DKIM (DomainKeys Identified Mail, RFC 6376) is the cryptographic signature attached to outgoing email so receivers can verify the message wasn't tampered with and that it actually came from a server authorized by your domain. To turn it on for Mailgun, you publish one or more DNS records at `<selector>._domainkey.<your-domain>` containing the public key matching the private key Mailgun uses to sign.
Most ESPs (including Mailgun) ask you to publish CNAME records that point at hosted keys they manage. This is preferable to publishing the raw key text yourself — when the provider rotates keys, your DNS keeps pointing to the rotated key and nothing breaks.
Publish these DNS records
Add the following record(s) to your domain's DNS zone. Most registrars (Cloudflare, Route 53, Namecheap, GoDaddy) accept values exactly as shown.
- Type
TXT- Host
<selector>._domainkey- Value
k=rsa; p=<KEY_FROM_MAILGUN>
- The selector is whatever you choose in Mailgun's dashboard — `mailo`, `mg`, `s1`, etc. Default in newer accounts is `pic`.
- Mailgun publishes the raw RSA public key as TXT, not a CNAME. The advantage: no dependency on Mailgun's hosted-key DNS. The cost: when Mailgun rotates keys, you must update DNS too.
Where in Mailgun
The DKIM configuration lives in Mailgun → Sending → Domains → <your-domain> → DNS records.
Verify the records
After the records propagate, run the DKIM Checker against your domain with each selector to confirm the public key resolves and parses correctly.
dig +short TXT <selector>._domainkey.your-domain.comCommon pitfalls
- Mailgun's EU and US regions have different DNS values (different MX hosts for inbound, different DKIM key hosts). Make sure you're following docs for the region your account is in.
- Older Mailgun guides reference `domainkey` selectors literally; current accounts use the selector you chose in the dashboard.