Mailgun SPF and DKIM
Mailgun is straightforward compared with some platforms, but confusion still appears around whether to use the root domain, a subdomain and how much traffic should share the same sender identity.
Choose the right domain
Many senders use a dedicated subdomain for Mailgun rather than the root domain. This helps isolate sender reputation and keeps operational changes away from primary business mail.
Authentication records
Publish the DNS records Mailgun gives you for sending, tracking and DKIM signing. Confirm they resolve publicly before testing at scale.
What SPF does here
SPF authorises Mailgun infrastructure to send for the return-path domain. It does not replace the need for DKIM and DMARC.
Validate live mail
Send a message, inspect headers and confirm DKIM passes using the expected signing domain and that DMARC alignment behaves as intended.