MailerMonk
    01Free tools
    02Backlink agent03How it works04Pricing
    Sign inStart free trial
    PrivacyTerms
    Chapter · DKIM for Mailgun
    Revised 17 Jun 2026
    Guide · DKIM · Mailgun

    How to set up DKIM for Mailgun.

    Mailgun's authentication is API-driven and slightly more developer-oriented than SendGrid's. They issue both SPF and DKIM records when you add a domain.

    Afsan Rahmatullah
    Afsan RahmatullahMailerMonk

    DKIM (DomainKeys Identified Mail, RFC 6376) is the cryptographic signature attached to outgoing email so receivers can verify the message wasn't tampered with and that it actually came from a server authorized by your domain. To turn it on for Mailgun, you publish one or more DNS records at `<selector>._domainkey.<your-domain>` containing the public key matching the private key Mailgun uses to sign.

    Most ESPs (including Mailgun) ask you to publish CNAME records that point at hosted keys they manage. This is preferable to publishing the raw key text yourself — when the provider rotates keys, your DNS keeps pointing to the rotated key and nothing breaks.

    Publish these DNS records

    Add the following record(s) to your domain's DNS zone. Most registrars (Cloudflare, Route 53, Namecheap, GoDaddy) accept values exactly as shown.

    Record · TXT
    Type
    TXT
    Host
    <selector>._domainkey
    Value
    k=rsa; p=<KEY_FROM_MAILGUN>
    Why this matters
    • The selector is whatever you choose in Mailgun's dashboard — `mailo`, `mg`, `s1`, etc. Default in newer accounts is `pic`.
    • Mailgun publishes the raw RSA public key as TXT, not a CNAME. The advantage: no dependency on Mailgun's hosted-key DNS. The cost: when Mailgun rotates keys, you must update DNS too.

    Where in Mailgun

    The DKIM configuration lives in Mailgun → Sending → Domains → <your-domain> → DNS records.

    Verify the records

    After the records propagate, run the DKIM Checker against your domain with each selector to confirm the public key resolves and parses correctly.

    From a terminal
    dig +short TXT <selector>._domainkey.your-domain.com
    Run the free DKIM checker

    Common pitfalls

    Pitfall
    • Mailgun's EU and US regions have different DNS values (different MX hosts for inbound, different DKIM key hosts). Make sure you're following docs for the region your account is in.
    • Older Mailgun guides reference `domainkey` selectors literally; current accounts use the selector you chose in the dashboard.
    After you publish

    Want to know if it actually keeps working?

    MailerMonk continuously watches your DKIM record, aggregate DMARC reports, and inbox placement — and pings you the moment something drifts. Free for the first domain.

    Start free trial

    About the author

    Afsan Rahmatullah
    Afsan Rahmatullah
    MailerMonk

    Building tools that keep cold email out of spam. Writes about deliverability, DMARC, and what actually moves inbox placement.

    Related · Mailgun

    Other records for Mailgun