Deliverability is one of the most critical challenges any modern business faces when sending email at scale. Whether you’re sending transactional emails like password resets or critical alerts, or delivering newsletters and marketing messages, every email you send must be authenticated correctly — or it may be treated as spam or rejected entirely.
At AutoSPF, we’ve helped countless teams harden their email infrastructure using proper authentication standards. In this guide, we’re going to walk you step-by-step through configuring Mailgun, one of the most popular email delivery services, with SPF and DKIM records. Along the way we’ll explain why each of these technologies matters, how they work together, and best practices for getting the most out of your email authentication setup.
Why Mailgun? Why SPF and DKIM Matter
Mailgun is a powerful API-based email delivery provider trusted by thousands of developers and businesses worldwide. It’s particularly valuable if you’re building applications that need robust, programmatic email sending — from welcome messages to eCommerce receipts.
However, even the best email delivery APIs won’t ensure that your messages reach inboxes unless you’ve authenticated your sending domain. That’s where SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) come in.
What is SPF?
SPF is an email authentication protocol that lets domain owners specify which mail servers are authorized to send mail on behalf of their domain. This is done by publishing a DNS TXT record that lists the valid sending IP addresses or services.
When a receiving mail server gets an email from your domain, it checks the DNS for your SPF record. If the server that sent the email isn’t listed, the email fails SPF and could be marked as spam or rejected entirely.
Without SPF, it’s easy for spammers or fraudsters to impersonate your domain — a major threat to your brand and your recipients’ security.
What is DKIM?
DKIM works differently but toward the same goal of authentication. Instead of listing approved servers, DKIM uses public-key cryptography. The sending mail server uses a private key to add a digital signature to each outbound message, and the receiving server uses a corresponding public key — published as a DNS record — to verify the signature.
If anything in the email has been tampered with since it was signed, the verification will fail — protecting your emails from certain types of spoofing and ensuring the message integrity.
Together, SPF and DKIM are the foundation for DMARC (Domain-based Message Authentication, Reporting & Conformance) — which we’ll touch on briefly at the end. Proper SPF and DKIM setup is also a requirement for DMARC to work effectively.
Before You Begin
Before jumping into the DNS configuration, there are a few things you should understand:
📌 You’ll need access to your domain’s DNS provider (where your DNS records are managed — e.g., Cloudflare, GoDaddy, Google Domains, etc.).
📌 Using a subdomain for sending (e.g., mg.yourdomain.com instead of yourdomain.com) is strongly recommended. That way, the SPF/DKIM/MX records Mailgun provides won’t intersect with your root domain’s email infrastructure.
📌 Mailgun generates records for you — you don’t need to build them by hand, but you do need to copy them into your DNS zone.
📌 If you already have an existing SPF record and Mailgun shows you a new SPF string to add, you do not create a second SPF TXT record. Instead, you incorporate Mailgun’s information into your existing one.
Step-by-Step SPF & DKIM Setup for Mailgun
1. Log in to Your Mailgun Account
Head over to the Mailgun control panel and log in using your credentials. Once you’ve logged in, you should see a dashboard listing your domains and sending activity.
2. Add Your Sending Domain or Subdomain
From the sidebar navigation:
👉 Click the “Sending” tab
👉 Choose “Domains”
👉 Click “Add New Domain”
Here, you’ll enter the domain or subdomain you want to use for sending. Many teams opt for a subdomain like mail.yourdomain.com or mg.yourdomain.com to avoid conflicts with standard email routing.
Why a subdomain? Because Mailgun will give you MX, SPF, DKIM, and CNAME records that must not conflict with your root domain’s mail service — using a dedicated subdomain keeps things clean and predictable.
3. Review the DNS Records Provided by Mailgun
Once the domain is saved, Mailgun will display several DNS records you need to add. These typically include:
✔ An SPF value (often something like:
v=spf1 include:mailgun.org ~all)
✔ One or more DKIM records (TXT or CNAME format)
✔ MX records (optional depending on your routing)
✔ A tracking CNAME record (for click tracking functionality)
Every DNS host has slightly different UI, but the data you copy is the same.
4. Log in to Your DNS Provider
Now go to the service where your DNS is managed.
If you use Cloudflare, GoDaddy, Google Domains, Namecheap, or others, you’ll find a section called something like “DNS Management” or “DNS Zone Editor”.
In Cloudflare, for example, you can find your DNS records under DNS in the sidebar.
5. Add the SPF Record
If you don’t have an existing SPF record, create a new TXT record with the SPF value Mailgun provided. It typically looks like:
v=spf1 include:mailgun.org ~all
This tells receiving mail servers that any IP in Mailgun’s sending range is authorized to send mail for your domain.
If you already have an SPF record, you must not create another TXT record. Instead, add Mailgun’s include to your existing one. For example:
v=spf1 include:existing-service.com include:mailgun.org ~all
That way you still have only one SPF TXT record.
⚠ Important: DNS needs time to propagate, typically up to 24 hours, but often much sooner once cached globally.
6. Add the DKIM Records
Mailgun will provide DKIM information that may be a TXT or CNAME record. Many DNS panels allow you to paste long key strings directly; others may require special formatting.
A DKIM record usually includes:
- A selector (e.g., default._domainkey)
- The public key which the receiving mail server will use to verify signatures
These records are essential — without them, Mailgun’s DKIM signature can’t be validated when the email reaches inboxes.
7. Add Any MX and CNAME Records
If Mailgun instructed you to add MX records for handling inbound mail or CNAMES for tracking, make sure to add those exactly as provided.
For example, a tracking CNAME ensures click and open tracking works properly if you’re using Mailgun’s analytics.
Mailgun’s web UI will tell you exactly what fields to set. These entries are crucial for verification.
8. Turn off Proxy/Cloudflare Orange Cloud (if applicable)
If your DNS provider supports proxying (e.g., the orange cloud in Cloudflare), be sure to turn that off for your Mailgun records. Proxied DNS entries can break SPF/DKIM verification because the receiving mail servers can’t see the actual DNS values.
9. Verify Within Mailgun
After you’ve added all the records in your DNS provider:
👉 Return to the Mailgun dashboard
👉 Click “Verify DNS Settings”
Mailgun will look up the DNS entries and confirm whether SPF, DKIM, and other records are correct. When everything is properly configured, you should see green checkmarks beside each item.
If something doesn’t validate immediately, don’t panic — DNS propagation can take some time. Wait, then verify again.
Troubleshooting and Best Practices
DNS Propagation Takes Time
Even if you did everything correctly, DNS changes don’t take effect everywhere instantly. Most DNS providers propagate within minutes to hours, but some may take up to 24 hours.
Only One SPF TXT Record
Remember, multiple SPF records for the same domain will cause SPF to fail completely. Always merge includes into the existing record.
Key Length Choices for DKIM
Mailgun allows two DKIM key lengths: 1024-bit or 2048-bit. A 2048-bit key is more secure but longer and occasionally harder to paste into some DNS panels because of size limits.
Once DNS is Verified — What Next?
DMARC
SPF and DKIM are prerequisites for setting up a DMARC policy. DMARC builds on these two protocols and lets you specify how receivers should handle mail that fails authentication — whether to quarantine it, reject it, or none at all.
A DMARC record also lets you receive reports so you can monitor authentication performance and troubleshoot domains that are failing.
Monitor Deliverability
Tools like DMARC reporting services can help you understand whether your emails are authenticating correctly and whether recipients are accepting your messages.
