Julien Liabeuf

MailGun and NameCheap: SPF and DKIM Validation

October 15, 2015 | 2 Minute Read | 41 Comments

When working on client projects, e-mail delivery is a primary concern. Most of my clients (most people in general I assume) use e-mail quite extensively for lead generation on their site.

Making sure e-mails are correctly delivered is crucial. Unfortunately, the basic way e-mails are sent out with website is quite unreliable. The common function used in PHP for instance is mail(). As a WordPress specialist, I very often work with its WordPress wrapper wp_mail().

What this function does is send the e-mails using the hosting server itself. This is very dangerous, especially when using shared hosting. Poor delivery and blacklisting are the two major risks.

Email Delivery Services

I'm not going to list all the reasons why you shouldn't use a hosting server to send out e-mails. I'm just going to say that it is more than recommended to use a dedicated e-mail delivery service. There are plenty available. Mandrill, MailGun, SendGrid, MailJet...

For all the small clients I've been working with, I've always used Mandrill (made by MailChimp). They offered a pretty nice free plan that was more than enough for small businesses. However, they stopped this free plan not long ago.

As I was working on yet another small business's site, I turned towards MailGun. It also is a well made delivery service. However, I encountered one problem when trying to validate the domain (mandatory to start using the service).

MailGun & NameCheap

I am a huge fan of NameCheap for domains management. Their prices are really good, and the support has always been outstanding for me.

Validating your domain on MailGun using NameCheap is not exactly done as described in MailGun documentation. I've been able to figure out how to make this work after a bit of research.

You're asked by MailGun to add an SPF and a DKIM record to your domain hosts. You can Google that around if you don't know what it is. Instead of just copy/pasting the records as MailGun shows them, here is what you wanna do.

SPF Record

With NameCheap, the SPF record should NOT contain the domain name as the host, but @ instead (which is basically a shorthand for your domain name).

The SPF record in NameCheap should look like this (the pattern is host | value | record type):

@ | v=spf1 include:mailgun.org ~all | TXT Record

Troubleshooting

If the SPF won't validate, you can check it with MXToolbox: http://mxtoolbox.com/SuperTool.aspx?action=mx:YOURDOMAIN.COM&run=toolpage

If it shows the correct SPF record, then just wait. If not, check your settings again.

DKIM Record

Regarding the DKIM record, two things need to be changed.

First of all, the host should NOT contain your domain name. It should simply be pic._domainkey.

Second of all, you want to add the DKIM version at the beginning of the value: v=DKIM1. Your record should look something like that (again: host | value | record type):

pic._domainkey | v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBVxKp59mzTBGjleRsxzLg0ESZcDRQSgwwBiUtsllnYNvGZRJbdyfe4rxpoi0+yQvetgrthyA3j2OMpI3IKzo5mFoKBO11wgS5mM8ryjkLCeQtyjtyU02LIDVTfxYY66WOavBvp/PiY+2erWnxqmW0QDB+HNLIaE+JV0dhp85vhxFWQIDAQAB | TXT Record

Troubleshooting

If the DKIM won't validate, you can check it with MXToolbox: http://mxtoolbox.com/SuperTool.aspx?action=dkim:YOURDOMAIN.COM:DOMAINKEY&run=toolpage#

When replacing DOMAINKEY, use the part that's before _domainkey and don't include any ..

If it shows the correct DKIM record, then just wait. If not, check your settings again.

41 Comments

I’ve been wondering what the hell was going on for two days. Couldn’t find anything on the Web to help me. That is, until I stumble upon your blog post. Thank you!

How did you find that solution?

Happy it helped someone Kim!

I was already familiar with the domainkey format with NameCheap so I just did that instead of following MailGun’s docs.

For the rest, I’ve been reading around how DKIM works and finally found a working configuration ?

Unfortunately MailGun’s support hasn’t been very helpful in this situation, that’s why I thought it’d be good to share the solution.

Julien,

Great tutorial, I have almost everything passing when making the correction with the DKIM record.

Now the issue is that the DKIM will not pass validation. Any ideas?

The error I’m getting is:

We couldn’t find this record when we checked your DNS records. Please check you’ve entered it correctly with your DNS provider.

I just added troubleshooting steps in the article ;)

Thanks for sharing. Question on the SPF record. If my mailgun domain uses a subdomain like mg.example.com, do I still use @ as the host in my SPF record?

Well that’s a good question. If I’m correct, the SPF is linked to a TLD so I would go for using @ still. I’d be curious to have your confirmation though after you tried it.

I can give additional info. I just set this up with a subdomain. And your website helped, there are no errors, and it’s very annoying.

If you use a subdomain: mg.example.com or email.mg.example.com the following happens:

I used “mg” as the host value of the SPF record. Not @ symbol.

For the other I used “mailo._domainkey.mg” I did have to add the DKIM as suggested here.

Hope that helps others with their setup!!

Thank you Dan, Julien, and also Andres (farther down). This helped a lot.

Thanks for taking the time to post this here, this solution worked for me as well (using the mg. subdomain).

I followed the instructions in the post and still wouldn’t verify.

Without this post I won’t be able to finish the mailgun domain verification.

Thanks for sharing!

Thank you, Julien! Had the same issue using SparkPost and Namecheap.

Your post showed me the light!

My domain validated easily following MailGun’s instructions, but I get an error (“Mailgun HTTP API Test Failure”) when using the “Test Configuration” button in Wordpress. I get similar results when using SMTP with and without authentication.

Have you experienced anything like this, if so what was your fix?

The only times I’ve had this problem is when the domain was not properly validated. Does Mailgun tell you that everything is validated for your domain?

Thanks for sharing. Wouldn’t have finished the configuration without your post.

Aaaaaaaand thanks again for the clarifications :)

This was so immensely helpful, such a pain that the docs are incorrect/incomplete on mailgun. But your post and configs did the trick!

“When replacing DOMNAIKEY, use the part that’s before _domainkey and don’t include any .”

This is so confusing.

If my domain is streamhunt.io - what am I using as the host?

Are you trying to check your record with MXToolbox? If so, the URL to use should be something like http://mxtoolbox.com/SuperTool.aspx?action=dkim:streamhunt.io:DOMAINKEY&run=toolpage# where DOMAINKEY is the string that Mailgun gave you (eg. pic if Mailgun gave you pic._domainkey).

If you’re talking about the host record through, the host should simply be xxx._domainkey.

Thanks for this really helpful info!

Is there also something we need to do differently with the CNAME record that Mailgun suggests we add to DNS settings? This is what they suggest:

Type: CNAME Host: email.**.com Value: mailgun.org

However Mailgun isn’t picking up any DNS settings after I add the above to Namecheap DNS. Mxtoolbox seems to recognize the changes just fine.

There is nothing to change for the email.xxx record. I guess you just need to give it some time. Mailgun is really slow to pick up changes.

Thank you so much!

Mailgun should update their instructions! I took me few hours to trying to figure out the issue and you solve it in minutes.

By the way, Dan Seals response for using a subdomain was the key as well.

Thanks both of you! :D

My pleasure Gabo! And thanks for confirming Dan’s message :)

Merci!!!

Hi! It looks like Namecheap has updated their DNS setup tool. Now you directly make TXT records, and there are no options available for making the record types you detail here.

Is it still the same procedure?

Thanks!

It’s exactly the same, Ryan. Just add a new TXT record as described in the article, using @ as the host.

Thanks a lot Julien, wouldn’t have solve this without your blog and Dan’s reply on subdomains. In case it help to clarify the info in the blog to beginners like me I’ll share what I used for my setup with subdomain ‘mail’ (Same as Dan’s):

For the DKIM: HOST: xx._domainkey.mail VALUE: Included v=DKIM1; as suggested above (where ‘xx’ are the two letters appearing before ‘._domainkey’ in the Host section of the DKIM record provided by Mailgun.

For SPF: HOST: mail

The site recommended above validated the SPF record instantly although it took some time for Mailgun to recognise the change. On the contrary, I couldn’t validate the DKIM through the site whilst eventually was approved by mailgun.

Thanks again Julien!

Hey, Andres. Glad this post helped you, and thanks for sharing the info about using sub-domains :) Hopefully it will help others, too.

Needed this info to run mailgun on namecheap. couldn’t have done it without the post and a few of the comments. thank you!

Hi Julien,

I can’t seem to make my DKIM verification go through.

I hope you can help me out here…

For host name, I’ve input: k1._domainkey

Regarding the value, I don’t know if just copying and pasting should be the answer because I’ve noticed the capitalization of some letters change (on namecheap) when I paste the value.

Hope to here from you soon,

Thank you!

The value should indeed be a simple copy/paste. Have you tried checking the record using MX Toolbox?

Thank you so much. I was hacking at this for several hours as well!

As of January 2017, I only got it working by providing “mg” and “pic._domainkey.mg” as the host names in the namecheap configuration.

Other than that, it did work fine!

Could be a new host that MailGun’s using. Thanks for reporting Xavier :)

Thanks for the troubleshooting help – made rookie mistake this warns about (for DKIM setup with Zoho):

“First of all, the host should NOT contain your domain name.”

You just saved me with this post. Thanks a lot!

Thank you so much! Hard to believe Mailgun doesn’t fix the instructions about the DKIM record so it’s not necessary to file a ticket for help that won’t come anyway. :-) With your help, finally got things right.

man, you have not clue how helpful this was … I’ve been at this a week. Thanks.

wow this is awesome, thanks. These changes propagated immediately. They really need to get on with this documentation

Hey man, thenk you so much for your article. I have a question now, how long it takes the SPF record to propagate? I’m in US and the DKIM was really fast but not the other one. So how long I have to wait?

Your SPF record should be propagated by now :D It usually takes up to 24 hours depending on the registrar.

Leave a Comment