Fix DMARC Failure with Mailgun Domain Mismatch
Why Is DMARC Failing on My Mailgun Emails?
The most common reason DMARC fails with Mailgun is a domain alignment mismatch. Your DMARC record requires that the domain in the visible From header matches the domain used for SPF or DKIM authentication. When you send through Mailgun using their shared domain (e.g., sandboxXXXX.mailgun.org) but your From address is you@yourdomain.com, neither SPF nor DKIM will align — and DMARC fails.
This is not a bug. It is working exactly as designed. DMARC is telling you that the authentication chain does not match your sending identity.
What Does "Alignment" Mean in DMARC?
DMARC alignment checks whether the domain in your email's From header matches the domain that passed SPF or DKIM:
| Check | What It Compares |
|---|---|
| SPF alignment | From header domain vs. Return-Path (envelope sender) domain |
| DKIM alignment | From header domain vs. DKIM signing domain (d= tag) |
For DMARC to pass, at least one of these must align. If neither does, DMARC fails regardless of whether SPF and DKIM individually pass.
How to Fix It: Step by Step
Step 1: Add Your Custom Domain in Mailgun
Stop using the Mailgun sandbox domain. In your Mailgun dashboard:
- Go to Sending → Domains
- Click Add New Domain
- Enter your domain (e.g., mail.yourdomain.com or yourdomain.com)
Step 2: Configure DNS Records
Mailgun will provide you with DNS records to add. You will need:
SPF record — Add Mailgun's sending IPs to your SPF record:
v=spf1 include:mailgun.org ~all
If you already have an SPF record, merge the include:mailgun.org into your existing record. Do not create a second SPF TXT record — only one is allowed per domain.
DKIM record — Mailgun generates a DKIM key pair for your domain. Add the provided TXT record:
smtp._domainkey.yourdomain.com TXT "k=rsa; p=MIGfMA0GCSq..."
CNAME tracking record — Mailgun may also ask for a CNAME for click/open tracking.
Step 3: Verify Domain in Mailgun
Click Verify DNS Settings in the Mailgun dashboard. All records should show green checkmarks. If verification fails, wait and retry: DNS propagation can take up to 48 hours, but usually completes within minutes.
Step 4: Confirm DMARC Alignment
Send a test email and check the headers. You should see:
Authentication-Results:
dkim=pass header.d=yourdomain.com
spf=pass
dmarc=pass
The critical part is header.d=yourdomain.com in the DKIM result — this confirms DKIM alignment with your From address.
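The header check from Step 4 can be scripted. The following is an added example, not Mailgun's or the original page's code: it reads the From and Authentication-Results headers of a raw message and reports DKIM and SPF alignment under strict or relaxed mode. The function names, the receiver name mx.receiver.example and both sample messages are constructed, and the organizational-domain rule is a simplification (the last two labels instead of the Public Suffix List).

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # ASSUMPTION: organizational domain = last two labels. Real DMARC
    # evaluators use the Public Suffix List (this is wrong for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_dom, auth_dom, mode):
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    if mode == "s":
        return from_dom.lower() == auth_dom.lower()
    return org_domain(from_dom) == org_domain(auth_dom)

def check_alignment(raw_message, adkim="r", aspf="r"):
    msg = message_from_string(raw_message)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    results = " ".join(msg.get_all("Authentication-Results", []))
    # Only mechanisms that passed can contribute to a DMARC pass.
    dkim_doms = re.findall(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", results)
    spf_doms = [m.rpartition("@")[2] for m in
                re.findall(r"spf=pass\b[^;]*?smtp\.mailfrom=([^\s;]+)", results)]
    dkim_ok = any(aligned(from_dom, d, adkim) for d in dkim_doms)
    spf_ok = any(aligned(from_dom, d, aspf) for d in spf_doms)
    return {"from": from_dom, "dkim_aligned": dkim_ok,
            "spf_aligned": spf_ok, "dmarc_aligned": dkim_ok or spf_ok}

# Constructed sample headers (not captured from real mail).
SANDBOX = (
    "Authentication-Results: mx.receiver.example;\n"
    " dkim=pass header.d=sandboxXXXX.mailgun.org;\n"
    " spf=pass smtp.mailfrom=bounce@sandboxXXXX.mailgun.org\n"
    "From: You <you@yourdomain.com>\n"
    "Subject: test\n\nbody\n"
)
CUSTOM = (
    "Authentication-Results: mx.receiver.example;\n"
    " dkim=pass header.d=mail.yourdomain.com;\n"
    " spf=pass smtp.mailfrom=bounce@mailgun.org\n"
    "From: You <you@yourdomain.com>\n"
    "Subject: test\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("sandbox", SANDBOX), ("custom", CUSTOM)):
        print(name, "relaxed:", check_alignment(raw))
        print(name, "strict: ", check_alignment(raw, adkim="s", aspf="s"))
```

Only rely on an Authentication-Results header that was added by your own receiving mail server; copies inserted earlier in the delivery path can be forged.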
Common Mistakes That Cause Mailgun DMARC Failures
Using the sandbox domain in production. The sandbox domain (sandboxXXXX.mailgun.org) will never align with your custom domain. It is meant for testing only.
Sending from a subdomain without DKIM. If you set up Mailgun on mail.yourdomain.com but send from yourdomain.com, DKIM alignment will fail under strict mode. Either send from the same domain or use relaxed alignment in your DMARC record:
v=DMARC1; p=quarantine; aspf=r; adkim=r; rua=mailto:dmarc@yourdomain.com
Having two SPF records. Only one SPF TXT record is allowed per domain. If you add a second one, both will fail. Merge all include: directives into a single record.
Forgetting to update the Return-Path. Mailgun lets you set a custom Return-Path domain (envelope sender). If this is still set to a Mailgun domain, SPF alignment will fail. Configure it to match your sending domain.
How Do I Check If My Mailgun Emails Pass DMARC?
The fastest way is to inspect the raw email headers of a received message. Look for the Authentication-Results header. It will show pass/fail for SPF, DKIM, and DMARC individually.
For ongoing monitoring, set up a DMARC rua address to receive aggregate reports. These XML reports show every authentication result for email sent from your domain — including which messages are failing and why.
FAQ
Can I use Mailgun's shared IP pool and still pass DMARC?
Yes, as long as you have configured a custom sending domain with proper DKIM signing. SPF alignment may not work with shared IPs (since the Return-Path may still use a Mailgun domain), but DKIM alignment will pass if your domain's DKIM key is set up correctly.
Does Mailgun support DMARC alignment for subdomains?
Yes. If you configure mail.yourdomain.com in Mailgun and send from mail.yourdomain.com, alignment works under both strict and relaxed modes. If you send from yourdomain.com but authenticate via mail.yourdomain.com, you need relaxed alignment (adkim=r).
How long does it take for DNS changes to propagate?
Most DNS changes propagate within 5–30 minutes, though it can take up to 48 hours in rare cases. Use a tool like dig or an online DNS checker to verify your records before testing.