Troubleshooting For Email Subdomain

Why Do I Need to Verify My Domain?

Mailgun requires domain verification for two primary reasons. First, it confirms that you are the owner of the domain, preventing unauthorized senders from using your domain in our platform. Second, the SPF and DKIM records authorize our SMTP servers to send on behalf of your domain. This serves to significantly improve your deliverability - our specialty!

DNS records can be a bit tricky, but if you know a few tips, you can greatly enhance your success with the process. Let’s take a look at some common issues seen when attempting to verify your domain.

I Created My Records, but Mailgun Does Not See Them.

You always want to double-check any changes you make to your DNS configuration via both a local and a public query. Local queries can be performed using built-in utilities like dig (Linux/Unix) and nslookup (Windows). 

To verify via a dig command, the syntax is: dig -t <record type> <hostname>

To verify via nslookup, the syntax is: nslookup -q=<record type> <hostname>

In some cases, there might be a local DNS server within your network that will take precedence over public queries. Even if you don’t have a local DNS server, we recommend performing a secondary public query for your domain. One great tool is What’s My DNS - What’s My DNS will query multiple servers around the globe to best gauge the propagation of your changes. 

To use, just enter your hostname and select the record type from the options present in the dropdown.

  • If the correct value is returned - congratulations! The record was successfully created.
  • If you do not see the correct value (or see all red X’s) - something's not quite right yet. Make sure to double-check your configuration and correct your DNS setup as needed.

Note: Some DNS providers' panels will automatically append the root domain name following whatever's placed in the hostname value; for instance, if your domain is, you might only need "mail" in the hostname field, or you could be creating a record for by accident. To help ensure productive use of your time, reach out to your DNS provider to find out how their panel operates.

The DKIM Record Is Verified, but the SPF Is Not

It takes two TXT records to verify your domain: SPF and DKIM. If everything looks good with your DKIM record, but not with your SPF, here are a few elements to check:

  • There can only be 1 SPF record per hostname. If your hostname has more than 1 SPF record, the records will need to be merged into a single value. 
In this case, the issue is occurring due to the separation of the values into two separate entries. The fix is simple - just combine them. You can place the Mailgun include directive ( anywhere after v=spf1 and before ~all. The new value would be: 

v=spf1 ip4: include:smtp.domain.tld ~all

Note: Make sure that your SPF record doesn't exceed 10 lookups, or you'll run into issues.

  • If the hostname has a CNAME in addition to any other record type (e.g. TXT, A, etc.), the CNAME will take precedence.

To resolve this and verify the TXT, the CNAME would need to be removed from the hostname. Alternatively, another sending subdomain would need to be used with the Mailgun account, such as (for this example) mg.domain.tld.
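The merge and the 10-lookup limit described above, as an added example that is not Mailgun's code: it combines every SPF record found on one hostname and counts the terms that cost a DNS lookup, following include: targets. The hostnames, IP addresses and the offline SPF_BY_DOMAIN map standing in for live DNS answers are constructed assumptions.

```python
# Added example; every hostname, IP and record value is constructed sample data.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists")  # RFC 7208, section 4.6.4

def is_spf(txt):
    return txt.lower().split()[:1] == ["v=spf1"]

def merge_spf(txt_records):
    """Combine every v=spf1 record found on one hostname into a single value."""
    terms, all_term = [], None
    for record in filter(is_spf, txt_records):
        for term in record.split()[1:]:
            if term.lstrip("+-~?").lower() == "all":
                all_term = all_term or term  # first wins; differing qualifiers need a human decision
            elif term not in terms:
                terms.append(term)
    return " ".join(["v=spf1", *terms, all_term or "~all"])

def count_lookups(domain, spf_by_domain, seen=None):
    """Count DNS-querying terms, following include: and redirect= targets."""
    seen = set() if seen is None else seen
    if domain in seen or domain not in spf_by_domain:
        return 0  # loop guard, or nothing published for this name
    seen.add(domain)
    total = 0
    for term in spf_by_domain[domain].split()[1:]:
        bare = term.lstrip("+-~?").lower()
        name, _, target = bare.partition(":")
        if bare.startswith("redirect="):
            total += 1 + count_lookups(bare[9:], spf_by_domain, seen)
        elif name.split("/")[0] in LOOKUP_TERMS:
            total += 1
            if name == "include":
                total += count_lookups(target, spf_by_domain, seen)
    return total

# Constructed: two SPF entries (plus an unrelated TXT) published on one hostname.
TXT_ON_HOST = [
    "v=spf1 ip4:192.0.2.10 ~all",
    "v=spf1 include:smtp.domain.tld ~all",
    "site-verification=constructed-token",
]
# Constructed stand-in for the records the include chain would resolve to.
SPF_BY_DOMAIN = {
    "smtp.domain.tld": "v=spf1 ip4:198.51.100.0/24 include:spf2.domain.tld ~all",
    "spf2.domain.tld": "v=spf1 a mx ~all",
}

MERGED = merge_spf(TXT_ON_HOST)
LOOKUPS = count_lookups("mg.domain.tld", {**SPF_BY_DOMAIN, "mg.domain.tld": MERGED})
print(sum(map(is_spf, TXT_ON_HOST)), "SPF records ->", MERGED, "| lookups:", LOOKUPS)
```

Lookups inside included records count toward the limit as well, which is why a short-looking record can still exceed it.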

The Records Are Resolving, but Mailgun Still Says That the Domain Is “Unverified”

Depending on the DNS hosting provider, records can take up to 24-48 hours to fully propagate. A manual verification can be attempted if 24 hours have already passed and the records are confirmed correct via both local and public queries. 

To perform a manual verification and update the DNS records cache, log into your Mailgun control panel. If you're using our classic UI (options across the top, with a silver background) you can follow these instructions: 

  • Click Domains 
  • Select your domain's name 
  • Under Domain Verification & DNS select Check DNS Records Now.

If you're using our beta UI (options displayed down the left-hand side on a dark column): 

  • Click Messages.
  • Select your specific domain.
  • Click Settings. 
  • Select DNS Records. 
  • Click the green Check DNS Records Now button.

Other DNS Records - Optional

While the two TXT records (SPF and DKIM) are all that's required to send messages via Mailgun, you do also have the option to add MX and CNAME records, if you choose. The process for adding these optional records is exactly the same as adding the required TXT records.

MX records are really only needed if you're looking to receive incoming mail for the exact domain or domains you have verified in your Mailgun account; keep in mind - you don't want to point your domain's MX records to Mailgun if you already have incoming mail set up elsewhere. If you do, adding Mailgun MX records will break this configuration, and you won't receive your mail as you have previously.

Note: You only ever want to have one source specified for your MX records, otherwise servers get confused. Bad things happen when servers get confused.

A CNAME record is needed only if you're looking to enable our tracking features, keeping detailed records of Clicks, Opens, and/or Unsubscribes. 

If you are still experiencing any issues after the domain's DNS records are publicly resolving, just reach out to our Support team via the Support tab in your Mailgun control panel!

Which Method Works Best for You?

To get your sending off the ground, after you've got your domain added and fully configured, you need to decide which of our two methods you're going to use: SMTP or API. You'll be using one of the two methods to send via our platform using a sending application of your choice.

Both methods work very well - it's all about what your use case needs happen to be, as well as your personal preferences. At a glance:


SMTP

  • Flexible with existing applications
  • Less technical/coding knowledge necessary
  • Open protocol


API

  • Faster (three times faster!)
  • More technical/coding knowledge necessary
  • No need to craft a MIME (message body) - we assemble it on our side!
  • Better for large scale sending; more volume, to more recipients, with less effort

How Do We Put This Into Practice?

Here's a snapshot of sending via Mailgun with our API:

Here's sample code for sending an email with cURL:


Clicking on links in Grip emails throws a privacy error in Chrome browser

This is because your top level domain has a Strict-Transport-Security policy that includes all subdomains. At Grip, we use a subdomain for email tracking, and the tracking of clicks and opens only works over HTTP, not HTTPS. Because the top level domain now instructs browsers to access all subdomains over HTTPS only, clicking a link in a Grip email throws an error: clicks are tracked through a subdomain that only works over HTTP. To support click tracking, please disable HSTS for all subdomains by removing "includeSubDomains" from the Strict-Transport-Security header your web server sends for your top level domain website.
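The header behaviour described above, as an added example that is not Grip's or Mailgun's code: it parses a Strict-Transport-Security value and reports whether a browser holding that policy would force a given hostname onto HTTPS. The hostnames and header values are constructed assumptions.

```python
# Added example: does an HSTS policy set on the parent domain cover a subdomain?
# Header values and hostnames used with these functions are constructed samples.

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()      # directive names are case-insensitive
        if name in directives:
            return None                  # a repeated directive invalidates the header
        directives[name] = arg.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None                      # max-age is required
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
    }

def forces_https(policy_host, header, target_host):
    """True if a browser that stored this policy upgrades target_host to HTTPS."""
    policy = parse_hsts(header)
    if policy is None or policy["max_age"] == 0:   # max-age=0 deletes the policy
        return False
    policy_host, target_host = policy_host.lower(), target_host.lower()
    if target_host == policy_host:
        return True
    return policy["include_subdomains"] and target_host.endswith("." + policy_host)

if __name__ == "__main__":
    for header in ("max-age=31536000; includeSubDomains", "max-age=31536000"):
        print(header, "->", forces_https("domain.tld", header, "email.domain.tld"))
```

A browser that has already stored the policy keeps applying it to subdomains until it revisits the parent domain and receives the updated header, or until max-age expires. A domain on a browser's HSTS preload list with subdomains included is not affected by the header change at all.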