How to use Mailgun is usually not the first thing you plan for when you launch a WordPress site, until the day receipts stop landing and password resets vanish. We have watched a WooCommerce store “look fine” while customers quietly failed to get order confirmations. Quick answer: Mailgun gives your site a dedicated, authenticated mail pipeline (SPF, DKIM, and logs) so transactional email sends fast, lands more often, and stays debuggable when something breaks.
Key Takeaways
- How to use Mailgun effectively starts with separating transactional email (receipts, password resets) from marketing email so complaints don’t tank deliverability for critical messages.
- Verify your sending domain with SPF, DKIM, and a starter DMARC policy (p=none) to build trust with inbox providers and reduce spam placement.
- Use a subdomain like mg.yourdomain.com for most businesses to isolate reputation, then consider a dedicated IP only when volume or compliance needs justify the warmup effort.
- Connect Mailgun to WordPress first via an SMTP plugin (smtp.mailgun.org, port 587 TLS) for a safe rollout, then move to API sending for higher reliability and cleaner event tracking.
- Before going live, map your critical WooCommerce and WordPress emails and test each one in Gmail, Outlook/Microsoft 365, and iCloud while confirming SPF/DKIM/DMARC pass in headers.
- Monitor Mailgun logs, events, and webhooks to catch bounces, blocks, and complaints early, and treat API keys like passwords with tight access control and regular rotation.
What Mailgun Is Best For (And When You Should Not Use It)
Mailgun works best when you care about transactional email deliverability and you want control.
Mailgun sends email through an API or SMTP. That setup helps when WordPress or WooCommerce must send receipts, password resets, form notifications, and support replies. Mailgun also gives you event logs and webhooks, so you can answer the question every operator asks at 9:12 pm: “Did the email actually leave my system?”
Mailgun is not always the right tool.
Use something else when your main need is newsletter marketing with drag-and-drop campaigns, list segmentation, and built-in automations. Mailgun can support marketing, but most non-technical teams feel happier in a suite like Mailchimp.
Transactional Vs Marketing Email: The Split That Keeps You Compliant
Transactional email responds to a user action. A checkout triggers a receipt. A “forgot password” click triggers a reset link. That cause-and-effect matters because regulators and inbox providers treat these messages differently.
Marketing email promotes. Transactional email confirms.
Here is why: a promotional blast increases complaint risk, and complaints hurt sender reputation. A receipt usually lowers complaint risk, because the user expects it. That expectation affects inbox placement.
For compliance, keep this rule in your head:
- Marketing email needs consent and a working unsubscribe flow under laws like CAN-SPAM in the US and GDPR in the EU.
- Transactional email still needs honest headers and lawful processing, but it does not follow the same unsubscribe pattern because the user needs the message to complete the action.
If you mix these two types in one stream, marketing complaints can drag down your receipts. Spam filters do not care that your WooCommerce emails are “important.” They care about reputation.
For background reading, see the CAN-SPAM Act compliance guide from the FTC and Mailgun’s own documentation on sending and deliverability.
Deliverability Basics: Domains, Reputation, And Why “From” Matters
Deliverability comes down to identity and trust.
Your domain sends a signal. Authentication records prove that signal.
- SPF tells inbox providers which servers can send for your domain.
- DKIM signs messages so receivers can verify the message integrity.
- DMARC tells receivers what to do when SPF or DKIM fails.
When you set these up, your domain identity affects inbox placement. When you skip them, your domain identity fails checks, and spam filtering increases.
Also, your “From” name and address train users. A consistent sender reduces confusion. Confusion increases “this is spam” clicks. Spam clicks damage reputation.
Source: Mailgun documentation on domain verification and DNS records: Mailgun Documentation.
Create Your Mailgun Account And Verify Your Sending Domain
Set aside 20 to 40 minutes for first setup. Most of the time goes to DNS propagation, not clicking buttons.
What we do first: we create the account, select the right region (US or EU), and add the sending domain.
Mailgun gives you a “sandbox” domain for early testing, but real-world WordPress email should send from your domain or a subdomain you control.
Steps:
- Create a Mailgun account.
- Open Sending settings in the dashboard.
- Add a domain (often mg.yourdomain.com as a subdomain).
- Copy the DNS records Mailgun shows you.
Add DNS Records: SPF, DKIM, And Tracking (Step-By-Step Checklist)
DNS is where most teams get stuck, so we treat it like a checklist. You add TXT and CNAME records at your DNS host (Cloudflare, GoDaddy, Route 53, your registrar).
Use this sequence:
- SPF (TXT): add the value Mailgun provides. It usually includes include:mailgun.org.
- DKIM (TXT): add the selector record Mailgun provides.
- Tracking (CNAME): add the CNAME record if you want Mailgun’s open and click tracking.
- DMARC (TXT): start with a monitoring policy.
A safe starter DMARC record looks like this:
- Host: _dmarc
- Value: v=DMARC1; p=none
That record tells receivers to monitor, not reject. You can tighten policy later.
Mailgun says verification can take time because DNS needs to propagate. Plan for up to 48 hours.
Source: Mailgun domain verification docs: Mailgun Documentation.
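An added example (not from the original article or from Mailgun): a small linter for the TXT records in the checklist above, run against constructed DNS answers. The hostnames, the `lint` helper and the second SPF record are assumptions made for illustration.

```python
# Constructed TXT answers keyed by hostname (what `dig TXT <host>` would return).
GOOD = {
    "mg.yourdomain.com": ["v=spf1 include:mailgun.org ~all"],
    "_dmarc.yourdomain.com": ["v=DMARC1; p=none"],
}
BAD = {
    # Two SPF records at one host: receivers evaluate this as permerror.
    "mg.yourdomain.com": ["v=spf1 include:mailgun.org ~all",
                          "v=spf1 include:_spf.example.net ~all"],
    # Colon instead of semicolon after the version tag.
    "_dmarc.yourdomain.com": ["v=DMARC1: p=none"],
}

def dmarc_tags(txt):
    """Split a DMARC record into its tag=value pairs."""
    pairs = (part.partition("=") for part in txt.split(";") if part.strip())
    return {k.strip().lower(): v.strip() for k, _, v in pairs}

def lint(records, spf_host, dmarc_host):
    """Return a list of problems found in the SPF and DMARC TXT records."""
    problems = []
    spf = [r for r in records.get(spf_host, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        problems.append(f"spf: expected 1 record at {spf_host}, found {len(spf)}")
    elif "include:mailgun.org" not in spf[0].lower().split():
        problems.append("spf: include:mailgun.org missing")
    dmarc = [r for r in records.get(dmarc_host, []) if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        problems.append(f"dmarc: expected 1 record at {dmarc_host}, found {len(dmarc)}")
    else:
        tags = dmarc_tags(dmarc[0])
        if tags.get("v") != "DMARC1":
            problems.append("dmarc: version tag must be exactly v=DMARC1 followed by ';'")
        if tags.get("p") not in ("none", "quarantine", "reject"):
            problems.append("dmarc: p= must be none, quarantine or reject")
    return problems
```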
Choose A Sending Setup: Sandbox, Subdomain, Or Dedicated Domain
Pick the setup that matches your risk and volume.
- Sandbox: good for early testing. It caps volume and limits flexibility.
- Subdomain (recommended for most businesses): send from mg.yourdomain.com. This isolates reputation. If marketing goes sideways, it does not automatically poison your root domain.
- Dedicated IP: useful at higher volume or stricter control needs. It takes warmup work.
We usually start with a subdomain and shared IP, then move up only when volume or compliance requirements demand it. Start small. Measure delivery. Expand.
Connect Mailgun To WordPress (Safe Defaults First)
WordPress does not “send email.” WordPress hands email to a server. If that server uses PHP mail on cheap hosting, deliverability drops.
Mailgun becomes the mail server. WordPress becomes the trigger.
We recommend you start with SMTP because it is easy to roll back. Then you switch to API sending if you need higher reliability or richer event data.
If you want a broader WordPress email baseline, we also keep a guide on WordPress email not sending troubleshooting (and yes, we can help you pick the right plugin stack).
Option A: SMTP Plugin Setup (Most Common For WordPress)
This path works for most WordPress and WooCommerce sites.
Steps:
- Install an SMTP plugin. Many teams use FluentSMTP or WP Mail SMTP.
- Set the SMTP host to smtp.mailgun.org.
- Set the port to 587 (TLS) unless your host requires 465.
- Use your Mailgun SMTP username and password (Mailgun shows these in the dashboard).
- Set the “From Email” to an address on your verified domain.
Then send a test email from the plugin.
Cause-and-effect to watch: a mismatched “From” domain causes authentication failures. Authentication failures cause spam placement.
Source: Mailgun SMTP and sending docs: Mailgun Documentation.
Option B: API-Based Sending (More Reliable, Slightly More Technical)
API sending avoids a few SMTP edge cases and makes event tracking cleaner.
This approach fits you when:
- you want structured logs and webhooks,
- you run higher email volume,
- you want fewer moving parts inside WordPress.
You can use Mailgun’s official libraries, or you can use a WordPress plugin that supports Mailgun API keys.
Guardrail we use: we store API keys in server environment variables when possible. Keys in wp-config.php beat keys in a random notes doc.
Source: Mailgun API docs: Mailgun Documentation.
Configure Mailgun For WooCommerce And Site Notifications
Once Mailgun connects, you want to map which messages matter. Most stores do not fail on big campaigns. They fail on small, critical emails.
WooCommerce triggers receipts, failed payment alerts, refund notices, and “new order” admin emails. WordPress triggers password resets and account changes. Your forms trigger lead notifications.
When Mailgun handles these triggers, your store reduces “silent failure.” Silent failure hurts revenue because customers do not trust a checkout that never confirms.
If you are building out the full commerce stack, our WooCommerce development services and WordPress maintenance services usually bundle this setup with testing and logging.
Map Your Critical Emails: Orders, Password Resets, Forms, And Support
We write this list before we change anything. It becomes the acceptance test.
Common critical emails:
- Order placed: customer confirmation + admin notification
- Payment failed: customer prompt + internal alert
- Shipping update: customer message
- Password reset: customer message with reset link
- Contact form: customer copy + internal notification
- Support: ticket created + replies
Next steps: send one of each email to real inboxes (Gmail, Outlook, iCloud). Save the headers.
Add Guardrails: “Reply-To” Routing, Sender Names, And Template Consistency
Guardrails keep you from waking up to chaos.
- Set a clear Reply-To address. Replies should land in a monitored inbox or help desk.
- Keep sender names consistent. “Zuleika Billing” should not become “No-Reply 14.”
- Use consistent templates for transactional email. Consistency trains users and reduces spam complaints.
Mailgun routing can forward or store inbound replies when you want more control.
Source: Mailgun routing and receiving docs: Mailgun Documentation.
Test, Monitor, And Debug Deliverability
We treat deliverability like a production system, not a one-time checkbox.
You want proof for three questions:
- Did WordPress generate the email?
- Did Mailgun accept and send the email?
- Did the inbox provider accept and place the email?
Mailgun helps with question #2. Headers help with question #3.
Send Test Messages And Verify Headers (SPF/DKIM Pass)
Send tests to:
- a Gmail inbox
- an Outlook or Microsoft 365 inbox
- an iCloud inbox
Open the message headers and check:
- SPF: PASS
- DKIM: PASS
- DMARC: PASS (or at least “aligned”)
If SPF fails, DNS causes the failure most of the time. If DKIM fails, a TXT record is missing or wrong. If DMARC fails, alignment often breaks because the visible “From” domain does not match authenticated domains.
Google explains how authentication affects Gmail delivery in its sender guidance. Source: Google Workspace Admin Help: Email sender guidelines.
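An added example, not part of the original article: reading the receiver's Authentication-Results header from a saved test message and checking whether the passing SPF or DKIM identity aligns with the visible "From" domain. Both sample messages are constructed, and the two-label organizational-domain rule is a simplifying assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not captured from real mail).
ALIGNED = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.i=@mg.yourdomain.com header.s=k1;
 spf=pass (sender IP permitted) smtp.mailfrom=bounce@mg.yourdomain.com;
 dmarc=pass (p=NONE) header.from=yourdomain.com
From: Shop Billing <billing@yourdomain.com>
Subject: Your receipt

Thanks for your order.
"""
# Same sending path, but the visible From uses a domain that was never verified.
MISALIGNED = (ALIGNED.replace("billing@yourdomain.com", "billing@shop-brand.example")
              .replace("dmarc=pass (p=NONE) header.from=yourdomain.com",
                       "dmarc=fail (p=NONE) header.from=shop-brand.example"))

def org_domain(host):
    # Assumption: organizational domain = last two labels. Real DMARC
    # evaluation uses the Public Suffix List (needed for e.g. .co.uk).
    return ".".join(host.lower().strip(".").split(".")[-2:])

def check_auth(raw):
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    # Only the topmost Authentication-Results header is the receiver's own;
    # lower ones can be supplied by the sender. Comments in (...) are dropped.
    ar = re.sub(r"\([^)]*\)", "", msg.get("Authentication-Results", ""))
    verdict = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", ar)
        verdict[method] = m.group(1).lower() if m else "missing"
    ids = {"spf": re.search(r"smtp\.mailfrom=(?:[^\s;@]*@)?([^\s;]+)", ar),
           "dkim": re.search(r"header\.[di]=(?:[^\s;@]*@)?([^\s;]+)", ar)}
    for method, m in ids.items():
        aligned = bool(m) and org_domain(m.group(1)) == org_domain(from_dom)
        verdict[method + "_aligned"] = aligned
    verdict["dmarc_ok"] = any(verdict[k] == "pass" and verdict[k + "_aligned"]
                              for k in ("spf", "dkim"))
    return verdict
```

In the misaligned sample SPF and DKIM still report pass, which is why a test that only looks for "PASS" on those two lines misses the "From" mismatch.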
Use Logs, Events, And Webhooks To Track Bounces, Blocks, And Complaints
Mailgun logs show event history like delivered, bounced, dropped, and complained.
This is where the cause-and-effect gets practical:
- A high bounce rate hurts domain reputation.
- A high complaint rate hurts domain reputation faster.
- A poor reputation reduces inbox placement for future mail.
Set up webhooks if you have a system that can receive them (a small app, a CRM, or a no-code tool). Webhooks let Mailgun push events into your workflow.
We often connect these events to alerts. A bounce spike should page someone. A complaint spike should pause marketing sends until you fix the root cause.
Source: Mailgun events and webhooks docs: Mailgun Documentation.
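An added example, not part of the original article: verifying webhook payloads before counting them, using the scheme in Mailgun's webhook documentation (HMAC-SHA256 over timestamp plus token, keyed with the webhook signing key). The payload shape, key, sample events and alert thresholds are constructed assumptions.

```python
import hashlib
import hmac
from collections import Counter

KEY = b"constructed-signing-key"  # constructed; load the real key from the environment

def sign(timestamp, token, key=KEY):
    return hmac.new(key, (timestamp + token).encode(), hashlib.sha256).hexdigest()

def verify(sig, now, key=KEY, max_age=300):
    """Accept only a matching HMAC on a fresh timestamp (limits replay)."""
    try:
        fresh = abs(now - int(sig["timestamp"])) <= max_age
        expected = sign(sig["timestamp"], sig["token"], key)
        return fresh and hmac.compare_digest(expected, sig["signature"])
    except (KeyError, TypeError, ValueError):
        return False

def tally(payloads, now):
    """Count events from verified payloads; a reused token is treated as a replay."""
    seen, counts = set(), Counter()
    for p in payloads:
        sig = p.get("signature", {})
        if not verify(sig, now) or sig["token"] in seen:
            counts["rejected_payload"] += 1
            continue
        seen.add(sig["token"])
        counts[p["event-data"]["event"]] += 1
    return counts

def actions(counts, bounce_limit=0.05, complaint_limit=0.001):
    # Thresholds are illustrative assumptions; tune them to your own baseline.
    total = counts["delivered"] + counts["bounced"]
    out = []
    if total and counts["bounced"] / total > bounce_limit:
        out.append("page on-call: bounce spike")
    if total and counts["complained"] / total > complaint_limit:
        out.append("pause marketing sends: complaint spike")
    return out

def sample(event, ts, token, key=KEY):  # builds constructed test payloads
    return {"signature": {"timestamp": ts, "token": token, "signature": sign(ts, token, key)},
            "event-data": {"event": event}}

NOW = 1_700_000_100
EVENTS = ([sample("delivered", "1700000000", f"t{i}") for i in range(18)]
          + [sample("bounced", "1700000000", "b1"), sample("bounced", "1700000000", "b2")]
          + [sample("complained", "1700000000", "forged", key=b"wrong-key")]
          + [sample("delivered", "1700000000", "t0")])  # replayed token
```

The signature covers only the timestamp and token, not the event body, so the receiving endpoint should be HTTPS-only and the seen-token cache should persist across requests rather than live inside one call as it does here.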
Security, Privacy, And Governance For Real Businesses
Email pipelines touch personal data. That includes names, email addresses, order details, and sometimes health or legal context. You need rules.
Mailgun supports US and EU regions, and it publishes security and compliance information. Still, your workflow decisions decide your risk.
If you work in healthcare, law, finance, or education, keep humans in the loop for anything sensitive. Do not paste patient details or legal strategy into places that do not need it.
Source: Mailgun security and compliance materials: Mailgun Trust Center.
Data Minimization And Sensitive Content Rules (Especially Regulated Teams)
Data minimization reduces damage when something leaks.
We use these rules:
- Do not put sensitive content in email when a portal link can do the job.
- Keep receipts short. Put details behind an authenticated account page.
- Avoid sending full medical, legal, or financial records by email.
A simple example: a clinic appointment email can confirm time and location, but it should not include diagnosis text.
For GDPR framing on data minimization, see the EU regulator guidance. Source: EDPB Guidelines on GDPR principles.
Access Control, API Key Hygiene, And Audit Trails
Treat Mailgun keys like passwords.
- Limit who can view and rotate API keys.
- Rotate keys on staff changes.
- Store secrets in a password manager or environment variables.
- Log changes. A log creates accountability, and accountability reduces “mystery outages.”
If you run WordPress for clients, separate staging from production. A staging site should not send real customer email.
Conclusion
Mailgun shines when you want transactional email that you can trust, test, and explain to your team. If you want the safest path, start with a subdomain, set SPF and DKIM, connect WordPress by SMTP, and run tests in real inboxes. Then add logs and webhooks so you can spot bounces and blocks before customers do.
If you want us to review your current setup, we can. We usually start with a quick workflow map (trigger, input, job, output, guardrails) and a small pilot that you can roll back in minutes.
Frequently Asked Questions
How to use Mailgun with WordPress for reliable transactional email?
To use Mailgun with WordPress, first verify a sending domain in Mailgun and add SPF/DKIM DNS records. Then connect WordPress via an SMTP plugin (host: smtp.mailgun.org, port 587 TLS) or use the Mailgun API. Send test emails and confirm SPF/DKIM/DMARC pass in headers.
What is Mailgun best for, and when should I not use it?
Mailgun is best for transactional email deliverability—receipts, password resets, form notifications, and support replies—because it provides authenticated sending plus logs and webhooks. It’s usually not ideal as a primary newsletter platform for non-technical teams who need drag-and-drop campaigns, segmentation, and automations.
Why do SPF, DKIM, and DMARC matter when learning how to use Mailgun?
SPF, DKIM, and DMARC prove your domain is allowed to send and that messages weren’t altered in transit. Without them, inbox providers are more likely to treat mail as suspicious and place it in spam. DMARC also tells receivers what to do when authentication fails and helps prevent spoofing.
Should I send from a Mailgun subdomain like mg.yourdomain.com or my root domain?
A subdomain (for example, mg.yourdomain.com) is recommended for most businesses because it isolates sending reputation. If marketing mail triggers complaints or bounces, it’s less likely to drag down deliverability for your main domain. Root-domain sending can work, but it concentrates risk in one identity.
What’s the difference between transactional vs marketing email, and does it affect compliance?
Transactional email is triggered by a user action (order receipt, password reset) and is expected by the recipient. Marketing email promotes and typically requires consent plus a working unsubscribe flow under laws like CAN-SPAM and GDPR. Mixing marketing and transactional streams can increase complaints and hurt receipt deliverability.
How do I troubleshoot Mailgun deliverability issues like bounces, blocks, or missing WooCommerce emails?
Debug in three steps: confirm WordPress generated the email, confirm Mailgun accepted/sent it (logs/events), then check inbox placement via message headers. Fix SPF/DKIM DNS errors first, then DMARC alignment and “From” domain mismatches. Monitor bounce/complaint spikes and use webhooks for alerts and faster response.
