DKIM for Mailgun: Domain Verification and Key Setup

How to set up DKIM for Mailgun. Step-by-step guide covering domain verification, DNS record configuration, and DKIM key management for reliable email delivery.

Last updated: 2026-03-26

This guide is part of our Transactional and API series.

Mailgun is a popular transactional email service, but adding a domain and getting DKIM configured correctly is where most delivery problems start. If your Mailgun emails are landing in spam or bouncing, an incomplete DKIM setup is usually the cause. This guide walks through the full domain verification and DKIM key setup process so your emails reach the inbox.

Mailgun generates DKIM keys automatically when you add a sending domain. You'll need access to your DNS provider to add the records Mailgun gives you.

How Mailgun DKIM Works

When you add a custom sending domain to Mailgun, the platform generates a DKIM key pair behind the scenes. The private key stays on Mailgun's servers and is used to sign every outgoing email from that domain. Your job is to publish the matching public key as a DNS TXT record so receiving mail servers can verify those signatures.

Mailgun ties DKIM setup into its broader domain verification process. You won't just add a DKIM record - you'll also add an SPF record and, optionally, a CNAME for tracking. All three records need to be in place before Mailgun considers the domain fully verified. Until verification completes, Mailgun may throttle or block sending from that domain.

The key difference between Mailgun and managing DKIM yourself is that Mailgun controls the key pair. You don't generate the keys - Mailgun does. This simplifies setup but means you're relying on Mailgun for key rotation and management.

Adding Your Domain to Mailgun

1. Log in to the Mailgun dashboard

Go to your Mailgun control panel and navigate to Sending > Domains. This is where all your sending domains are managed.

2. Add a new domain

Click Add New Domain and enter your sending domain. Mailgun recommends using a subdomain like mg.yourdomain.com for transactional email rather than your root domain. This keeps transactional reputation separate from your marketing email.

3. Copy the DNS records

After adding the domain, Mailgun displays the DNS records you need to create. You'll see a DKIM TXT record, an SPF TXT record, and optionally a CNAME record for open and click tracking. Copy each record carefully - a single typo will cause verification to fail.

4. Add records to your DNS provider

Log in to your DNS provider (Cloudflare, GoDaddy, Namecheap, Route 53, etc.) and create the TXT records exactly as Mailgun specifies. Pay close attention to the hostname field - it must match what Mailgun provides, including the ._domainkey suffix for the DKIM record.

5. Verify the domain in Mailgun

Return to the Mailgun dashboard and click Verify DNS Settings. Mailgun checks for your records and reports which ones it found. If a record isn't detected yet, wait 15 to 30 minutes and try again. Full DNS propagation can take up to 48 hours, though most providers update within an hour.

DNS Records for Mailgun DKIM

Mailgun provides specific DNS records during domain setup. Here's what each record looks like and where it goes:

| Record Type | Purpose | Example Hostname |
| --- | --- | --- |
| TXT (DKIM) | Publishes your DKIM public key | `smtp._domainkey.mg.yourdomain.com` |
| TXT (SPF) | Authorizes Mailgun to send on your behalf | `mg.yourdomain.com` |
| CNAME (Tracking) | Enables open and click tracking | `email.mg.yourdomain.com` |

Do not modify the DKIM record value Mailgun gives you. The public key, version tag, and key type must remain exactly as provided. Editing the value - even adding extra spaces - will break signature verification.

The DKIM TXT record value will look something like this:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNA...

Paste this entire value into the TXT record content field at your DNS provider. Some providers automatically wrap the hostname with your domain, so if Mailgun says the hostname is smtp._domainkey.mg.yourdomain.com, you may only need to enter smtp._domainkey.mg in your DNS panel.
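The two checks above (hostname as the panel will create it, value unchanged from the dashboard) can be scripted. This is an added example, not Mailgun's code or part of the original guide; the function names, the zone-appending model of the DNS panel, and the placeholder key are assumptions made for illustration.

```python
import base64
import binascii
import re

# Constructed placeholder, NOT a real public key: 200 arbitrary bytes, base64-encoded.
FAKE_P = base64.b64encode(bytes(range(200))).decode()
DASHBOARD_VALUE = "v=DKIM1; k=rsa; p=" + FAKE_P

def effective_fqdn(entered, zone):
    """Name the panel creates (assumed model): trailing dot = absolute, else zone appended."""
    entered = entered.lower()
    if entered.endswith("."):
        return entered.rstrip(".")
    return f"{entered}.{zone.lower()}"

def join_txt(rdata):
    """Join the quoted strings of one TXT answer, as DKIM verifiers do, with no separator."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(chunks) if chunks else rdata

def check_record(entered, zone, expected_fqdn, rdata, expected_value):
    """Return a list of problems; an empty list means the record matches."""
    problems = []
    fqdn = effective_fqdn(entered, zone)
    if fqdn != expected_fqdn.lower().rstrip("."):
        problems.append(f"published at {fqdn}, expected {expected_fqdn}")
    value = join_txt(rdata)
    if value != expected_value:
        problems.append("value differs from the dashboard value")
    pairs = (t.partition("=") for t in value.split(";") if "=" in t)
    tags = {k.strip(): v.strip() for k, _, v in pairs}
    if tags.get("v") != "DKIM1":
        problems.append("v= tag is not DKIM1")
    p = tags.get("p", "")
    try:
        base64.b64decode(p, validate=True)
    except binascii.Error:
        problems.append("p= is not valid base64")
    if not p:
        problems.append("p= is empty or missing")
    return problems

# A 286-character value as a provider may store it: two strings of at most 255 bytes.
SPLIT_RDATA = f'"{DASHBOARD_VALUE[:255]}" "{DASHBOARD_VALUE[255:]}"'
HOST = "smtp._domainkey.mg.yourdomain.com"
print(check_record("smtp._domainkey.mg", "yourdomain.com", HOST, SPLIT_RDATA, DASHBOARD_VALUE))
print(check_record(HOST, "yourdomain.com", HOST, SPLIT_RDATA, DASHBOARD_VALUE))
```

The second call reproduces the duplicated-domain mistake: pasting the full hostname into a panel that appends the zone publishes the key under a name no verifier will query.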

Understanding Mailgun DKIM Selectors

A DKIM selector is the prefix that identifies which key to use when verifying a signature. Mailgun typically uses smtp as its default DKIM selector, making the full DNS hostname smtp._domainkey.yourdomain.com. Some Mailgun accounts may see provider-generated selectors that include additional identifiers.

The selector matters because it's embedded in the DKIM-Signature header of every email Mailgun sends. When a receiving server gets your email, it reads the selector from the header, looks up the corresponding DNS record, and uses the public key to verify the signature. If the selector in the email header doesn't match a DNS record, verification fails.

You can check which selector Mailgun is using by looking at the raw headers of a sent email. Find the DKIM-Signature header and look for the s= value - that's your selector.

Using Custom Sending Domains

Mailgun strongly recommends setting up a custom sending domain rather than using the shared Mailgun sandbox domain. Here's why this matters for DKIM and deliverability:

  • Reputation isolation: Your sending reputation is tied to your domain, not shared with other Mailgun users
  • DKIM alignment: DKIM signatures match your From address domain, which is required for DMARC to pass
  • Brand trust: Recipients and their mail servers see your domain, not a generic Mailgun subdomain
  • Deliverability: Major providers like Gmail and Yahoo require proper authentication from custom domains

When choosing a sending domain, the subdomain approach (e.g., mg.yourdomain.com or mail.yourdomain.com) is standard practice. It protects your root domain's reputation while still aligning with DMARC policies set on the parent domain.

Subdomain DMARC alignment

DMARC alignment in relaxed mode (the default for most policies) allows a subdomain like mg.yourdomain.com to align with a DMARC policy on yourdomain.com. This means your transactional emails through Mailgun will pass DMARC as long as DKIM is properly configured.

Troubleshooting Mailgun DKIM

Domain stuck in "Unverified" status

  • Double-check that the DNS record hostnames match exactly what Mailgun shows. A common mistake is duplicating the domain portion (e.g., smtp._domainkey.mg.yourdomain.com.yourdomain.com).
  • Wait at least an hour before troubleshooting further - some DNS providers are slow to propagate.
  • Use a DNS lookup tool to confirm the TXT record is visible from outside your network.

DKIM verification failing on received emails

  • Check the email headers for the DKIM-Signature field. Confirm the d= value matches your sending domain and the s= selector matches your DNS record hostname.
  • Ensure you haven't modified the record value Mailgun provided. Re-copy it from the Mailgun dashboard if needed.

SPF or DKIM passing but DMARC failing

  • DMARC requires alignment between the From address domain and the domain in the DKIM signature. If you're sending from yourdomain.com but Mailgun signs with mg.yourdomain.com, make sure your DMARC policy uses relaxed alignment (this is the default).
  • Check that your From address uses the domain you verified in Mailgun, not a different domain.
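The header checks described in the selector section and in the two troubleshooting lists above (read s= and d= from DKIM-Signature, derive the DNS name to look up, compare d= with the From domain) can be run against a saved raw message. This is an added example, not code from Mailgun or the original guide; the sample message is constructed, and the organizational domain is passed in by the caller as an assumption, where a real DMARC evaluator derives it from the Public Suffix List.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message, not real mail; bh= and b= are placeholders.
RAW = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mg.yourdomain.com;
 s=smtp; h=from:to:subject; bh=PLACEHOLDER;
 b=PLACEHOLDER
From: Billing <billing@yourdomain.com>
To: user@example.net
Subject: Receipt

Thanks for your payment.
"""

def dkim_tags(header_value):
    """Parse the tag=value; list of a DKIM-Signature header (RFC 6376)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            # Folding whitespace inside a tag value is not significant.
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def in_org(domain, org_domain):
    """True if domain is the organizational domain or one of its subdomains."""
    return domain == org_domain or domain.endswith("." + org_domain)

def check_message(raw, org_domain):
    """Return the From domain and, per signature, the DNS lookup name and alignment."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    report = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = dkim_tags(value)
        d, s = tags.get("d", "").lower(), tags.get("s", "")
        report.append({
            "lookup": f"{s}._domainkey.{d}",  # TXT record a receiver queries
            "strict": d == from_domain,       # strict alignment: exact match
            "relaxed": in_org(d, org_domain) and in_org(from_domain, org_domain),
        })
    return from_domain, report

print(check_message(RAW, "yourdomain.com"))
```

For the sample, the signature aligns in relaxed mode only: d= is mg.yourdomain.com while the From address uses yourdomain.com.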

Mailgun showing partial verification

  • Mailgun verifies DKIM and SPF records independently. If one passes and the other doesn't, check the failing record specifically. SPF records have a different hostname than DKIM records, so verify both.
