How to Create an SPF Record for Mailgun
Learn how to create an SPF record for Mailgun. Step-by-step guide to adding the correct SPF include for reliable transactional email delivery.
Mailgun is a developer-focused transactional email service owned by Sinch (formerly Pathwire). If you're running a SaaS product, web application, or any system that sends automated emails -- password resets, order confirmations, notifications -- there's a good chance Mailgun is handling the delivery. But sending through Mailgun without an SPF record means receiving mail servers can't verify those messages are legitimate. The result is emails landing in spam or being rejected outright.
This guide walks you through setting up the correct SPF record for Mailgun so your transactional emails reach the inbox every time.
The SPF Include Value for Mailgun
Here's the include you need for Mailgun:
include:mailgun.org
A complete SPF record with only Mailgun looks like this:
v=spf1 include:mailgun.org -all
Mailgun uses mailgun.org -- not mailgun.com -- for its SPF infrastructure. This is confirmed in Mailgun's domain verification guide. Make sure you use the .org domain or your SPF record won't authorize the correct sending servers.
Dedicated IP Users
If you're on a Mailgun plan with a dedicated sending IP, you have an additional option. Instead of (or alongside) the include, you can authorize your specific IP address directly:
v=spf1 ip4:198.51.100.25 -all
Using ip4 instead of include gives you tighter control and uses zero DNS lookups for that mechanism. However, most Mailgun users are on shared IPs and should stick with include:mailgun.org.
Step-by-Step: Creating Your Mailgun SPF Record
Verify your sending domain in Mailgun
Log in to your Mailgun dashboard and go to Sending > Domains. Add your domain if it's not already listed. Mailgun will display the DNS records you need to add, including SPF and DKIM values.
Generate your SPF record
Use the free SPF record generator to build your SPF record. Select Mailgun from the provider list and add any other services that send email from your domain. The tool creates the correct syntax automatically.
Log in to your DNS provider
Go to the DNS management dashboard for your domain. This might be your registrar (like GoDaddy, Namecheap, or Cloudflare) or a separate DNS host.
Check for an existing SPF record
Look through your TXT records for any entry starting with v=spf1. If one exists, you need to edit it -- not create a second one. A domain must have exactly one SPF record.
Add or update the TXT record
If you don't have an SPF record, create a new TXT record with the Name set to @ (your root domain) and the Value set to your SPF record. If you already have one, edit it and add include:mailgun.org before the all mechanism.
Save and wait for propagation
Save the record. DNS changes typically take a few minutes to 48 hours to propagate depending on your provider. Cloudflare propagates in seconds; others may take longer.
Common SPF Record Combinations With Mailgun
Mailgun handles transactional email, but most businesses also use a separate provider for team email. Here are the most common combinations:
| Setup | SPF Record | Est. Lookups |
|---|---|---|
| Mailgun only | v=spf1 include:mailgun.org -all | ~2 |
| Mailgun + Google Workspace | v=spf1 include:_spf.google.com include:mailgun.org -all | ~5 |
| Mailgun + Microsoft 365 | v=spf1 include:spf.protection.outlook.com include:mailgun.org -all | ~4 |
| Mailgun + Google + Mailchimp | v=spf1 include:_spf.google.com include:mailgun.org include:spf.mandrillapp.com -all | ~7 |
| Mailgun + Microsoft 365 + HubSpot | v=spf1 include:spf.protection.outlook.com include:mailgun.org include:spf.hubspot.com -all | ~6 |
SPF has a 10-lookup limit. Each include uses at least one lookup, and nested includes add more. If you're combining multiple providers, use SPF Record Check to count your total lookups and make sure you're within the limit.
Build your SPF record in seconds
Select your email providers and generate a valid SPF record -- no DNS expertise needed.
Verifying Your Mailgun SPF Record
Once DNS changes have propagated, verify that everything is working correctly.
Go to SPF Record Check and enter your domain. The tool will show your published SPF record, validate the syntax, check for duplicate records, and count DNS lookups. Confirm that include:mailgun.org appears in the record and that no errors are flagged.
You can also send a test email through Mailgun's API or SMTP and check the headers on the receiving end. Look for Authentication-Results: spf=pass to confirm that Mailgun's sending servers are authorized by your SPF record. Mailgun's dashboard also shows delivery and authentication status for each message, which helps with debugging.
Common Mailgun SPF Mistakes
Using mailgun.com Instead of mailgun.org
The most common mistake is using include:mailgun.com in your SPF record. Mailgun's SPF infrastructure lives at mailgun.org. Using the wrong domain means their sending servers won't be authorized, and your emails will fail SPF checks silently.
Creating a Second SPF Record
If you already have an SPF record for another provider (like Google Workspace), don't add a separate TXT record for Mailgun. Two SPF records on the same domain cause a permerror that breaks SPF entirely. Edit your existing record and add the Mailgun include alongside your other providers.
Forgetting Subdomain Configuration
Mailgun recommends setting up a subdomain (like mg.yourdomain.com) for sending rather than using your root domain. If you've configured Mailgun on a subdomain, the SPF record needs to go on that subdomain -- not on the root domain. Check your Mailgun domain settings to confirm which domain you're actually sending from.
Not Updating After Switching to a Dedicated IP
If you upgrade from Mailgun's shared IP pool to a dedicated IP, you can optionally switch from include:mailgun.org to a specific ip4 mechanism. If you keep the include, it still works -- but the dedicated IP gives you more control. Either way, make sure your SPF record reflects your current Mailgun setup.
Complete Your Email Authentication
SPF tells receiving servers which IP addresses can send email for your domain, but it's only one layer of protection. For full email authentication, you need all three protocols working together:
- DKIM adds a cryptographic signature to each outgoing message. Mailgun provides DKIM keys during domain setup that you add as CNAME or TXT records. Use DKIM Creator to generate your DKIM configuration.
- DMARC ties SPF and DKIM together and tells receiving servers what to do when a message fails authentication. Use DMARC Creator to build your DMARC policy.
Setting up all three protocols is the best way to protect your domain from spoofing and maximize your inbox placement rates.
Related Articles
Never miss an SPF issue
Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.
Start Monitoring