In Mailgun, go to Sending > Domains and add your domain. Mailgun generates a DKIM TXT record with a unique selector. Add this TXT record to your DNS at the specified hostname. Click Verify in Mailgun. Once verified, all email sent through Mailgun for that domain will be DKIM-signed with a 2048-bit key.
DKIM for Mailgun: Setup Guide
Add Your Domain
- Log into Mailgun and go to Sending > Domains
- Click Add New Domain
- Enter your domain (Mailgun recommends a subdomain like mg.yourdomain.com)
- Mailgun generates the required DNS records
Add the DKIM DNS Record
Mailgun provides a TXT record for DKIM:
Host: smtp._domainkey.mg.yourdomain.com (or your chosen subdomain)
Type: TXT
Value: The full DKIM public key string starting with k=rsa; p=...
Copy the exact value from Mailgun. The record will be long — make sure your DNS provider doesn't truncate it.
Practitioner note: Mailgun uses TXT records instead of CNAMEs, which means you're responsible for key rotation. I recommend scheduling a reminder every 12 months to rotate your DKIM key — it's easy to forget since there's no automation.
Verify the Domain
Go back to Sending > Domains in Mailgun and click Verify DNS Settings. Mailgun checks for all required records (DKIM, SPF, and MX).
Green checkmarks mean you're good. If DKIM fails:
- Wait for DNS propagation
- Check that the TXT record wasn't truncated by your DNS provider
- Verify the hostname matches exactly
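To test a published value for truncation, the Python below (an added example, not Mailgun tooling or code from this guide) joins the TXT strings as DNS returns them, decodes p=, and reads the RSA modulus size. It assumes the key is in the common SubjectPublicKeyInfo DER encoding; the function names and the sample record are constructed for illustration.

```python
import base64

def _tlv(buf, pos):
    """Return (value_start, value_end) of the DER element that begins at pos."""
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return pos, pos + length

def rsa_modulus_bits(spki):
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo (assumed encoding)."""
    start, _ = _tlv(spki, 0)                    # outer SEQUENCE
    _, alg_end = _tlv(spki, start)              # AlgorithmIdentifier (skipped)
    bits_start, _ = _tlv(spki, alg_end)         # BIT STRING wrapping the key
    key_start, _ = _tlv(spki, bits_start + 1)   # RSAPublicKey, after the unused-bits byte
    mod_start, mod_end = _tlv(spki, key_start)  # INTEGER modulus
    return int.from_bytes(spki[mod_start:mod_end], "big").bit_length()

def check_dkim_txt(chunks, min_bits=2048):
    """chunks: the strings of one TXT answer, in order. Returns (ok, detail)."""
    record = "".join(chunks)                # strings are concatenated with no separator
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        return False, "no RSA public key in p="
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError) as exc:  # bad base64 or short DER
        return False, f"p= does not parse, likely truncated: {exc}"
    if bits < min_bits:
        return False, f"{bits}-bit key, expected at least {min_bits}"
    return True, f"{bits}-bit RSA key"

def sample_record():
    """Constructed sample: valid DER layout, filler modulus, not a real key."""
    header = bytes.fromhex("30820122300d06092a864886f70d01010105000382010f00")
    key = bytes.fromhex("3082010a0282010100") + b"\xc3" * 256 + bytes.fromhex("0203010001")
    return "k=rsa; p=" + base64.b64encode(header + key).decode()

if __name__ == "__main__":
    rec = sample_record()
    print(check_dkim_txt([rec[:255], rec[255:]]))   # record split into two DNS strings
    print(check_dkim_txt([rec[:255]]))              # second string dropped by the provider
```

Pass `check_dkim_txt` the quoted strings from a lookup of the DKIM hostname, in the order returned; a record cut at the 255-character string boundary fails the parse instead of passing silently.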
Root Domain vs Subdomain
Mailgun recommends using a subdomain (like mg.yourdomain.com) rather than your root domain. Here's why:
| Setup | Pros | Cons |
|---|---|---|
| Root domain | Simple, everything under one domain | Reputation shared with all email, DNS conflicts possible |
| Subdomain | Isolated reputation, no conflicts | Requires DMARC relaxed alignment or subdomain DMARC |
For most setups, a subdomain is the right call. It keeps Mailgun's sending reputation separate from your corporate email.
Practitioner note: GHL agencies that use Mailgun as their SMTP provider should almost always use a subdomain. When you're sending for multiple clients, isolating the Mailgun traffic from your agency's main domain is critical.
Confirm DKIM Is Working
Send a test email and check headers:
Authentication-Results: mx.google.com;
       dkim=pass header.i=@mg.yourdomain.com header.s=smtp
If you're using a subdomain, make sure your DMARC policy handles subdomain alignment. With relaxed alignment, mg.yourdomain.com aligns with yourdomain.com.
For Mailgun configurations that need to integrate with your existing email infrastructure, book a consultation and I'll make sure everything plays nicely together.
v1.0 · April 2026
Frequently Asked Questions
How do I set up DKIM in Mailgun?
Add your domain in Mailgun's Sending > Domains section. Mailgun generates DNS records including a DKIM TXT record. Add it to your DNS and click Verify.
Does Mailgun use TXT or CNAME for DKIM?
Mailgun uses TXT records for DKIM by default. The record contains the public key directly, rather than delegating via CNAME.
What DKIM key size does Mailgun use?
Mailgun generates 2048-bit DKIM keys by default. This is the recommended key size for security and compatibility.
Can I use a subdomain with Mailgun?
Yes, and Mailgun recommends it. Using a subdomain like mg.yourdomain.com keeps your sending reputation isolated and avoids conflicts with other email services.
How do I rotate DKIM keys in Mailgun?
Since Mailgun uses TXT records, you'll need to generate a new key in the dashboard and update your DNS manually. There's no automatic rotation like CNAME-based providers offer.