Article Preview
Why do I need to verify my domain?
Mailgun requires domain verification for two primary reasons. First, it confirms that you are the owner of the domain, preventing unauthorized senders from using your domain in our platform. Second, the SPF and DKIM records authorize our SMTP servers to send on behalf of your domain. This serves to significantly improve your deliverability - our specialty!
DNS records can be a bit tricky, but if you know a few tips, you can greatly enhance your success with the process. Let’s take a look at some common issues seen when attempting to verify your domain.
Do you have any DNS guides or tutorials?
Yes, we do have in-depth, step-by-step guides for the following DNS providers below:
Aside from the guides listed above, this article outlines a general three-step DNS setup process.
I created my records, but Mailgun does not see them
You always want to double-check any changes you make to your DNS configuration via both a local and a public query. Local queries can be performed using built-in utilities like dig (Linux/Unix) and nslookup (Windows).
To verify via a dig command, the syntax is: dig -t <record type> <hostname>
dig -t TXT domain.tld |
To verify via nslookup, the syntax is: nslookup -q=<record type> <hostname>
nslookup -q=TXT domain.tld |
In some cases, there might be a local DNS server within your network that will take precedence over public queries. Even if you don’t have a local DNS server, we recommend performing a secondary public query for your domain. One great tool is What’s My DNS - https://www.whatsmydns.net/. What’s My DNS will query multiple servers around the globe to best gauge the propagation of your changes.
To use, just enter your hostname and select the record type from the options present in the dropdown.
- If the correct value is returned - congratulations! The record was successfully created.
- If you do not see the correct value (or see all red X’s) - something's not quite right yet. Make sure to double-check your configuration and correct your DNS setup as needed.
Note: Some DNS provider's panels will automatically append the root domain name following whatever's placed in the hostname value; for instance, if your domain is mail.example.com, you might only need "mail" in the hostname field, or you could be creating a record for mail.example.com.example.com by accident. To help ensure productive use of your time, reach out to your DNS provider to find out how their panel operates.
The DKIM record is verified, but the SPF is not verified
It takes two TXT records to verify your domain; SPF and DKIM. If everything looks good with your DKIM record, but not with your SPF, here are a few elements to check:
- There can only be 1 SPF record per hostname. If your hostname has more than 1 SPF record, the records will need to be merged into a single value.
dig -t TXT domain.tld |
In this case, the issue is occurring due to the separation of the values into two separate entries. The fix is simple - just combine them. You can place the Mailgun include directive (include:mailgun.org) anywhere after v=spf1 and before ~all. The new value would be:
v=spf1 ip4:1.2.3.4 include:smtp.domain.tld include:mailgun.org ~all
Note: Make sure that your SPF record doesn't exceed 10 lookups, or you'll run into issues.
- If the hostname has a CNAME in addition to any other record type (i.e. TXT, A, etc), the CNAME will take precedence.
dig domain.tld |
To resolve this and verify the TXT, the CNAME would need to be removed from the hostname. Alternatively, another sending subdomain would need to be used with the Mailgun account, such as (for this example) mg.domain.tld.
Do you support SPF macros/SPF flattening?
Yes, our system should be able to verify your SPF records if you use macros/flattening such as is commonly offered by Vailmail or Redsift?. However, you will need to be extra careful to ensure your SPF configuration is correctly configured. but mailgun.org doesn't need to be explicitly stated in the tree for the domain to verify, as long as they're including the IP or IP ranges the sending domain uses for sending messages
The records are resolving, but Mailgun still says that the domain is “Unverified”
Depending on the DNS hosting provider, records can take up to 24-48 hours to fully propagate. A manual DNS verification can be attempted if 24 hours have already passed and the records are confirmed correct via both local and public queries.
To perform a manual verification and update the DNS records cache, we'll show you how to do this below:
- First, log in to the Mailgun Control Panel (if you have not already done so).
- Then, within the left-hand navigation pane, click the Sending option to expand its list of suboptions.
- Next, click the Domain settings suboption, and on the resulting page, click the DNS records tab.
-
Ensure that the domain for which you wish to perform manual DNS verification is displayed within the Domain drop-down list towards the upper-right portion of the page.
- Click the Check status button.
Why do I see multiple DKIM keys or DKIM keys in an “Unverified” state?
When Automatic Sender Security is enabled, manually provisioned DKIM keys remain in the system and their records will still appear. Any active manual keys will be deactivated once the Automatic Sender Security CNAME records are verified. While Automatic Sender Security is enabled, manual keys cannot be activated or deactivated, but they can still be used as secondary keys by domains in your account or manually deleted if desired.
What is the DKIM authority and under what circumstances can I modify it?
DKIM is an excellent resource for an email service provider (ESP) to track a domain's reputation because signing messages via DKIM is considered authoritative. As an ESP, we take care of a lot of the DKIM heavy lifting on your behalf; however, there are some customization options you should know about.
At Mailgun, our standard recommendation is to have your sending domain be a subdomain off your main root domain. As such, our customers have the option of setting the DKIM authority to either be that subdomain or the root (with the caveat that both domains are set up within your Mailgun account.)
Let's say your main root domain name is catzrule.org (because cats indeed rule), but you've set your Mailgun sending domain name as mg.catzrule.org. By default, our system will want to set the DKIM authority for both domains to catzrule.org. You can overrule that using our API and have mg.catzrule.org have its own value instead. This value can be changed at any time, but be aware that it can have ramifications for your domain reputation.
Other (optional, but strongly recommended) DNS records
While the two TXT records (SPF and DKIM) are all that's required to send messages via Mailgun, you do also have the option to add MX and CNAME records, if you choose. The process for adding these optional records is exactly the same as adding the required TXT records.
MX records are really only needed if you're looking to receive incoming mail for the exact domain or domains you have verified in your Mailgun account; keep in mind - you don't want to point your domain's MX records to Mailgun if you already have incoming mail setup elsewhere. If you do, adding Mailgun MX records will break this configuration, and you won't receive your mail as you have previously.
Note: You only ever want to have one source specified for your MX records, otherwise servers get confused. Bad things happen when servers get confused.
A CNAME record is needed only if you're looking to enable our tracking features, keeping detailed records of Clicks, Opens, and/or Unsubscribes.
Need Support?
Our Support Team here at Sinch Mailgun is happy to help! Reach out to us in the Support page of your Mailgun Control Panel, and we'll be with you shortly!