at a hostname like smtp._domainkey.yourdomain.com. Mailgun then signs every outgoing message with the corresponding private key.

This DKIM signature ties messages cryptographically to your domain, which is the foundation for DMARC DKIM alignment.

Mailgun's domain verification is required before you can send. Complete it first by going to Sending > Domains in your Mailgun dashboard. Both SPF and DKIM records must be verified before proceeding with DMARC setup.

Understanding SPF and DKIM Alignment with Mailgun

DMARC requires that at least one of SPF or DKIM "aligns" with the domain in the visible From header. Alignment means the authenticated domain matches the From domain. For a detailed comparison of how these protocols work together, see SPF vs DKIM vs DMARC.

DKIM Alignment

When Mailgun signs your messages with DKIM using your verified domain (e.g., yourdomain.com), and your From address is hello@yourdomain.com, DKIM alignment passes because the signing domain matches the From domain.

DKIM alignment is the most reliable method for Mailgun users. DKIM signatures survive forwarding, meaning messages that get forwarded from one inbox to another will still pass DMARC through DKIM alignment even after the envelope sender changes.

SPF Alignment and the Envelope Sender

SPF alignment depends on the envelope sender (Return-Path), not the From address. By default, Mailgun sets the Return-Path to a Mailgun-controlled address like bounce+uniqueid@yourdomain.com. Because this uses your root domain, SPF alignment passes under relaxed mode (the default) since the envelope sender domain matches the From domain.

However, if you are sending from a subdomain or if Mailgun routes bounces through a different domain, SPF alignment could fail. Under strict alignment (aspf=s), the envelope sender must exactly match the From domain. For most Mailgun users, relaxed alignment is the right choice and works without additional configuration.

Rely on DKIM as your primary alignment mechanism with Mailgun. It is more resilient than SPF because it is not affected by forwarding or changes to the envelope sender address.

Setting Up Your DMARC Record

With Mailgun's domain verification complete and both SPF and DKIM confirmed, you are ready to publish your DMARC record.

Confirm Mailgun domain verification is complete

In your Mailgun dashboard, go to Sending > Domains and select your domain. Verify that both the SPF TXT record and the DKIM TXT record show as verified. If either is pending, fix the DNS records before proceeding.

Generate your DMARC record

Start with a monitoring-only policy: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100;. This collects aggregate reports without affecting delivery, so you can confirm all your sending sources pass before enforcing anything.

Add the DMARC record to your DNS

Log in to your DNS provider and create a new TXT record. Set the name to _dmarc (the full hostname will be _dmarc.yourdomain.com) and set the value to your DMARC record string.

Save and wait for propagation

Save the record. DNS propagation typically takes a few minutes to a couple of hours. You can check propagation by querying your domain periodically.

Verify the record

Check your record at dmarcrecordchecker.com. Confirm it is valid, displays the correct policy, and includes your reporting address.

Create your DMARC record

Use our free DMARC generator to build a valid record for your domain.

Generate DMARC Record

Recommended DMARC Record for Mailgun Users

For most Mailgun users, this starting record works well:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; adkim=r; aspf=r; pct=100;

The adkim=r and aspf=r tags explicitly set relaxed alignment for both DKIM and SPF. While relaxed is the default, including them makes your configuration clear and avoids ambiguity.

After monitoring with p=none for at least two weeks and confirming all legitimate sources pass, progressively move toward enforcement:

Soft enforcement: v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=25;

Full enforcement: v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; pct=100;

For more details on the progression from monitoring to enforcement, see our guide on DMARC policy levels.

Troubleshooting Mailgun DMARC Alignment Failures

DKIM Alignment Failing

If your DMARC reports show DKIM failures for messages sent through Mailgun, check:

Domain verification is complete. In Mailgun's dashboard under Sending > Domains, confirm the DKIM record status is verified. If it shows as unverified, the TXT record may be missing or have a typo.
The DKIM TXT record is still in your DNS. DNS provider migrations, zone file resets, or accidental deletions can remove the record. Verify it is still published at the correct hostname (e.g., smtp._domainkey.yourdomain.com). You can check this at dkimcreator.com.
Your From address matches the verified domain. If you verified yourdomain.com but send from anotherdomain.com, DKIM alignment will fail because the signing domain does not match the From domain.

SPF Alignment Failing

SPF alignment failures with Mailgun are usually caused by:

Missing or incorrect SPF record. Confirm your domain's TXT record includes include:mailgun.org. If the include is missing, SPF will fail entirely. Build a correct record at spfcreator.com.
Strict alignment mode in your DMARC record. If you set aspf=s, any mismatch between the envelope sender and the From domain will cause failure. Switch to aspf=r (relaxed) unless you have a specific reason for strict mode.
Subdomain sending mismatches. If you verified mg.yourdomain.com in Mailgun but your From address uses yourdomain.com, SPF alignment may fail under strict mode. Make sure your verified Mailgun domain matches or shares the root domain with your From address.

Multiple Sending Services

If you use Mailgun alongside other email services (your corporate email provider, a helpdesk tool, a marketing platform), each service needs its own authentication. Your SPF record must include all of them, and each should have DKIM configured for your domain. Review your DMARC aggregate reports to identify which services are failing and fix their authentication before tightening your DMARC policy.

Do not move to p=reject until every legitimate sending source passes DMARC. Developers integrating multiple services via Mailgun's API alongside other providers should verify authentication for each one individually. One misconfigured service can cause critical transactional emails to get blocked.

Mailgun-Specific Best Practices

Always verify your sending domain. Never send through Mailgun using the shared sandbox domain in production. Unverified sending means no DKIM alignment with your From domain and guaranteed DMARC failure. Developers integrating Mailgun via API or SMTP should review our DMARC for developers guide for implementation patterns.

Use dedicated IPs for high-volume sending. Mailgun offers dedicated IP addresses for accounts with sufficient volume. A dedicated IP gives you full control over your sender reputation and makes it easier to diagnose SPF and deliverability issues, since you are not sharing an IP with other senders.

Set up a custom tracking domain. Mailgun uses its own domain for open and click tracking by default. Configuring a custom tracking domain (e.g., track.yourdomain.com) replaces Mailgun's tracking URLs with your own, improving trust signals and reducing the chance of spam filter flags on third-party domains.

Monitor your sender reputation. Mailgun provides logs, analytics, and deliverability metrics in its dashboard. A sudden increase in bounces or complaints can indicate authentication problems that affect your DMARC results. Use these tools alongside your DMARC aggregate reports for a complete picture.

Complete your authentication stack

DMARC works alongside SPF and DKIM. Build a comprehensive SPF record at spfcreator.com that includes Mailgun and all your other senders. Verify your DKIM configuration at dkimcreator.com for any services that need it.

Monitor Your DMARC Record

You've created your DMARC record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.

Never miss a DMARC issue

Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.

Start Monitoring