Published March 21, 2026 · Last updated March 21, 2026
GoHighLevel uses Mailgun (via LeadConnector) to send emails from your domain. For this to work correctly — and for your domain to show as "Verified" in GoHighLevel — Mailgun requires specific DNS records on your sending subdomain. This article explains each record type, what it does, and why it's needed.
What it is: SPF (Sender Policy Framework) is a TXT record that tells receiving email servers which services are authorized to send email on behalf of your domain.
What Mailgun needs: A TXT record on your sending subdomain (e.g., mg.yourdomain.com) with a value that includes include:mailgun.org. A typical SPF record looks like: v=spf1 include:mailgun.org ~all
Why it matters: Without SPF, receiving servers can't confirm that Mailgun is authorized to send email from your subdomain, which can cause emails to be flagged as suspicious or rejected.
What it is: DKIM (DomainKeys Identified Mail) uses cryptographic signatures to verify that an email was sent by an authorized server and wasn't tampered with in transit.
What Mailgun needs: Two CNAME records on your sending subdomain that point to Mailgun's DKIM signing keys. These are typically named pic._domainkey.mg.yourdomain.com and k1._domainkey.mg.yourdomain.com (the exact names are provided by Mailgun for your domain).
Why it matters: DKIM is what removes the "via mailgun.org" warning. When DKIM is correctly configured, emails are signed with your domain's identity instead of Mailgun's.
What it is: MX (Mail Exchange) records tell email servers where to deliver email sent to your domain.
What Mailgun needs: Two MX records on your sending subdomain pointing to mxa.mailgun.org (priority 10) and mxb.mailgun.org (priority 10). These are placed on the sending subdomain, not on your root domain — your root domain's MX records (for Google Workspace, Microsoft 365, etc.) remain unchanged.
Why it matters: MX records on the sending subdomain allow Mailgun to receive bounce notifications and handle inbound routing for that subdomain.
What it is: A CNAME record used for open tracking and click tracking in your emails.
What Mailgun needs: A CNAME record (typically email.mg.yourdomain.com) pointing to mailgun.org. This allows Mailgun to rewrite tracking links to use your domain instead of a generic Mailgun URL.
Why it matters: Without the tracking CNAME, open/click tracking links in your emails use Mailgun's domain, which can look suspicious to recipients and may affect deliverability.
What it is: DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a policy record that tells receiving servers what to do when SPF or DKIM checks fail.
What Mailgun needs: A TXT record on your sending subdomain with a DMARC policy. A basic policy looks like: v=DMARC1; p=none; (monitor mode) or v=DMARC1; p=quarantine; (enforcement mode).
Why it matters: DMARC ties SPF and DKIM together and provides a clear signal to receiving email servers about your authentication posture. Domains without DMARC are increasingly penalized by major email providers.
All five record types work together to establish your sending subdomain as a legitimate, verified sender through GoHighLevel + Mailgun. Missing any one of them can leave your domain in "Pending" or "Failed" status, or cause the "via mailgun.org" warning to appear.
FixMySender scans your sending subdomain for all five record types, identifies exactly what's missing or misconfigured, and generates the correct records formatted for your specific DNS provider.
Need help with your domain verification?
Get Verified Now