Fix guide

How to Fix DMARC Alignment for Mailgun

DMARC alignment with Mailgun requires adding a custom sending domain, with CNAME records for DKIM signing and a custom Return-Path. Without these, Mailgun sends from @mailgun.org, which fails DMARC alignment with your From: domain.

Why alignment fails

Without a verified sending domain, Mailgun uses a Return-Path that doesn't match your From: domain. DMARC passes only when SPF or DKIM (or both) passes and is aligned with the domain in your From: header, that is, your brand domain.
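The alignment rule above and the strict-mode subdomain case from the FAQ, as an added example (not Mailgun's or this page's code). The function names, the short suffix list and every domain and DMARC record in the scenarios are constructed for illustration.

```python
# Added example (not Mailgun code): DMARC identifier alignment, RFC 7489 section 3.1.
# Assumption: the organizational domain is the last two labels, or three for the
# few multi-label suffixes below; real code should consult the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def org_domain(domain):
    labels = domain.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def alignment_modes(dmarc_txt):
    """Read adkim/aspf from a DMARC TXT record; both default to relaxed ('r')."""
    tags = {}
    for part in dmarc_txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("adkim", "r"), tags.get("aspf", "r")

def aligned(auth_domain, from_domain, mode):
    # Strict mode needs an exact match; relaxed mode compares organizational domains.
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(from_domain, return_path_domain, spf_pass, dkim_d, dkim_pass, dmarc_txt):
    adkim, aspf = alignment_modes(dmarc_txt)
    spf_ok = spf_pass and aligned(return_path_domain, from_domain, aspf)
    dkim_ok = dkim_pass and aligned(dkim_d, from_domain, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

# Constructed scenarios; every domain and record below is a sample value.
# Tuple order: From: domain, Return-Path domain, SPF pass, DKIM d=, DKIM pass, DMARC TXT.
RELAXED = "v=DMARC1; p=reject"
STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s"
SCENARIOS = {
    "no custom domain": ("yourdomain.com", "mailgun.org", True, "mailgun.org", True, RELAXED),
    "mg subdomain, relaxed": ("yourdomain.com", "mg.yourdomain.com", True, "mg.yourdomain.com", True, RELAXED),
    "mg subdomain, strict": ("yourdomain.com", "mg.yourdomain.com", True, "mg.yourdomain.com", True, STRICT),
    "DKIM only, strict": ("yourdomain.com", "mailgun.org", True, "yourdomain.com", True, STRICT),
}

if __name__ == "__main__":
    for name, args in SCENARIOS.items():
        print(f"{name:24} {evaluate(*args)}")
```

SPF and DKIM both pass authentication in every scenario; only the domain comparison against From: changes the DMARC outcome.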

Exact DNS records (pattern)

Mailgun shows exact values per domain. Typical patterns:

email.yourdomain.com → CNAME → mailgun.org
k1._domainkey.yourdomain.com → TXT → "k=rsa; p=[mailgun-public-key]"
OR
k1._domainkey.yourdomain.com → CNAME → k1.domainkey.yourdomain.com.mailgun.org

Step-by-step fix

Step 1: Mailgun → Sending → Domains → Add new domain
Step 2: Enter your domain name (use yourdomain.com, not mg.yourdomain.com, for best alignment)
Step 3: Copy all DNS records Mailgun provides: TXT for SPF, CNAME/TXT for DKIM, CNAME for tracking
Step 4: Add all records to your DNS provider
Step 5: Click Verify DNS settings in Mailgun, then wait up to 48 hours
Step 6: Run DNS Preflight to confirm DKIM and SPF alignment


FAQ

Should I use yourdomain.com or mg.yourdomain.com as my Mailgun domain?

Use your root domain (yourdomain.com) for best DMARC alignment. Using a subdomain like mg.yourdomain.com can cause alignment failures with strict DMARC policies.

Why does Mailgun fail DMARC even after adding DNS records?

Check that you added the domain-specific DKIM record, not just SPF. Also verify that the Return-Path CNAME is added; this enables SPF alignment.

How many DNS records does Mailgun require?

Typically 3: one TXT for SPF (include:mailgun.org), one TXT or CNAME for DKIM, and one CNAME for the Return-Path (tracking subdomain).

What is the Mailgun DKIM selector?

Mailgun uses k1 as the default DKIM selector. Your DKIM record goes at k1._domainkey.yourdomain.com.

How long does Mailgun domain verification take?

DNS propagation takes up to 48 hours. Mailgun's dashboard shows a green checkmark when all records are verified.