We're experiencing difficulty. Our engineers are on it. Please check status.mailgun.com for real-time updates.

Troubleshooting - DNS records (to verify a domain)

Why do I need to verify my domain?

Mailgun requires Domain verification for two main reasons. First, it verifies that you are the owner of the domain, preventing unauthorized senders from utilizing your domain in our platform. Second, the SPF and DKIM records authorize our SMTP servers to send on behalf of your domain. This improves your deliverability with your recipients.

DNS records can be a bit tricky but with a few best practices, proper DNS query tools, and a little patience, working with DNS can be a breeze. 

I created my records, but Mailgun does not see them.

It is good practice to always double check your DNS record changes via a local and public query. Local queries can be performed using built-in utilities like dig (Linux/Unix) and nslookup (Windows)

 Verify via Dig - The syntax for dig is: dig -t <record type> <hostname>


dig -t TXT domain.tld 

; <<>> DiG 9.8.3-P1 <<>> -t TXT domain.tld
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64695

;domain.tld. IN TXT

domain.tld. 600 IN TXT "v=spf1 include:mailgun.org ~all"

 Verify via Nslookup - The syntax for nslookup is: nslookup -q=<record type> <hostname>


nslookup -q=TXT domain.tld


Non-authoritative answer:
domain.tld text = "v=spf1 include:mailgun.org ~all"

In some cases, there may be a local DNS server within your network that will take precedence over public queries. Even if you don’t have a local DNS server, we recommend performing a secondary public query for your domain. One great tool is What’s My DNS. What’s My DNS will query multiple servers around the globe to best gauge the propagation of your changes.

 Enter your hostname and select the record type.

  • If the correct value is returned, congratulations the record was successfully created.
  • If you are not seeing the correct value or all red X’s, then there’s something wrong, review and correct the DNS records.


The DKIM record is verified, but SPF is not

With situations like these, there are a couple of things to verify.

  • There can only be 1 SPF record per hostname. If your hostname has more than 1 SPF record, the records will need to be merged into a single value.
    • Example:
dig -t TXT domain.tld 
"v=spf1 include:mailgun.org ~all"
"v=spf1 ip4: include:smtp.domain.tld ~all"

The new value would be: v=spf1 ip4: include:smtp.domain.tld include:mailgun.org ~all

  • With hostnames that have a CNAME and any other record type (i.e. TXT, A, etc), the CNAME will take precedence.
    • Example:
dig domain.tld
domain.tld.   300 IN CNAME mailgun.org
domain.tld.   300 IN TXT "v=spf1 include:mailgun.org ~all"
    • To resolve this, the CNAME would need to be removed from the hostname or another sending subdomain would need to be used with the Mailgun account

The records are resolving, but Mailgun still says that the domain is “Unverified”

Depending on the DNS hosting provider, the records can take up to 24-48 hours to fully propagate. A manual verification can be attempted if 24 hours have already passed, the records are confirmed correct via local and public queries.

To perform a manual verification log into the Mailgun Control panel -> Domains -> Select your domain -> Under “Domain Verification & DNS” select “Check DNS Records Now”


If you are still experiencing any issues after the domain's DNS records are publicly resolving, reach out to your friendly Mailgun support team and we'll help investigate the issue further. 

Getting Started Sending Mail Receiving Mail Deliverability & Reputation Email Tracking Troubleshooting
Powered by Zendesk