How to set up domain authentication in Mailgun for improved email deliverability

If you send emails for your business—newsletters, receipts, password resets, whatever—you’ve probably wondered why some go straight to spam. Good news: setting up domain authentication with Mailgun is one of the simplest, most effective ways to actually land in inboxes. This guide is for anyone who wants real results, not just to check a box.

A quick promise: I’ll show you exactly what to do, what to skip, and what actually matters. No fluff, no hype.


Why Domain Authentication Matters (Yes, You Really Need It)

Let’s get this out of the way: you can technically send email without authenticating your domain. But don’t. Here’s why:

  • Unauthenticated emails look suspicious. Mail providers like Gmail and Outlook are quick to flag them as spam or, worse, block them completely.
  • You control your reputation. Domain authentication (using DNS records) proves your emails aren’t coming from random servers pretending to be you.
  • You avoid “via mailgun.org” in the sender line. That’s a dead giveaway you’re not fully set up.

If you care about deliverability—and you should—domain authentication isn’t optional. It’s table stakes.


The Prerequisites

Before you dive in, make sure you have:

  • A custom domain you control. You need access to your DNS settings (GoDaddy, Cloudflare, Namecheap, whatever you use).
  • A Mailgun account. Even the free plan is fine for getting started.
  • Patience for DNS changes. Sometimes records update in minutes, other times it takes hours. Don’t panic if things don’t click instantly.

Step 1: Add Your Domain to Mailgun

  1. Log in to Mailgun.
  2. In the dashboard’s side menu, click Sending > Domains.
  3. Click Add New Domain.
  4. Enter your domain. Pro tips:
    • Use a subdomain, not your root domain. Example: mg.yourdomain.com or mail.yourdomain.com. Why? Keeps mailing reputation separate from your main site (and avoids headaches if you ever swap email providers).
    • Make sure the subdomain isn’t already being used elsewhere.
  5. Hit Add Domain.

Mailgun will now show you a list of DNS records you need to add.


Step 2: Understand the DNS Records Mailgun Gives You

You’ll see a bunch of records. Here’s what they mean, and what you actually need:

  • TXT records (SPF & DKIM): The SPF record proves Mailgun can send on your behalf; the DKIM record proves your emails haven’t been tampered with.
  • CNAME records (tracking): Needed if you want to use Mailgun’s click/open tracking. Ignore if you don’t care about tracking.
  • MX records: Only needed if you plan to receive mail at this subdomain (most people skip this).
  • DMARC (optional, but smart): Not always provided by Mailgun, but you should set one up for extra deliverability points.

Bottom line: Focus on the TXT records (SPF and DKIM). The rest are optional for most senders. Don’t get distracted by extras.


Step 3: Add the DNS Records to Your Domain

  1. Open your DNS provider’s dashboard. Where you bought your domain, or wherever your DNS is managed.
  2. Copy each DNS record from Mailgun.
    • For each record, you’ll need to specify:
      • Type: (TXT, CNAME, etc.)
      • Name/Host: Usually your subdomain (mg, mail, or whatever you picked)
      • Value: The long string Mailgun gives you (don’t edit it)
  3. Paste exactly as shown.
    • Don’t add extra spaces.
    • Some hosts auto-add your root domain; double-check how your provider handles subdomains.
    • If in doubt, check their help docs or ask support.
  4. Save changes.

Pro tip: DNS changes don’t go live instantly. Most hosts update within an hour, but some can take up to 24 hours. If you’re staring at “pending” for a while, be patient.
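The entry mistakes called out in Step 3 (provider auto-appending the root domain, stray spaces, malformed values) can be caught before you save. This is an added example, not Mailgun's tooling: the selector s1, the record values and the helper names are constructed placeholders, so paste in the real values from your Mailgun dashboard.

```python
ZONE = "yourdomain.com"        # DNS zone managed at your provider
SENDING = "mg.yourdomain.com"  # subdomain added to Mailgun in Step 1

def published_name(host, zone):
    """Name that a provider which auto-appends the zone will publish."""
    host = host.strip()
    if host.endswith("."):     # trailing dot: already fully qualified
        return host.rstrip(".")
    return zone if host in ("", "@") else f"{host}.{zone}"

def tags(value):
    """Split a 'k=v; k=v' TXT value (DKIM/DMARC style) into a dict."""
    pairs = (t.split("=", 1) for t in value.split(";") if "=" in t)
    return {k.strip(): v.strip() for k, v in pairs}

def lint(records, zone=ZONE, sending=SENDING):
    problems, spf_count = [], {}
    for host, rtype, value in records:
        name = published_name(host, zone)
        if name.endswith(f".{zone}.{zone}"):
            problems.append(f"{name}: zone appended twice; enter the host without '.{zone}'")
        if value != value.strip():
            problems.append(f"{name}: extra whitespace around value")
        if rtype != "TXT":
            continue
        v = value.strip().strip('"')
        if v.startswith("v=spf1"):
            spf_count[name] = spf_count.get(name, 0) + 1
        elif "._domainkey." in name and not tags(v).get("p"):
            problems.append(f"{name}: DKIM record has no public key (p=)")
        elif name.startswith("_dmarc.") and tags(v).get("p") not in ("none", "quarantine", "reject"):
            problems.append(f"{name}: DMARC p= must be none, quarantine or reject")
    for name, n in spf_count.items():
        if n > 1:  # receivers treat multiple SPF records at one name as an error
            problems.append(f"{name}: {n} SPF records; publish exactly one")
    if sending not in spf_count:
        problems.append(f"{sending}: no SPF record at the sending subdomain")
    return problems

# Constructed sample: records as mistyped into a provider's form.
AS_TYPED = [
    ("mg.yourdomain.com", "TXT", "v=spf1 include:mailgun.org ~all "),
    ("s1._domainkey.mg", "TXT", "k=rsa; p="),
    ("_dmarc.mg", "TXT", "v=DMARC1; p=monitor; rua=mailto:your@email.com"),
]
for problem in lint(AS_TYPED):
    print(problem)
```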


Step 4: Verify Your Domain in Mailgun

  1. Back in Mailgun, go to your domain’s page.
  2. Click Check DNS Records or Verify DNS Settings.
  3. If all records are correct, you’ll see green checkmarks. Nice.
  4. If you see errors:
    • Double-check you copied everything correctly.
    • Make sure you gave DNS enough time to update.
    • If it’s still not working after 24 hours, contact your DNS provider—sometimes their UI is weird or they cache old data.

Step 5: Test Sending Emails

Once your domain is verified:

  1. Send a test email (Mailgun has a “Send a test message” feature, or use your app).
  2. Check the recipient’s inbox and spam folder.
  3. If you see “via mailgun.org” in the sender, something’s wrong with authentication—double-check your DNS records.

Pro tip: Use a tool like mail-tester.com to see if your emails are set up right. It’ll flag authentication issues and give you a spam score. Handy.
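You can also read the verdict straight from the test message: open its raw source ("Show original" in Gmail) and look at the Authentication-Results header your mailbox provider added. The sketch below is an added example, not part of Mailgun; the header text, mx.example.net and the selector s1 are constructed, and the domain comparison is a simplified stand-in for DMARC alignment.

```python
import re
from email import message_from_string

# Constructed headers of a received test message (not real mail).
RAW = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@mg.yourdomain.com header.s=s1;
 spf=pass smtp.mailfrom=bounce@mg.yourdomain.com;
 dmarc=pass header.from=mg.yourdomain.com
From: App <noreply@mg.yourdomain.com>
Subject: test

body
"""

def auth_results(raw):
    """Parse the topmost Authentication-Results header into {method: (verdict, props)}."""
    msg = message_from_string(raw)
    # Only the first (topmost) header is the one your own provider added.
    header = " ".join(msg.get("Authentication-Results", "").split())  # unfold
    results = {}
    for clause in header.split(";")[1:]:  # element 0 is the receiver's id
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)(.*)", clause)
        if m:
            method, verdict, rest = m.groups()
            results[method] = (verdict, dict(re.findall(r"([\w.]+)=(\S+)", rest)))
    return results

def check(raw, sending_domain):
    """Return a list of authentication problems; an empty list means all good."""
    res, issues = auth_results(raw), []
    for method in ("spf", "dkim", "dmarc"):
        verdict = res.get(method, ("missing", {}))[0]
        if verdict != "pass":
            issues.append(f"{method}={verdict}")
    props = res.get("dkim", ("", {}))[1]
    signer = props.get("header.d") or props.get("header.i", "").rpartition("@")[2]
    # A signature from someone else's domain is the "via mailgun.org" symptom.
    if signer and signer != sending_domain and not signer.endswith("." + sending_domain):
        issues.append(f"dkim signed by {signer}, not {sending_domain}")
    return issues

print(check(RAW, "mg.yourdomain.com") or "spf, dkim and dmarc all pass")
```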


Extra Credit: Set Up DMARC

You don’t have to, but it’s good practice. DMARC tells receiving mail servers what to do if an email fails SPF or DKIM.

  1. Add a new TXT record:
    • Name/Host: _dmarc (e.g., _dmarc.mg.yourdomain.com)
    • Value: A basic starting point:

      v=DMARC1; p=none; rua=mailto:your@email.com

    • This just monitors, doesn’t block anything. You can tighten it later if you want.
  2. Save and wait for DNS to update.

What Actually Moves the Needle (And What Doesn’t)

  • SPF and DKIM are non-negotiable. If you skip these, you’re flying blind.
  • DMARC is worth adding, but don’t stress about strict enforcement at first.
  • Don’t bother with MX unless you’re receiving mail.
  • CNAME tracking is for stats nerds and marketers. If you just want your emails to land, you can skip it.
  • Authentication only solves part of deliverability. If your emails are spammy or people mark them as junk, no amount of DNS setup will help.

Troubleshooting: When Stuff Doesn’t Work

  • Records not verifying?
    • Wait a bit—DNS propagation is slow.
    • Double-check for typos.
    • Make sure you’re editing the right subdomain.
  • Emails still landing in spam?
    • Check your content—spammy language, too many links, or bad formatting will get you.
    • Run your email through a tester.
    • Make sure you’re not sending huge volumes right away from a new domain (“warming up” counts).
  • Still stuck? Mailgun support is actually pretty decent. Your DNS provider’s support can also help if you think the records aren’t sticking.

Keep It Simple and Iterate

Domain authentication isn’t rocket science, but it’s easy to overthink. Focus on the basics: SPF, DKIM, and (if you want) DMARC. Don’t get bogged down in obscure DNS settings or chase every shiny metric. Set it up, test, and tweak as you go. Most importantly, pay attention to real-world results: are your emails landing where they should? If so, you’re winning.

Now—go set it up, send yourself a test, and get on with your day.