SPF for Mailgun: Email Authentication Setup Guide

Learn how to set up SPF for Mailgun. Covers domain verification, the correct SPF include, dedicated vs shared IPs, common mistakes, and verification steps.

Last updated: 2026-05-02

Mailgun is a popular transactional email service used by developers and businesses to send application-generated emails — password resets, order confirmations, notifications, and similar messages. If you're sending email through Mailgun, setting up SPF properly ensures those emails authenticate correctly and reach your recipients' inboxes.

For a comprehensive overview of SPF, see our complete SPF guide. This guide covers everything from Mailgun's domain verification process to advanced configuration with dedicated IPs.

How Mailgun Sends Your Emails

When your application sends email through Mailgun's API or SMTP relay, the message is delivered from Mailgun's servers. Receiving email servers see a Mailgun IP address as the sender, not your own server. SPF bridges this gap — it tells receiving servers that Mailgun is authorized to send email on behalf of your domain.

Without SPF, receiving servers may deliver your emails to spam or reject them entirely.

The Mailgun SPF Include

The correct SPF include for Mailgun is (Mailgun documentation):

include:mailgun.org

This authorizes Mailgun's shared sending infrastructure. If you're using a dedicated IP (more on that below), you have the option to use a direct ip4: mechanism instead.

It's mailgun.org, not mailgun.com

A common mistake is using include:mailgun.com in your SPF record. The correct domain for SPF authorization is mailgun.org. Using the wrong domain will fail to authorize Mailgun's servers.

Mailgun's Domain Verification Process

Before you can send email through Mailgun from your domain, you need to verify that you own it. Mailgun requires several DNS records as part of this process, and SPF is one of them.

Add your domain in Mailgun

Log into the Mailgun dashboard, go to Sending > Domains, and click "Add New Domain." Enter the domain (or subdomain) you want to send from. Mailgun recommends using a subdomain like mail.yourdomain.com or mg.yourdomain.com for sending, which keeps your root domain's reputation separate.

Review the required DNS records

Mailgun provides a set of DNS records you need to add. These typically include a TXT record for SPF (containing include:mailgun.org), two TXT records for DKIM, and a CNAME record for tracking. Copy each record carefully.

Add the SPF record to your DNS

Log into your DNS provider and add or update your SPF record. If you're setting up a subdomain (like mg.yourdomain.com) that doesn't have an existing SPF record, create a new TXT record:

v=spf1 include:mailgun.org ~all

If you're adding Mailgun to your root domain alongside other services, add the include to your existing record:

v=spf1 include:_spf.google.com include:mailgun.org ~all

Add the DKIM records

Add the two TXT records Mailgun provides for DKIM. These look something like smtp._domainkey.mg.yourdomain.com with a long public key value. DKIM adds a cryptographic signature to your emails. For testing and troubleshooting DKIM, use DKIM Test.

Add the tracking CNAME (optional)

If you want Mailgun to track opens and clicks, add the CNAME record they provide. This is optional but useful for campaign analytics.

Verify in Mailgun

Return to the Mailgun dashboard and click "Verify DNS Settings." Mailgun checks each record and shows green checkmarks for those it can find. If any record fails verification, double-check the values and wait for DNS propagation (up to 48 hours, though usually much faster).

Dedicated vs Shared IPs

Mailgun offers two sending options, and your choice affects how you might configure SPF.

Shared IPs (default)

Most Mailgun accounts send from a shared pool of IP addresses. These IPs are used by many Mailgun customers simultaneously, and their reputation is managed collectively.

With shared IPs, use the standard include:

v=spf1 include:mailgun.org ~all

The include:mailgun.org covers all of Mailgun's shared IP pools. As Mailgun adds or rotates IPs, the include automatically stays current.

Dedicated IPs

Higher-tier Mailgun plans offer dedicated IP addresses that only your account uses, giving you full control over your sending reputation.

With a dedicated IP, you have two options for SPF:

Option 1: Keep using the include (simpler)

v=spf1 include:mailgun.org ~all

This still works and requires no maintenance if Mailgun ever changes your dedicated IP.

Option 2: Use the IP directly (saves a DNS lookup)

v=spf1 ip4:YOUR.DEDICATED.IP ~all

Using ip4: directly doesn't count toward the 10 DNS lookup limit, which is useful if you're running low on lookups from other services. Your dedicated IP is visible in the Mailgun dashboard under Sending > IP Addresses.

Dedicated IP users: stay informed

If you use the ip4: approach and Mailgun ever changes or adds to your dedicated IPs, you'll need to update your SPF record manually. The include:mailgun.org approach handles this automatically.

Common Mailgun SPF Mistakes

Using mailgun.com instead of mailgun.org

This is the single most common mistake. The SPF include must be include:mailgun.org. The domain mailgun.com is Mailgun's website — it doesn't contain the SPF authorization records for their mail servers.

Creating an SPF record on the wrong domain

If you told Mailgun you're sending from mg.yourdomain.com, your SPF record needs to be on mg.yourdomain.com, not yourdomain.com. SPF is evaluated against the envelope sender (MAIL FROM) domain, which the receiving server records in the Return-Path header and which matches the domain you configured in Mailgun.

Having multiple SPF records

Your domain (or subdomain) can only have one TXT record starting with v=spf1. If you accidentally create two, SPF evaluation returns a permanent error and neither record is applied. Combine all your includes into a single record.

Wrong:

v=spf1 include:_spf.google.com ~all
v=spf1 include:mailgun.org ~all

Correct:

v=spf1 include:_spf.google.com include:mailgun.org ~all

Not completing Mailgun's domain verification

Adding the SPF record to your DNS is necessary, but you also need to verify the domain in Mailgun's dashboard. Until verification is complete, Mailgun may not send emails from your domain.

Forgetting the DKIM records

SPF alone isn't enough for reliable delivery. Mailgun provides DKIM records during domain setup — skipping them means your emails are missing a critical authentication layer. Use DKIM Test to verify your DKIM setup.
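The DNS-side mistakes above (the mailgun.com include, a record on the wrong name, and duplicate v=spf1 records) can be checked mechanically. The following Python sketch is an added example, not Mailgun's tooling; the function names, finding labels and sample records are constructed for illustration.

```python
# Added example (not Mailgun code): lint the TXT records published at a
# sending domain for the SPF mistakes listed above. Sample data is constructed.

def spf_records(txts):
    """Keep only the TXT strings that are SPF records."""
    return [t for t in txts if t.lower().split()[:1] == ["v=spf1"]]

def lint_spf(sending_domain, txt_by_name):
    """txt_by_name maps a DNS name to the TXT strings published at that name."""
    records = spf_records(txt_by_name.get(sending_domain, []))
    if not records:
        findings = ["no-spf-record"]
        parent = sending_domain.split(".", 1)[-1]
        if spf_records(txt_by_name.get(parent, [])):
            findings.append("spf-only-on-parent-domain")
        return findings
    findings = ["multiple-spf-records"] if len(records) > 1 else []
    terms = [t.lstrip("+-~?").lower() for r in records for t in r.split()[1:]]
    if "include:mailgun.com" in terms:
        findings.append("include-mailgun.com")
    # Assumption: an ip4: term stands for the dedicated-IP option described earlier.
    if "include:mailgun.org" not in terms and not any(t.startswith("ip4:") for t in terms):
        findings.append("mailgun-not-authorized")
    return findings

def merge_spf(records):
    """Combine several v=spf1 records into the single record SPF allows."""
    mechanisms, all_terms = [], set()
    for record in records:
        for term in record.split()[1:]:
            if term.lstrip("+-~?").lower() == "all":
                all_terms.add(term)
            elif term not in mechanisms:
                mechanisms.append(term)
    if len(all_terms) != 1:
        raise ValueError(f"expected one distinct all term, got {sorted(all_terms)}")
    return " ".join(["v=spf1", *mechanisms, all_terms.pop()])

SAMPLE = {  # constructed zone contents
    "yourdomain.com": ["v=spf1 include:_spf.google.com ~all",
                       "v=spf1 include:mailgun.org ~all",
                       "google-site-verification=PLACEHOLDER"],
    "mg.yourdomain.com": [],
    "mail.yourdomain.com": ["v=spf1 include:mailgun.com ~all"],
}

if __name__ == "__main__":
    for name in SAMPLE:
        print(name, lint_spf(name, SAMPLE))
    print(merge_spf(spf_records(SAMPLE["yourdomain.com"])))
```

`merge_spf` refuses to guess when the records end in different all terms, since choosing between ~all and -all is a policy decision rather than a formatting one.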

Mailgun with Other Email Services

Transactional email services like Mailgun are often used alongside a primary email provider and possibly a marketing email platform. Here are common combinations:

Mailgun + Google Workspace:

v=spf1 include:_spf.google.com include:mailgun.org ~all

Mailgun + Microsoft 365:

v=spf1 include:spf.protection.outlook.com include:mailgun.org ~all

Mailgun + Google Workspace + Mailchimp:

v=spf1 include:_spf.google.com include:mailgun.org include:servers.mcsv.net ~all

Each include adds to your DNS lookup count. If you're using several services, check your total with the tool above. If you're approaching the limit, see our guide on what to do when your SPF record gets too long or learn about SPF flattening. For guidance on combining providers, see SPF for multiple ESPs. Need help generating the right record? SPF Creator can build it for you.
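To see how includes add up against the 10-lookup limit, and why the ip4: option for a dedicated IP costs none, the following added Python example (not from the original guide) counts lookups over a constructed stand-in for DNS. The contents of ZONE are invented for illustration and are not the providers' real records; `count_lookups` is a hypothetical helper.

```python
# Added example: count the DNS lookups an SPF record costs under RFC 7208.
# ZONE is a constructed stand-in for DNS answers. Its contents are NOT the
# real records of the providers named; query live DNS for actual values.

LIMIT = 10
ZONE = {
    "_spf.google.com": "v=spf1 include:nb1.example include:nb2.example ~all",
    "nb1.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "nb2.example": "v=spf1 ip4:192.0.2.128/25 ~all",
    "mailgun.org": "v=spf1 ip4:198.51.100.0/24 ~all",
    "servers.mcsv.net": "v=spf1 ip4:203.0.113.0/24 ~all",
}

def count_lookups(record, zone, path=()):
    """Count terms that trigger a DNS query, following nested includes."""
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?").lower()
        if term.startswith("redirect="):
            name, target = "include", term[len("redirect="):]
        else:
            name, _, target = term.partition(":")
        if name == "include":
            total += 1                      # the include itself is one lookup
            if target not in path:          # guard against include loops
                total += count_lookups(zone.get(target, ""), zone, path + (target,))
        elif name.split("/")[0] in ("a", "mx", "ptr", "exists"):
            total += 1                      # ip4, ip6 and all cost nothing
    return total

def within_limit(record, zone):
    return count_lookups(record, zone) <= LIMIT

if __name__ == "__main__":
    for rec in (
        "v=spf1 include:_spf.google.com include:mailgun.org ~all",
        "v=spf1 include:_spf.google.com ip4:198.51.100.7 ~all",
        "v=spf1 include:_spf.google.com include:mailgun.org include:servers.mcsv.net ~all",
    ):
        print(count_lookups(rec, ZONE), within_limit(rec, ZONE), rec)
```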

Complete Email Authentication for Mailgun

For the strongest deliverability, configure all three authentication protocols:

SPF — Add include:mailgun.org to your SPF record (what this guide covers).

DKIM — Add the TXT records Mailgun provides during domain setup. Verify them at DKIM Test.

DMARC — Once SPF and DKIM are both working, add a DMARC record. Start with p=none to monitor authentication results, then tighten to p=quarantine or p=reject once you're confident all legitimate email is passing.

Together, these three protocols protect your domain from spoofing and improve inbox placement.

Verifying Your Setup

After adding all the DNS records, confirm everything is working:

  1. Check your SPF record with the tool above. Verify it's valid, includes mailgun.org, and stays under 10 DNS lookups.
  2. Check Mailgun's verification status. In the Mailgun dashboard under Sending > Domains, your domain should show all records verified.
  3. Send a test email. Use Mailgun's dashboard or API to send a test to a Gmail address. Open it, click the three dots, select "Show original," and look for spf=pass and dkim=pass.
  4. Run a full deliverability check at Deliverability Checker to see your complete authentication status.
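Step 3 can also be checked programmatically from the raw message that "Show original" displays. This added Python example (not part of the original guide) parses the topmost Authentication-Results header of a constructed message; the header values, addresses and the `check` helper are assumptions for illustration.

```python
import re
from email import message_from_string

# Constructed sample of a raw received message; the addresses, IP and
# signature value are placeholders.
RAW = """\
Delivered-To: test@gmail.example
Authentication-Results: mx.google.com;
       dkim=pass header.i=@mg.yourdomain.com header.s=smtp header.b=EXAMPLE;
       spf=pass (google.com: domain of bounce@mg.yourdomain.com designates 192.0.2.10 as permitted sender) smtp.mailfrom=bounce@mg.yourdomain.com
Return-Path: <bounce@mg.yourdomain.com>
From: App <no-reply@mg.yourdomain.com>
Subject: test

hello
"""

def auth_results(raw_message):
    """Return {method: (result, {property: value})} for the topmost header."""
    msg = message_from_string(raw_message)
    out = {}
    # Only the topmost header was added by the final receiver; copies further
    # down may have been supplied by the sender and are ignored here.
    for header in msg.get_all("Authentication-Results", [])[:1]:
        header = re.sub(r"\([^)]*\)", "", header)    # drop (comments)
        for part in header.split(";")[1:]:           # [0] is the receiver's id
            tokens = part.split()
            if not tokens or "=" not in tokens[0]:
                continue
            method, result = tokens[0].split("=", 1)
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            out[method.lower()] = (result.lower(), props)
    return out

def check(raw_message, sending_domain):
    """Summarise SPF/DKIM results and whether SPF was run on the expected domain."""
    res = auth_results(raw_message)
    spf, spf_props = res.get("spf", ("missing", {}))
    dkim, _ = res.get("dkim", ("missing", {}))
    mailfrom = spf_props.get("smtp.mailfrom", "")
    return {
        "spf": spf,
        "dkim": dkim,
        "spf_domain_matches": mailfrom.rpartition("@")[2].lower() == sending_domain,
    }

if __name__ == "__main__":
    print(check(RAW, "mg.yourdomain.com"))
```

A result of spf=none or spf=softfail together with `spf_domain_matches` being true usually points to the record being published on a different name than the one Mailgun sends from.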

Monitor Your SPF Records

Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.
