How to resolve Mailgun domain setup, DMARC, DKIM, BIMI, and IP blacklist issues?
Michael Ko
Co-founder & CEO, Suped
Published 7 May 2025
Updated 19 Aug 2025
Dealing with email deliverability issues can feel like a constant uphill battle. From ensuring your domain is properly configured with your sending service to navigating the complexities of email authentication protocols and avoiding dreaded IP blacklists, there's a lot to manage. Many of us, especially those using platforms like Mailgun, encounter similar challenges that can significantly impact email performance.
I've personally seen how quickly seemingly small misconfigurations can snowball into major deliverability headaches, leading to emails landing in spam folders or, worse, not being delivered at all. The good news is that most of these issues are solvable with a systematic approach and a clear understanding of what each component does. Let's dive into how to tackle common Mailgun domain setup, DMARC, DKIM, BIMI, and IP blacklist problems, and get your emails reliably reaching the inbox.
Proper domain setup is the foundation of good email deliverability. For Mailgun users, this involves more than just adding your domain to the control panel. You need to verify it thoroughly, which typically means adding specific DNS records, including SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). These records act as digital signatures, telling recipient servers that your emails are legitimate and authorized to be sent from your domain.
A common issue I see is a DKIM misconfiguration. This could be due to an incorrect public key published in your DNS, a wrong selector, or even hidden characters copied during setup. It's crucial to ensure the DKIM record published in your DNS perfectly matches what your email service provider, like Mailgun, expects. Any discrepancy can cause authentication failures and impact your inbox placement. You can also explore a comprehensive overview of email authentication protocols.
Common SPF/DKIM issues
Duplicate SPF records: Having more than one SPF TXT record can invalidate your authentication. All SPF mechanisms should be combined into a single record. Learn how to properly set up SPF and DKIM.
Incorrect DKIM selector: Ensure the selector used in your DKIM record matches what Mailgun has provided. Small typos can lead to authentication failures.
DNS propagation delays: After updating DNS records, it can take up to 48 hours for changes to propagate globally. Patience is key, but consistent checking is advised.
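The checks described above can be run offline against TXT values exported from your DNS. The following is an added example, not Mailgun's or the author's code; the zone data, the selector `s1`, and the key are constructed placeholders, and `lint_spf` / `lint_dkim` are hypothetical helper names.

```python
import base64

def lint_spf(zone, domain):
    """Enforce the one-SPF-record rule on the TXT records at `domain`."""
    spf = [r for r in zone.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return [f"{len(spf)} SPF records: merge them into one"]
    return []

def lint_dkim(zone, domain, selector, expected_key):
    """Compare the published DKIM record with the key the provider issued."""
    name = f"{selector}._domainkey.{domain}"
    records = zone.get(name)
    if not records:
        others = sorted(n for n in zone if n.endswith("._domainkey." + domain))
        return [f"no TXT record at {name}; DKIM names present: {others}"]
    txt, problems = records[0], []
    # Anything outside printable ASCII is a copy-and-paste artifact
    hidden = sorted({f"U+{ord(c):04X}" for c in txt if not 32 <= ord(c) <= 126})
    if hidden:
        problems.append("hidden or non-ASCII characters: " + ", ".join(hidden))
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            tags[tag.strip()] = "".join(value.split())  # whitespace inside p= is legal
    key = tags.get("p")
    if not key:
        problems.append("p= tag missing or empty (no usable public key)")
        return problems
    try:
        base64.b64decode(key, validate=True)
    except ValueError:
        problems.append("p= is not valid base64")
    if key != expected_key:
        problems.append("p= differs from the key issued by the provider")
    return problems

# Constructed sample data: example.com zone and a placeholder key, not real values.
KEY = base64.b64encode(b"constructed placeholder, not a real RSA key").decode()
ZONE = {
    "example.com": ["v=spf1 include:spf.example.net ~all", "v=spf1 ip4:192.0.2.10 -all"],
    "s1._domainkey.example.com": [f"v=DKIM1; k=rsa; p={KEY[:20]}\u200b{KEY[20:]}"],
}

if __name__ == "__main__":
    print(lint_spf(ZONE, "example.com"))
    print(lint_dkim(ZONE, "example.com", "s1", KEY))
    print(lint_dkim(ZONE, "example.com", "sl", KEY))  # selector typo: "sl" for "s1"
```

The zero-width space in the sample DKIM value is invisible in most editors, which is why the check reports code points rather than echoing the record.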
Troubleshooting DMARC configuration and reporting
DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds upon SPF and DKIM, providing a policy layer that tells recipient servers what to do with emails that fail authentication. It also provides valuable reports, giving insight into who is sending email on behalf of your domain. A common frustration is when DMARC changes are not reflected in Mailgun. This usually points to an issue with your DMARC record's reporting addresses.
For Mailgun to provide DMARC results, your DMARC record's rua (aggregate report) tag needs to be configured correctly to send reports to Mailgun's DMARC backend (which is provided by Red Sift). Additionally, if you're trying to receive forensic reports via the ruf tag, you must include mailto: before the email address. Without this, some providers might not send reports, or your DMARC reporting service won't process them. This is a common oversight that I've seen many times.
Correcting your DMARC record
Ensure your DMARC record explicitly uses mailto: for any email addresses in the rua and ruf tags. For example, rua=mailto:reports@yourdomain.com.
This ensures that DMARC reports are correctly sent to the specified addresses, allowing you to monitor your domain's email authentication. Regularly monitoring these reports is key to quickly identifying and resolving issues. You can find more about implementing DMARC and what it entails.
It's also important to ensure alignment. DMARC works by checking that the domains in your SPF and DKIM records align with the From domain visible to the end-user. If SPF or DKIM pass, but the domains do not align, the email can still fail DMARC. This is a common cause of DMARC failures, even when SPF and DKIM appear correctly set up. For further guidance, consider this resource on troubleshooting DMARC failures.
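The alignment rule above, worked through as an added example (not code from this article or from Mailgun). The domains are constructed, `aspf`/`adkim` are the DMARC alignment-mode tags, and `org_domain` is a deliberate simplification: real receivers derive the organizational domain from the Public Suffix List.

```python
def org_domain(domain):
    """Approximate the organizational domain as the last two labels.
    Assumption of this example: receivers use the Public Suffix List,
    so this shortcut is wrong for suffixes such as co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_verdict(from_domain, spf, dkim_sigs, aspf="r", adkim="r"):
    """spf is (result, envelope-from domain); dkim_sigs is a list of (result, d= domain)."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim)
                  for res, d in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed cases: the visible From domain is example.com in all three.
SPF_VIA_ESP = ("pass", "bounces.esp.example.net")  # SPF passes, but for the ESP's domain

def unaligned():
    # Both checks pass, neither domain matches the From domain -> DMARC fails
    return dmarc_verdict("example.com", SPF_VIA_ESP, [("pass", "esp.example.net")])

def custom_dkim():
    # DKIM signed with a subdomain of the From domain -> relaxed alignment passes
    return dmarc_verdict("example.com", SPF_VIA_ESP, [("pass", "mg.example.com")])

def custom_dkim_strict():
    # Same message, but the DMARC record sets adkim=s -> the subdomain no longer aligns
    return dmarc_verdict("example.com", SPF_VIA_ESP, [("pass", "mg.example.com")], adkim="s")

if __name__ == "__main__":
    for case in (unaligned, custom_dkim, custom_dkim_strict):
        print(case.__name__, case())
```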
Implementing BIMI for enhanced brand visibility
BIMI (Brand Indicators for Message Identification) is an emerging standard that allows you to display your brand's logo next to your authenticated emails in supported inboxes. While not directly a deliverability factor, it significantly boosts brand recognition and trust, which can indirectly lead to better engagement and sender reputation over time. The main challenge with BIMI is its stringent requirements.
To implement BIMI, your domain must have a DMARC policy enforced at p=quarantine or p=reject. If your DMARC is still set to p=none, you won't be able to leverage BIMI. Additionally, your logo must be a VMC (Verified Mark Certificate) protected SVG file, a requirement that adds a layer of complexity for many. This is a crucial step in improving your sender reputation.
Ensuring BIMI compliance
DMARC policy: Gradually move your DMARC policy from p=none to p=quarantine or p=reject as you become confident in your authentication setup. This is a prerequisite for BIMI.
VMC requirement: Obtain a Verified Mark Certificate for your logo. This certificate verifies your brand's ownership of the logo and is required by most BIMI-supporting email clients.
SVG format: Ensure your logo is in a properly formatted SVG file that adheres to BIMI specifications. Improper SVG formatting is a common cause of display issues. For more on BIMI's value, check out understanding BIMI's business value.
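A record check covering two points made on this page: the mailto: prefix required in rua and ruf, and the enforced policy BIMI depends on. This is an added example, not code from the article or from Mailgun; `lint_dmarc` is a hypothetical helper and the records and addresses are constructed.

```python
def lint_dmarc(txt):
    """Parse a DMARC TXT value, list its problems, and return a corrected copy."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            tags[tag.strip().lower()] = value.strip()
    problems = []
    if list(tags.items())[:1] != [("v", "DMARC1")]:
        problems.append("record must begin with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        problems.append(f"p={policy or '(missing)'} is not a valid policy")
    for tag in ("rua", "ruf"):
        if tag not in tags:
            continue
        uris = [u.strip() for u in tags[tag].split(",") if u.strip()]
        for uri in uris:
            if not uri.lower().startswith("mailto:"):
                problems.append(f"{tag}: {uri} lacks the mailto: prefix")
        # Rewrite the tag with the prefix added where it was missing
        tags[tag] = ",".join(
            u if u.lower().startswith("mailto:") else "mailto:" + u for u in uris)
    if "rua" not in tags:
        problems.append("no rua tag: aggregate reports are not requested")
    return {
        "problems": problems,
        # BIMI prerequisite stated above: policy enforced at quarantine or reject
        "bimi_ready": policy in ("quarantine", "reject"),
        "corrected": "; ".join(f"{t}={v}" for t, v in tags.items()),
    }

# Constructed sample records (placeholder addresses, not Mailgun's reporting address).
BROKEN = "v=DMARC1; p=none; rua=reports@example.com, mailto:agg@example.net; ruf=forensics@example.com"
ENFORCED = "v=DMARC1; p=reject; rua=mailto:reports@example.com"

if __name__ == "__main__":
    for record in (BROKEN, ENFORCED):
        print(lint_dmarc(record))
```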
Addressing IP and domain blacklist issues
IP and domain blacklists (also known as blocklists) are lists maintained by various organizations that track IPs and domains associated with sending spam or malicious email. If your Mailgun IP or sending domain ends up on one, it can severely impact your deliverability. The challenge is knowing which blocklists truly matter. For instance, being listed on UCEPROTECT is often brought up as a concern, but from my experience, it has very little impact on email deliverability for most mainstream mailbox providers, especially if you're not seeing bounces. Major ISPs typically rely on their own internal blocklists and other, more influential public ones.
Monitoring various blocklists is important, but prioritize those that are widely used by mailbox providers. If you find your IP or domain on a critical blacklist (like Google Postmaster Tools, Spamhaus, or Return Path), prompt action is required. This often involves identifying the root cause of the listing (e.g., sending to spam traps, high complaint rates), stopping the activity, and then following the delisting process of the specific blocklist. For more information, read this in-depth guide to email blacklists.
Key takeaways for reliable email deliverability
In the complex world of email deliverability, resolving issues with Mailgun domain setup, DMARC, DKIM, BIMI, and IP blacklists requires diligence and a proactive approach. Each component plays a vital role in ensuring your emails reach their intended recipients. By systematically addressing configuration issues, interpreting authentication reports, and understanding the nuances of various blacklists, you can significantly improve your email program's performance.
The key is continuous monitoring and adaptation. Email ecosystems are constantly evolving, with new requirements and challenges emerging regularly. Staying informed and routinely auditing your sending practices will not only help you resolve current issues but also prevent future deliverability roadblocks. This will ensure your Mailgun-powered emails remain a reliable channel for communication.
Views from the trenches
Best practices
Always start with basic DNS checks, ensuring all Mailgun-provided records for SPF and DKIM are correctly published.
Implement DMARC gradually, starting with `p=none` to monitor reports before moving to `quarantine` or `reject` policies.
Regularly monitor your DMARC reports for authentication failures and alignment issues; this data is invaluable.
Focus on the most impactful blacklists and blocklists, ignoring less influential ones like UCEPROTECT if no bounce issues occur.
Maintain a clean mailing list to reduce bounces and spam complaints, which directly impact sender reputation.
Use a consistent 'From' address across all your campaigns for brand recognition and better user trust.
Ensure your email content is relevant and valuable to your subscribers to keep engagement high and complaints low.
Common pitfalls
Forgetting the 'mailto:' prefix for RUA or RUF addresses in DMARC records, leading to missed reports.
Having multiple SPF records for a single domain, which can invalidate SPF and cause authentication failures.
Ignoring DMARC aggregate reports, missing critical insights into spoofing attempts and authentication issues.
Panicking over minor blacklistings (e.g., UCEPROTECT) that have minimal impact on major inbox providers.
Not aligning SPF and DKIM domains with the visible 'From' domain in DMARC, leading to policy failures.
Sending to old, unengaged, or purchased lists, which can quickly lead to spam trap hits and blocklistings.
Failing to update DNS records after changing email service providers, causing significant deliverability disruptions.
Expert tips
Perform a full DNS propagation check after any record changes to ensure global visibility and prevent delays.
Leverage DMARC forensic reports (if available) to gain deeper insights into why emails are failing authentication.
Segment your audience and personalize content to improve engagement metrics, which positively influences sender reputation.
Regularly test your email authentication setup using online tools to catch misconfigurations early.
Understand the difference between shared and dedicated IPs for Mailgun, and choose based on your sending volume and reputation needs.
Implement suppression lists for hard bounces and unsubscribes immediately to maintain list hygiene and avoid penalties.
If using a new domain, warm it up gradually by sending small volumes initially and slowly increasing over time.
Expert view
Expert from Email Geeks says that UCEProtect has very little impact and can safely be ignored if you are not seeing any bounces for your emails.
2024-06-01 - Email Geeks
Expert view
Expert from Email Geeks says that your domain might not be sending DMARC reports to your chosen DMARC monitoring service, which is why DMARC results might not be visible.