Troubleshooting Mailgun Verification and DNS Settings

You added your domain to Mailgun, copied the DNS records into your registrar, clicked the verify button, and nothing happened. The verification status still shows "Unverified" and your emails are stuck in a sandbox that can only send to authorized recipients. This is one of the most common frustrations developers face when setting up Mailgun for the first time.

The good news is that DNS verification failures almost always come down to a small set of predictable issues. This guide covers every common cause and the exact steps to fix each one.

Understanding Domain Authentication Records

Mailgun requires you to add several DNS records to prove domain ownership and enable email authentication. The two most critical records are SPF and DKIM, both implemented as TXT records in your DNS configuration.

SPF stands for Sender Policy Framework. This record publishes a list of servers that are authorized to send email on behalf of your domain. When a receiving mail server gets a message claiming to be from your domain, it checks the SPF record to verify that the sending server is on the approved list. If the server is not listed, the message is more likely to be flagged as spam or rejected entirely.

DKIM stands for DomainKeys Identified Mail. This record contains a public cryptographic key that receiving servers use to verify a digital signature attached to every email you send through Mailgun. The signature proves that the email content was not altered during transit and that it genuinely originated from an authorized sender.

Common Verification Failures and Fixes

The most frequent cause of verification failure is adding DNS records to the wrong domain or subdomain. If Mailgun instructs you to add records for mg.yourdomain.com but you add them to yourdomain.com without the mg prefix, verification will fail every time. Double-check that the hostname field in your DNS settings exactly matches what Mailgun specifies, including any subdomain prefixes.

The second most common issue is DNS propagation timing. After adding or modifying DNS records, the changes need to propagate across the global DNS network. Most modern providers like Cloudflare propagate changes within seconds, but some traditional registrars can take up to 48 hours. If you just added your records, wait at least 30 minutes before troubleshooting further.

Another frequent problem is conflicting SPF records. Your domain can only have one SPF TXT record. If you already have an existing SPF record from another email service like Google Workspace or Microsoft 365, you cannot simply add a second SPF record for Mailgun. Instead, you need to merge both services into a single SPF record by including both authorization directives in one TXT value.
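The merge described above, as an added example that is not part of the original article: merge_spf combines several SPF values into one record and counts the top-level terms that cost a DNS lookup, which RFC 7208 caps at 10 per evaluation. The include: hosts in the sample are assumptions based on the commonly documented values for Google Workspace and Mailgun; use the exact values your dashboards show.

```python
# Added example (not from the original article). Sample SPF values are constructed.
ALL_STRICTNESS = {"+all": 0, "?all": 1, "~all": 2, "-all": 3}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def needs_lookup(term):
    """True for SPF terms that cost a DNS lookup during evaluation."""
    name = term.lstrip("+-~?").lower()
    for sep in (":", "/", "="):
        name = name.split(sep, 1)[0]
    return name in LOOKUP_TERMS


def merge_spf(values):
    """Merge several 'v=spf1 ...' TXT values into one record.

    Returns (record, lookups). Keeping the strictest 'all' seen in the
    inputs is a choice made for this example.
    """
    terms, seen, final_all = [], set(), None
    for value in values:
        parts = value.split()
        if not parts or parts[0].lower() != "v=spf1":
            raise ValueError(f"not an SPF record: {value!r}")
        for term in parts[1:]:
            low = term.lower()
            key = "+all" if low == "all" else low
            if key in ALL_STRICTNESS:
                if final_all is None or ALL_STRICTNESS[key] > ALL_STRICTNESS[final_all]:
                    final_all = key
            elif low not in seen:  # drop duplicate mechanisms
                seen.add(low)
                terms.append(term)
    # Only top-level terms are counted; nested includes add their own lookups.
    lookups = sum(needs_lookup(t) for t in terms)
    if lookups > 10:
        raise ValueError(f"{lookups} lookup terms exceed the RFC 7208 limit of 10")
    record = " ".join(["v=spf1", *terms] + ([final_all] if final_all else []))
    return record, lookups


if __name__ == "__main__":
    existing = "v=spf1 include:_spf.google.com ~all"  # assumed existing record
    mailgun = "v=spf1 include:mailgun.org ~all"       # assumed Mailgun value
    print(merge_spf([existing, mailgun]))
```

Publish the returned record as the only v=spf1 TXT value on that hostname and delete the originals.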

Verifying Your Records Independently

Before relying on Mailgun's verification button, you should verify your DNS records independently using a tool like MXToolbox or the dig command in your terminal. These tools query actual DNS servers and show you exactly what records are currently published for your domain.

Run a TXT record lookup for your sending subdomain and confirm that both the SPF and DKIM values appear correctly. Compare the exact text strings character by character with what Mailgun displays in your dashboard. Even a single extra space or missing character will cause verification to fail.
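The comparison described above can be scripted, shown here as an added example that is not part of the original article. It parses the output of `dig +short TXT <hostname>`, rejoins long values that DNS splits into several quoted chunks (common for DKIM keys), and reports duplicate SPF records and whitespace-only differences. The sample output and key material are constructed placeholders.

```python
# Added example (not from the original article). All sample data is constructed.
import re


def parse_dig_txt(output):
    """Turn `dig +short TXT name` output into one string per TXT record."""
    records = []
    for line in output.splitlines():
        # One record may be printed as several quoted chunks: "part1" "part2"
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks:
            joined = "".join(chunks)
            # Undo dig's backslash escapes such as \" and \;
            records.append(re.sub(r"\\(.)", r"\1", joined))
    return records


def squash(text):
    """Remove all whitespace so whitespace-only differences can be detected."""
    return re.sub(r"\s+", "", text)


def check_txt(dig_output, expected):
    """Compare published TXT records with the value shown in the dashboard."""
    published = parse_dig_txt(dig_output)
    findings = []
    spf = [r for r in published if r.lower().startswith("v=spf1")]
    if len(spf) > 1:
        findings.append("multiple-spf")  # a hostname may publish only one
    if expected in published:
        findings.append("match")
    elif any(squash(r) == squash(expected) for r in published):
        findings.append("whitespace-mismatch")
    else:
        findings.append("missing")
    return findings


if __name__ == "__main__":
    # Constructed output: a DKIM value split into two chunks by the DNS host.
    dkim_dig = '"k=rsa; p=MIGfEXAMPLE" "KEYEXAMPLE"\n'
    print(check_txt(dkim_dig, "k=rsa; p=MIGfEXAMPLEKEYEXAMPLE"))
```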

Setting Up MX Records for Inbound Routing

If you want Mailgun to handle inbound email receiving in addition to outbound sending, you also need to add MX records pointing to Mailgun's servers. These records are separate from the SPF and DKIM authentication records and serve a completely different purpose.

Be extremely careful when adding MX records if your domain already receives email through another provider. Adding Mailgun MX records without removing or correctly prioritizing your existing records will cause email routing conflicts that can result in lost messages. If you only need outbound sending, skip the MX records entirely.

DMARC Alignment for Maximum Deliverability

After SPF and DKIM are verified, the final step for maximum deliverability is adding a DMARC record. DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It tells receiving servers what to do when an email fails SPF or DKIM checks: do nothing, quarantine it, or reject it outright.

Start with a monitoring-only DMARC policy that reports failures without blocking any email. This lets you identify authentication problems before enforcing strict rejection policies that could accidentally block legitimate messages from reaching your customers.
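An added example, not part of the original article, that classifies a DMARC TXT value (published at _dmarc.<your domain>) by rollout stage. It flags the case where p=none is set without a rua reporting address, because then the monitoring phase produces no reports to review. The mailbox address is a constructed placeholder.

```python
# Added example (not from the original article). Sample records are constructed.

def parse_dmarc(value):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value)."""
    pairs = []
    for part in value.split(";"):
        if "=" in part:
            tag, val = part.split("=", 1)
            pairs.append((tag.strip().lower(), val.strip()))
    return pairs


def dmarc_stage(value):
    """Classify a DMARC record by the policy it asks receivers to apply."""
    pairs = parse_dmarc(value)
    # RFC 7489 requires the version tag to come first with the value DMARC1.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return "invalid"
    tags = dict(pairs)
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    if policy == "none":
        # Monitoring is only useful if aggregate reports are sent somewhere.
        return "monitoring" if tags.get("rua") else "monitoring-no-reports"
    return "enforcing:" + policy


if __name__ == "__main__":
    samples = [
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",  # start here
        "v=DMARC1; p=none",                                        # no reports
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    ]
    for record in samples:
        print(dmarc_stage(record), "<-", record)
```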

Get Your Email Verified and Delivering

Every hour your domain stays unverified is an hour your transactional emails are stuck in a testing sandbox, unable to reach real customers. DNS configuration errors are fixable, but they require precision and patience to diagnose correctly.

We troubleshoot and resolve email authentication issues routinely for businesses that need their systems working immediately. Subscribe to Surefire Studios today and let us handle the technical complexity so your emails deliver reliably from day one.