
SPF, DKIM, and DMARC for Postmark: complete setup guide

A complete walkthrough for authenticating Postmark. Postmark gives you DKIM CNAME delegation and a Return-Path CNAME so both DKIM and the envelope-from align with your domain. It is one of the cleanest ESP setups; the SPF step is via the return-path, not an apex include.

TL;DR

  1. SPF: publish the Return-Path CNAME (pm-bounces.yourdomain -> pm.mtasv.net) so the envelope-from resolves to Postmark's SPF and aligns. No apex SPF include needed.
  2. DKIM: publish the per-domain DKIM CNAME Postmark shows you, or mail signs with postmarkapp.com and never aligns.
  3. DMARC: start at p=none with rua, watch reports, then ramp to p=quarantine and p=reject.

What it does

This guide authenticates Postmark against your domain. Postmark's Sender Signature / domain setup walks you through publishing one DKIM CNAME and one Return-Path CNAME (pm-bounces.yourdomain -> pm.mtasv.net). After both publish and verify, your outbound DKIM signs with d=yourdomain and your bounce address is also at yourdomain, so both DKIM and SPF align.

Postmark assigns a unique DKIM selector per confirmed domain rather than a fixed one, so the selector string in your CNAME is specific to your account. The setup is otherwise CNAME-only, with no key text to paste.

Step 1: Set up SPF for Postmark

Postmark aligns SPF through a Return-Path (bounce) CNAME on your domain rather than an apex SPF include. The CNAME makes the envelope-from resolve to Postmark's own SPF, so SPF aligns without consuming an apex lookup.

  1. Publish the Return-Path CNAME Postmark provides: pm-bounces.yourdomain -> pm.mtasv.net.

  2. Do not add include:spf.mtasv.net to your apex SPF. The return-path CNAME handles SPF alignment, and DKIM alignment is the primary path anyway.

  3. Leave your existing apex SPF for your mailbox provider untouched.

pm-bounces.yourdomain CNAME pm.mtasv.net

Skipping the Return-Path CNAME means SPF fails (the envelope-from is pm.mtasv.net), but DMARC still passes via DKIM alignment. Publishing it gives you a second authenticated path in case a forwarder ever breaks DKIM.

Step 2: Set up DKIM for Postmark

Postmark uses a per-domain DKIM CNAME with an account-specific selector. You publish the CNAME Postmark shows; Postmark hosts the key under postmarkapp.com. The selector is a string Postmark assigns, not a fixed name.

Selector: <selector>._domainkey, where <selector> is the per-domain value Postmark assigns

  1. In Postmark, set up a Confirmed Domain (Sender Signatures -> Domains) for org-wide signing rather than a per-address Sender Signature. (Confirm the current menu path in your Postmark account.)

  2. Postmark displays the DKIM CNAME using your domain's assigned selector, for example <selector>._domainkey.yourdomain -> <selector>.dkim.postmarkapp.com.

  3. Publish the DKIM CNAME exactly as shown.

  4. Click Verify in Postmark. The record flips to verified within the DNS TTL.

  5. Verify with the DKIM checker against the selector Postmark assigned.

<selector>._domainkey.yourdomain CNAME <selector>.dkim.postmarkapp.com

Replace <selector> with the value Postmark shows (it is unique to your domain). Use a Confirmed Domain, not a single Sender Signature, so any address at your domain signs.
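
A way to check the Step 1 and Step 2 records before clicking Verify, added here as an example (not Postmark's or this guide's own code): it lints a zone snapshot for the Return-Path CNAME, the absence of the apex include, and a DKIM CNAME whose selector matches on both sides. The domain example.com, the selector sel123, the mailbox-provider include, and the function names are constructed for illustration.

```python
# Constructed zone snapshot; domain, mailbox SPF include, and selector are sample values.
ZONE = """\
example.com.                   TXT   "v=spf1 include:_spf.mailbox.example ~all"
pm-bounces.example.com.        CNAME pm.mtasv.net.
sel123._domainkey.example.com. CNAME sel123.dkim.postmarkapp.com.
"""

def parse_zone(text):
    """Map (name, type) -> list of values; names lower-cased, trailing dots dropped."""
    records = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            name, rtype, value = parts
            value = value.strip().strip('"')
            if rtype.upper() == "CNAME":
                value = value.rstrip(".").lower()
            records.setdefault((name.rstrip(".").lower(), rtype.upper()), []).append(value)
    return records

def lint(zone_text, domain):
    """Return a list of problems with the Step 1 and Step 2 records; empty means OK."""
    recs, problems = parse_zone(zone_text), []
    # Step 1: the Return-Path CNAME must point at pm.mtasv.net.
    if recs.get((f"pm-bounces.{domain}", "CNAME")) != ["pm.mtasv.net"]:
        problems.append("return-path CNAME missing or not pointing at pm.mtasv.net")
    # Step 1: the apex SPF should not carry the Postmark include.
    spf = [t for t in recs.get((domain, "TXT"), []) if t.lower().startswith("v=spf1")]
    if any("include:spf.mtasv.net" in t.lower().split() for t in spf):
        problems.append("apex SPF contains unneeded include:spf.mtasv.net")
    # Step 2: <selector>._domainkey.<domain> -> <selector>.dkim.postmarkapp.com,
    # with the same selector string on both sides of the CNAME.
    suffix = f"._domainkey.{domain}"
    dkim = [(name[: -len(suffix)], target)
            for (name, rtype), targets in recs.items()
            if rtype == "CNAME" and name.endswith(suffix)
            for target in targets]
    if not dkim:
        problems.append("no DKIM CNAME published under _domainkey")
    for selector, target in dkim:
        if target != f"{selector}.dkim.postmarkapp.com":
            problems.append(f"DKIM CNAME for {selector} has unexpected target {target}")
    return problems
```

Feed it the records exported from your DNS provider, one `name type value` per line; an empty list means the three checks passed.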

Step 3: Publish DMARC

  1. With the DKIM and Return-Path CNAMEs verified, publish your DMARC record at _dmarc.yourdomain. Start at p=none so receivers report but take no action.

  2. Add a rua address to collect daily aggregate reports.

  3. Watch the reports for a couple of weeks. Confirm Postmark mail passes with d=yourdomain.

  4. Move to p=quarantine, then p=reject once the only remaining failures are unknown or spoofed sources. See the DMARC rollout playbook for the full ramp.

Example record

_dmarc.yourdomain.com TXT
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; fo=1
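
For the report-watching step, an added example (not part of the original guide or Postmark's tooling) that reads aggregate-report records and says which DMARC leg carried each source. It assumes relaxed alignment, since the record above sets neither adkim nor aspf, and simplifies it to a subdomain match; the sample rows, IPs, and names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate-report rows (RFC 7489 element names); IPs are documentation ranges.
ROW = ("<record><row><source_ip>{ip}</source_ip><count>{n}</count></row>"
       "<identifiers><header_from>example.com</header_from></identifiers>"
       "<auth_results><dkim><domain>{dd}</domain><result>{dr}</result></dkim>"
       "<spf><domain>{sd}</domain><result>{sr}</result></spf></auth_results></record>")
SAMPLE = "<feedback>" + "".join(
    ROW.format(ip=ip, n=n, dd=dd, dr=dr, sd=sd, sr=sr)
    for ip, n, dd, dr, sd, sr in [
        ("192.0.2.10", 120, "example.com", "pass", "pm-bounces.example.com", "pass"),
        ("192.0.2.11", 30, "example.com", "pass", "pm.mtasv.net", "pass"),     # no Return-Path CNAME
        ("192.0.2.12", 8, "postmarkapp.com", "pass", "pm.mtasv.net", "pass"),  # no DKIM CNAME
        ("203.0.113.5", 3, "example.com", "fail", "spoof.example.net", "pass"),  # unknown source
    ]) + "</feedback>"

def aligned(auth_domain, from_domain):
    """Relaxed alignment, simplified: treats the From domain as the organizational domain."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)

def leg_ok(record, mech, from_domain):
    """True if any <mech> result both passed and is aligned with the From domain."""
    return any(r.findtext("result") == "pass"
               and aligned(r.findtext("domain", ""), from_domain)
               for r in record.iterfind(f"auth_results/{mech}"))

def summarize(xml_text):
    """Return (source_ip, count, verdict) for each record in the report."""
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        hdr = rec.findtext("identifiers/header_from", "")
        dkim, spf = leg_ok(rec, "dkim", hdr), leg_ok(rec, "spf", hdr)
        verdict = {(True, True): "pass: DKIM and SPF aligned",
                   (True, False): "pass: DKIM only, no SPF backup",
                   (False, True): "pass: SPF only, DKIM not aligned",
                   (False, False): "fail: nothing aligned"}[(dkim, spf)]
        rows.append((rec.findtext("row/source_ip"), int(rec.findtext("row/count")), verdict))
    return rows
```

Sources that stay in the "DKIM only" or "nothing aligned" buckets are the ones to resolve before moving past p=none.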

Common pitfalls

  • Confirming a sender signature for jane@yourdomain but trying to send from john@yourdomain. Signatures are per-address unless you use a Confirmed Domain. Switch to domain-wide.

  • Skipping the Return-Path CNAME. SPF check fails because envelope-from is pm.mtasv.net. DMARC still passes via DKIM-alignment, but you have no SPF redundancy if DKIM ever breaks (e.g. body modification by a forwarder).

  • Rotating DKIM by deleting the Sender Signature in Postmark before deleting the CNAME. Inbound receivers cache your old selector for hours; mail signed during the gap fails DMARC.

  • Using the Postmark sandbox API key in production. Sandbox mail does not get DKIM-signed. Every test message you send fails DMARC.

FAQ

Do I need an SPF include for Postmark?

No apex include is needed. Postmark aligns SPF through a Return-Path CNAME (pm-bounces.yourdomain -> pm.mtasv.net) that makes the envelope-from resolve to Postmark's SPF. DKIM alignment is the primary path; the return-path CNAME adds SPF as a backup.

What DKIM selector does Postmark use?

Postmark assigns a unique selector per confirmed domain rather than a fixed name. You publish a CNAME at <selector>._domainkey.yourdomain pointing to <selector>.dkim.postmarkapp.com, using the exact selector string Postmark shows.

Why does Postmark mail fail DMARC after setup?

Usually because you confirmed a single Sender Signature for one address and are sending from another, or you are using a sandbox API key (sandbox mail is not DKIM-signed). Use a Confirmed Domain and a live API key.

Should I use a Sender Signature or a Confirmed Domain?

Use a Confirmed Domain. A Sender Signature only authenticates one address, while a Confirmed Domain signs every address at your domain, which is what DMARC alignment needs.