Mailgun DMARC Setup: Configure DMARC for Mailgun Email
Step-by-step guide to setting up DMARC when using Mailgun. Configure SPF, DKIM, and DMARC alignment so your Mailgun emails pass authentication checks.
If you're sending email through Mailgun without a DMARC record, receiving servers have no way to verify that your messages are legitimately from your domain. Setting up DMARC with Mailgun requires three things: SPF, DKIM, and a DMARC DNS record. Here's how to get all three working together.
What You Need Before Starting
Before configuring DMARC, confirm you have:
- A custom sending domain in Mailgun — not the default sandbox domain
- DNS access for the domain you send from
- SPF and DKIM configured in Mailgun (covered below if not done yet)
DMARC builds on SPF and DKIM. If neither is configured, your DMARC record won't help — emails will still fail authentication.
Step 1: Set Up Your Custom Domain in Mailgun
If you're still using Mailgun's sandbox domain, switch to your own domain first.
- In the Mailgun dashboard, go to Sending → Domains
- Click Add New Domain
- Enter your sending domain (e.g.,
mail.yourdomain.comoryourdomain.com) - Choose your region (US or EU)
- Mailgun generates the DNS records you need
Mailgun recommends using a subdomain like mail.yourdomain.com for sending. This isolates your sending reputation from your root domain and gives you more flexibility.
Step 2: Configure SPF for Mailgun
Mailgun provides an SPF record to add to your DNS. The exact record depends on whether you're using a subdomain or root domain.
For a subdomain (e.g., mail.yourdomain.com):
Add a TXT record for mail.yourdomain.com:
v=spf1 include:mailgun.org -all
For your root domain:
If you already have an SPF record, add Mailgun's include to it:
v=spf1 include:_spf.google.com include:mailgun.org -all
Don't create a second SPF record — merge into your existing one.
Verify with: SPF Record Check — enter your sending domain and confirm Mailgun is included.
SPF has a 10 DNS lookup limit. Each include: typically adds one or more lookups. If you're already near the limit, check your current count before adding Mailgun.
Step 3: Configure DKIM for Mailgun
Mailgun signs emails with DKIM automatically, but you need to add their DKIM public key to your DNS so receivers can verify the signature.
- In Mailgun's domain settings, find the DKIM section
- Mailgun provides a TXT record (or CNAME, depending on your setup)
- Add the record to your DNS
The record typically looks like:
Name: smtp._domainkey.yourdomain.com (or the subdomain)
Value: A long TXT record starting with k=rsa; p=...
Some Mailgun configurations use CNAME records instead — follow what Mailgun's dashboard provides for your specific domain.
Verify with: DKIM Test — send a test email and check that DKIM passes with your domain.
Step 4: Create Your DMARC Record
Now that SPF and DKIM are configured, add a DMARC record. This is a TXT record at _dmarc.yourdomain.com.
Start with monitoring mode:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
| Tag | Value | Meaning |
|---|---|---|
| `v` | `DMARC1` | DMARC version (required) |
| `p` | `none` | Policy: monitor only, don't block anything |
| `rua` | `mailto:...` | Where to send aggregate reports |
Add this DNS record:
- Type: TXT
- Name:
_dmarc(your DNS provider may show this as_dmarc.yourdomain.com) - Value:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
Always start with p=none. This lets you collect reports and verify everything works before enforcing policy. Jumping straight to p=reject risks blocking your own legitimate email.
Step 5: Verify DMARC Alignment
DMARC doesn't just check that SPF or DKIM pass — it checks alignment: the authenticated domain must match the From header domain.
With Mailgun, alignment works when:
- DKIM alignment: Mailgun signs with
d=yourdomain.com(or your subdomain), matching your From address - SPF alignment: The envelope sender (Return-Path) domain matches your From domain
If you're sending from user@yourdomain.com and Mailgun signs DKIM as d=yourdomain.com, DMARC passes.
If you're using a subdomain:
Sending from user@yourdomain.com with DKIM signed as d=mail.yourdomain.com works with relaxed alignment (the default). The subdomain aligns with the root domain.
Sending from user@mail.yourdomain.com with DKIM signed as d=mail.yourdomain.com works with both relaxed and strict alignment.
Test the Full Chain
Send a test email to a Gmail or Outlook account and check the headers:
- Open the email
- View the original message / headers
- Look for the
Authentication-Resultsheader
You want to see:
dkim=pass header.d=yourdomain.com
spf=pass
dmarc=pass
If DMARC shows fail, check which part failed — SPF alignment, DKIM alignment, or both.
Step 6: Enforce Your DMARC Policy
After monitoring for 2-4 weeks and confirming all legitimate email passes, tighten the policy:
Quarantine (sends failures to spam):
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com
Reject (blocks failures entirely):
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com
Move from none → quarantine → reject gradually. Check your DMARC reports at each stage.
Common Mailgun DMARC Issues
DMARC Fails Despite Mailgun DKIM Being Set Up
Cause: The From address domain doesn't match the DKIM signing domain.
Fix: Ensure your Mailgun sending domain matches the domain in your From header. If you configured mail.yourdomain.com in Mailgun but send as user@yourdomain.com, DKIM alignment relies on relaxed mode. Check that your DMARC record doesn't have adkim=s (strict).
SPF Passes but DMARC Still Fails
Cause: SPF alignment failure. Mailgun's envelope sender (Return-Path) doesn't match your From domain.
Fix: In Mailgun, configure your custom Return-Path / bounce domain. Go to your domain settings and set up the tracking/bounce CNAME records Mailgun provides.
Multiple Sending Services
If you also send email from Google Workspace, Microsoft 365, or other services alongside Mailgun:
- SPF: Include all services in one SPF record
- DKIM: Configure DKIM signing in each service
- DMARC: One DMARC record covers all senders — it checks alignment regardless of which service sent the email
v=spf1 include:_spf.google.com include:mailgun.org -all
Each service needs its own DKIM key, but they can all use different selectors on the same domain.
Mailgun Subaccount / Multiple Domains
If you send from multiple domains through Mailgun, each domain needs its own:
- SPF record (on that domain)
- DKIM record (on that domain)
- DMARC record (on that domain)
There's no way to share authentication across domains.
Mailgun-Specific DNS Records Checklist
For a domain yourdomain.com (or subdomain mail.yourdomain.com), you need:
SPF record
TXT record on your sending domain with include:mailgun.org
DKIM record
TXT (or CNAME) record as provided by Mailgun's dashboard
MX records (optional — only for receiving)
MX records pointing to Mailgun are only needed if you use Mailgun for inbound email or bounce handling. If your domain is send-only — which is common when using a subdomain like mail.yourdomain.com purely for outbound — you do not need MX records. A "no MX record found" result in this case is expected and not a problem.
CNAME for tracking
CNAME record for open/click tracking (e.g., email.yourdomain.com)
DMARC record
TXT record at _dmarc.yourdomain.com with your policy
Verify Everything
After setup, verify your full authentication chain:
- Check SPF — confirms Mailgun is in your SPF record
- Check DKIM — confirms DKIM signing works
- Check DMARC — confirms your DMARC record is published and valid
- Check Deliverability — runs all checks at once
Stop Worrying About Email Authentication
The Email Deliverability Suite monitors your SPF, DKIM, DMARC, MX records and blacklist status daily. Get alerts when something breaks — before your Mailgun emails start bouncing.
Monitor your Mailgun authentication
SPF, DKIM, DMARC, MX, and blacklist monitoring for unlimited domains. $39/month.