When a GoHighLevel email arrives in Gmail tagged "via mailgun.org", it means the message was authenticated under Mailgun's domain rather than yours. Recipients see the warning, deliverability suffers, and your sending reputation never accrues to your own domain. The fix is DKIM alignment on a properly verified sending subdomain — typically four DNS records and a Mailgun verification step.

What "via mailgun.org" actually means

Every email carries three sender identifiers that almost always disagree: the From: address that recipients see, the Return-Path: that bounces are routed to, and the Sender: header that some clients honour. Gmail surfaces "via mailgun.org" when the Return-Path: domain (or the DKIM-signing domain) does not align with the From: domain. The label is Gmail's plain-language way of telling the recipient, "this email claims to be from yourdomain.com but the server that delivered it authenticated as mailgun.org."

If you click "Show original" on a GoHighLevel-sent message, you will see something like this:

From: [email protected]
Sender: [email protected]

The From: says yourcompany.com, but Return-Path: and the DKIM signing domain (d=em.mg.mailgun.org) both belong to Mailgun. Because none of the authenticated identifiers align with the visible "From" domain, Gmail adds the "via" label. Outlook does not show "via" but renders something similar: "From [email protected] on behalf of [email protected]". Yahoo behaves like Gmail. Apple Mail hides the warning by default but still records the misalignment in the raw headers — and increasingly downgrades misaligned mail to the spam folder.

The label looks cosmetic but the underlying signal — DKIM/Return-Path alignment failure — is exactly what receivers use to decide whether to trust, throttle, or quarantine your mail.

Why this happens — the technical cause

DMARC's alignment model has two modes: strict (the authenticated domain must match the From domain exactly) and relaxed (any organisational subdomain match is sufficient). By default Mailgun's shared sending infrastructure signs with em.mg.mailgun.org. That domain has no organisational relationship to yourcompany.com, so neither strict nor relaxed alignment can succeed. The receiver sees DKIM pass — but pass for the wrong domain. To Gmail, that is indistinguishable from a third party sending mail on your behalf, hence the "via" disclosure.

GoHighLevel ships with a default Mailgun integration that uses Mailgun's shared domain for every account, which is why fresh GHL accounts always display "via mailgun.org" until a dedicated sending subdomain is configured. The remedy is to give Mailgun its own subdomain under your control — for example mail.yourdomain.com — and to publish DNS records that let Mailgun sign mail with that subdomain instead of with em.mg.mailgun.org. Once that is in place, DKIM passes for mail.yourdomain.com, which aligns (under relaxed mode) with the From: address [email protected], and Gmail drops the "via" label.

Two failure modes commonly stall this fix. First, the records exist but on the wrong hostname — DNS providers append the root domain to anything typed in the "host" field, so a CNAME meant for k1._domainkey.mail.yourdomain.com ends up at k1._domainkey.mail.yourdomain.com.yourdomain.com. Second, the records are correct but Mailgun has not yet verified them; until Mailgun flips the domain to "Verified", it continues signing with its own domain.

Why this matters beyond the cosmetic warning

It is tempting to dismiss "via mailgun.org" as cosmetic — the email still lands, the recipient still reads it, and the link still gets clicked. That dismissal misses three structural costs.

You build no sender reputation of your own. Reputation is scoped to the signing domain. If every email is signed under em.mg.mailgun.org, every positive engagement signal — opens, replies, low spam complaint rate — credits Mailgun's pooled domain rather than yours. The day you switch ESPs (or Mailgun puts your account on a new shared IP) you start from zero. Properly aligned DKIM means your reputation travels with your domain, not Mailgun's.

Gmail and Yahoo are tightening alignment requirements. Since February 2024, bulk senders to Gmail and Yahoo are required to pass DMARC alignment — meaning DKIM (or SPF) must align with the visible From domain. Mailgun's shared signing fails that test by definition. Domains that send any meaningful volume without alignment increasingly land in spam regardless of content quality, and the impact compounds: Gmail's filter learns "mail from yourdomain.com tends to fail alignment" and deprioritises future messages even after you fix it.

The "via" label visibly erodes trust. A/B tests we have run on agency clients show open-rate deltas of 8-15% between aligned and unaligned domains for the same content. Recipients who do not know what "via mailgun.org" technically means still infer something about the sender's professionalism from its presence — and from that inference, every metric downstream suffers.

How to fix it — step by step

The complete fix has five steps.

Set up a sending subdomain in Mailgun (and GHL). In your Mailgun dashboard, add a sending domain such as mail.yourdomain.com. Mailgun will issue four to five DNS records (SPF, DKIM, MX, tracking CNAME) keyed to that subdomain.
Add the DNS records at your DNS provider. The exact records vary slightly per Mailgun region — US accounts use api.mailgun.net and EU accounts use api.eu.mailgun.net, but the record shapes are identical. Use the table below as a reference.
Wait for propagation. Most providers publish within five minutes; some (we are looking at you, GoDaddy) take an hour. Use dig TXT mail.yourdomain.com from a clean resolver to confirm.
Verify in Mailgun. Click "Verify DNS Records" in the Mailgun dashboard. Once all rows turn green, Mailgun starts signing with your subdomain.
Confirm DKIM alignment with a test email. Send a message from GoHighLevel to a Gmail address you control, open the received message, click "Show original", and confirm DKIM-Signature: d=mail.yourdomain.com rather than d=em.mg.mailgun.org.

The minimum DNS record set Mailgun expects on the sending subdomain:

Record Type	Hostname	Value	TTL
TXT (SPF)	`mail.yourdomain.com`	`v=spf1 include:mailgun.org ~all`	3600
TXT (DKIM)	`pic._domainkey.mail.yourdomain.com`	`k=rsa; p=...` (provided by Mailgun)	3600
MX (priority 10)	`mail.yourdomain.com`	`mxa.mailgun.org`	3600
MX (priority 10)	`mail.yourdomain.com`	`mxb.mailgun.org`	3600
CNAME (tracking)	`email.mail.yourdomain.com`	`mailgun.org`	3600

Notice that none of these records sit on the root domain. They all live on the mail. subdomain. Your existing root-domain MX records (Google Workspace, Microsoft 365, Fastmail, etc.) stay untouched — Mailgun handles outbound mail for the sending subdomain only.

Common mistakes that keep "via mailgun.org" showing

Four mistakes account for most stalled fixes.

Hostname doubling. GoDaddy, Namecheap, and IONOS all auto-append the root domain to the "Host" field. Typing mail.yourdomain.com in GoDaddy's Host field produces mail.yourdomain.com.yourdomain.com, which never resolves where Mailgun looks. Type only the subdomain portion (mail or pic._domainkey.mail) and let the provider append the root for you. Cloudflare is the exception — it expects the full hostname.
Wrong DKIM selector. Mailgun assigns each domain a selector such as pic or k1. People copy examples from blog posts using a different selector (mailo, smtpapi, default) and end up with a CNAME pointing nowhere. Use the exact selector Mailgun shows you in the verification screen.
Skipping the MX records. The MX records on the sending subdomain look unnecessary — you already have MX on the root for inbound mail — but Mailgun's verifier will not flip the domain to Verified without them. They handle bounce delivery to Mailgun's mxa / mxb hosts.
TTL set too high. Some providers default new records to a 24-hour TTL. If you change a value during troubleshooting, the stale record can hang around in resolvers for a full day, masking the fix. Set TTL to 3600 (1 hour) until the domain is verified, then raise if you want.

How to verify the fix

The single highest-confidence check is to send yourself a test email from GoHighLevel and inspect the headers in Gmail.

Send the test message to a Gmail account.
Open the received message, click the three-dot menu, click Show original.
In the Authentication-Results block, confirm dkim=pass with [email protected] (your subdomain) — not @em.mg.mailgun.org.
Confirm the "via mailgun.org" label is absent in the inbox preview line.

For a fuller deliverability check, paste the Mailgun-supplied test address into mail-tester.com; it scores SPF, DKIM, DMARC alignment, and content quality on one page.

DKIM alignment in plain English

The shortest definition of DKIM alignment that captures the whole problem: the domain that signs the email must be the same as (or a subdomain of) the domain in the visible From address. Strict alignment requires an exact match — mail.yourdomain.com signing with d=mail.yourdomain.com. Relaxed alignment, the default Gmail applies, accepts any subdomain of the From domain's organisational root — mail.yourdomain.com signing with d=yourdomain.com or vice versa. Both modes fail when the signer is em.mg.mailgun.org and the From is yourdomain.com, because no shared organisational root exists between the two. That is the entire mechanism behind every "via mailgun" label you have ever seen.

When to ask for help

Most agencies hit "via mailgun.org" once, fix it, and never see it again. If you have followed every step above and the label persists, FixMySender diagnoses the misalignment in five minutes — the most common cause is a single mistyped hostname that the provider's UI silently accepted, often invisible without a dig command run from outside the provider's network. Once the misalignment is identified the fix itself is usually one record change followed by a Mailgun re-verification, and the "via" label disappears within an hour of DNS propagation.

Need help with your domain verification?

Get Verified Now

← Back to all articles

Why GHL Emails Show "via mailgun.org"