Ghost newsletter going to spam — fix SPF, DKIM & DMARC (Mailgun)

Your Ghost newsletter lands in Gmail spam even though your site's own email seems fine.

Check your domain first — 10 seconds, free, no signup.
See your DMARC policy, SPF lookup count and every issue explained in plain English.
Run the free check →

What this means

Ghost runs two independent email systems, and that's the trap. Bulk newsletters go out only through Mailgun's API — there is no SMTP option and no other provider you can plug in — while transactional/magic-link mail uses a separate configuration. So authenticating your main domain does nothing for the newsletter: the newsletter's sending domain is typically a mg. subdomain on Mailgun, and it's that subdomain that needs SPF, DKIM and an aligned DMARC to reach the inbox. Source: Ghost Docs — Why do I have to set up Mailgun? · verified 2026-07-18.

What to do about it

Step 1. Find the sending subdomain Mailgun uses for your newsletter (usually mg.yourdomain.com) — that's the one to authenticate.
Step 2. Add Mailgun's SPF, DKIM and (recommended) DMARC records on that mg. subdomain, not just your root domain.
Step 3. Keep the newsletter subdomain separate from your main mail so its reputation is independent.
Step 4. Run the free check below against your domain to see which senders currently pass.

Frequently asked

Will adding these records break the email I already send?

No. Adding SPF includes and DKIM records (whether TXT or CNAME) only adds authentication — it never blocks mail. The only step that can affect delivery is tightening your DMARC policy to quarantine or reject, and that comes later, once reports confirm every legitimate sender passes.

The platform says it “handles DMARC” — do I still need my own record?

Yes. Most platforms handle DKIM (and sometimes SPF) so their mail can pass, but the DMARC record is published on your own domain and controlled by you — it's what tells receivers to act on failures. Providers rarely publish it for you, and you want your own rua= address to see the reports.

How do I confirm it actually worked?

Send yourself a test message and check the headers for dkim=pass and dmarc=pass — or run the free check below on your domain to see SPF, DKIM and DMARC state, and which sending services currently align, in one place.

Don't want to babysit DNS records?
DMARCKeeper monitors your reports, names every sender, and walks you to full p=reject protection.
Start free monitoring →