How to set up DMARC for Mailgun

DMARC (RFC 7489) tells receiving mail servers what to do when a message claiming to be from your domain fails SPF or DKIM. You publish exactly one DMARC record at `_dmarc.<your-domain>`, regardless of which ESP you use — DMARC is a domain-level policy, not a per-sender configuration. Mailgun doesn't run DMARC for you, but their SPF + DKIM setup is what makes your DMARC checks pass.

Start every domain at `p=none` with a `rua` (aggregate report) address pointing somewhere you actually read. Watch the reports for two to four weeks to confirm 100% of legitimate mail is aligned, then progress to `p=quarantine` and finally `p=reject`. Skipping the monitoring step is the single most common way founders accidentally block their own mail.

Publish these DNS records

Add the following record(s) to your domain's DNS zone. Most registrars (Cloudflare, Route 53, Namecheap, GoDaddy) accept values exactly as shown.

• If you send through a Mailgun subdomain (e.g. `mg.your-domain.com`), the apex DMARC record applies — DMARC inherits down subdomains unless you publish a separate `_dmarc.mg` record.

Where in Mailgun

The DMARC configuration lives in Mailgun → Sending → Domains → <your-domain> → DNS records.

Verify the records

Once published, run the DMARC Checker on your apex domain to confirm the record parses, reporting URIs are valid, and the policy is what you intended.

Common pitfalls

• Mailgun's EU and US regions have different DNS values (different MX hosts for inbound, different DKIM key hosts). Make sure you're following docs for the region your account is in.
• Older Mailgun guides reference `domainkey` selectors literally; current accounts use the selector you chose in the dashboard.