We're experiencing difficulty. Our engineers are on it. Please check status.mailgun.com for real-time updates.

How Do I Verify My Domain? and Other DNS Questions

Why Do I Need to Verify My Domain?

Mailgun requires domain verification for two primary reasons. First, it confirms that you are the owner of the domain, preventing unauthorized senders from using your domain in our platform. Second, the SPF and DKIM records authorize our SMTP servers to send on behalf of your domain. This serves to significantly improve your deliverability - our specialty!

DNS records can be a bit tricky, but if you know a few tips, you can greatly enhance your success with the process. Let’s take a look at some common issues seen when attempting to verify your domain.

I Created My Records, but Mailgun Does Not See Them.

You always want to double-check any changes you make to your DNS configuration via both a local and a public query. Local queries can be performed using built-in utilities like dig (Linux/Unix) and nslookup (Windows).

To verify via a dig command, the syntax is: dig -t <record type> <hostname>

dig -t TXT domain.tld 

; <<>> DiG 9.8.3-P1 <<>> -t TXT domain.tld
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64695

;; QUESTION SECTION:
;domain.tld. IN TXT

;; ANSWER SECTION:
domain.tld. 600 IN TXT "v=spf1 include:mailgun.org ~all"

To verify via nslookup, the syntax is: nslookup -q=<record type> <hostname>

nslookup -q=TXT domain.tld

Server: 1.1.1.1
Address:      1.1.1.1#53

Non-authoritative answer:
domain.tld text = "v=spf1 include:mailgun.org ~all"

In some cases, there might be a local DNS server within your network that will take precedence over public queries. Even if you don’t have a local DNS server, we recommend performing a secondary public query for your domain. One great tool is What’s My DNS - https://www.whatsmydns.net/. What’s My DNS will query multiple servers around the globe to best gauge the propagation of your changes. 

To use, just enter your hostname and select the record type from the options present in the dropdown.

  • If the correct value is returned - congratulations! The record was successfully created.
  • If you do not see the correct value (or see all red X’s) - something's not quite right yet. Make sure to double-check your configuration and correct your DNS setup as needed.

Note: Some DNS provider's panels will automatically append the root domain name following whatever's placed in the hostname value; for instance, if your domain is mail.example.com, you might only need "mail" in the hostname field, or you could be creating a record for mail.example.com.example.com by accident. To help ensure productive use of your time, reach out to your DNS provider to find out how their panel operates.

The DKIM Record Is Verified, but the SPF Is Not

It takes two TXT records to verify your domain; SPF and DKIM. If everything looks good with your DKIM record, but not with your SPF, here are a few elements to check:

  • There can only be 1 SPF record per hostname. If your hostname has more than 1 SPF record, the records will need to be merged into a single value.
dig -t TXT domain.tld 
"v=spf1 include:mailgun.org ~all"
"v=spf1 ip4:1.2.3.4 include:smtp.domain.tld ~all"

In this case, the issue is occurring due to the separation of the values into two separate entries. The fix is simple - just combine them. You can place the Mailgun include directive (include:mailgun.org) anywhere after v=spf1 and before ~all. The new value would be:

v=spf1 ip4:1.2.3.4 include:smtp.domain.tld include:mailgun.org ~all

Note: Make sure that your SPF record doesn't exceed 10 lookups, or you'll run into issues.

  • If the hostname has a CNAME in addition to any other record type (i.e. TXT, A, etc), the CNAME will take precedence.
dig domain.tld
domain.tld.   300 IN CNAME mailgun.org
domain.tld.   300 IN TXT "v=spf1 include:mailgun.org ~all"

To resolve this and verify the TXT, the CNAME would need to be removed from the hostname. Alternatively, another sending subdomain would need to be used with the Mailgun account, such as (for this example) mg.domain.tld.

The Records Are Resolving, but Mailgun Still Says That the Domain Is “Unverified”

Depending on the DNS hosting provider, records can take up to 24-48 hours to fully propagate. A manual verification can be attempted if 24 hours have already passed and the records are confirmed correct via both local and public queries.

To perform a manual verification and update the DNS records cache, log into your Mailgun control panel.  Inside the Mailgun Control Panel (options displayed down the left-hand side on a dark column), use the following instructions:

  • Click Messages. 
  • Select your specific domain.
  • Click Settings
  • Select DNS Records
  • Click the green Check DNS Records Now button.

Other DNS Records - Optional

While the two TXT records (SPF and DKIM) are all that's required to send messages via Mailgun, you do also have the option to add MX and CNAME records, if you choose. The process for adding these optional records is exactly the same as adding the required TXT records.

MX records are really only needed if you're looking to receive incoming mail for the exact domain or domains you have verified in your Mailgun account; keep in mind - you don't want to point your domain's MX records to Mailgun if you already have incoming mail setup elsewhere. If you do, adding Mailgun MX records will break this configuration, and you won't receive your mail as you have previously. 

Note: You only ever want to have one source specified for your MX records, otherwise servers get confused. Bad things happen when servers get confused.

A CNAME record is needed only if you're looking to enable our tracking features, keeping detailed records of Clicks, Opens, and/or Unsubscribes

 

If you are still experiencing any issues after the domain's DNS records are publicly resolving, just reach out to our Support team via the Support option in your Mailgun control panel!

Powered by Zendesk