ESP guide

DMARC for Postmark: clean DKIM, optional but recommended SPF include

Postmark gives you DKIM CNAME delegation and a Return-Path CNAME so both DKIM and envelope-from align with your domain. It's one of the cleanest ESP setups — most issues come from the optional SPF step.

TL;DR

  • Two CNAMEs: one for DKIM (########._domainkey), one for Return-Path (pm-bounces).
  • SPF include is optional but recommended for redundancy.
  • Postmark gives a unique selector per sender signature, not per account.

What it does

Postmark's Sender Signature setup walks you through publishing one DKIM CNAME (########._domainkey, where ######## is a per-signature ID Postmark assigns) and one Return-Path CNAME (pm-bounces.yourdomain → pm.mtasv.net). After both publish and verify, your outbound DKIM signs with d=yourdomain and your bounce address is also at yourdomain — both align.

How it works

  1. In Postmark: Sender Signatures → Add Sender Signature (or use a Confirmed Domain for org-wide signing).
  2. Postmark displays the DKIM CNAME (it uses a per-signature ID like 20240101abc._domainkey).
  3. Publish the DKIM CNAME. Optionally also publish the Return-Path CNAME (pm-bounces.yourdomain → pm.mtasv.net) — Postmark recommends this for SPF alignment.
  4. Click Verify Records in Postmark. Both should flip to verified once the records have propagated (within the DNS TTL).
  5. Optionally add 'include:spf.mtasv.net' to your SPF. This adds one DNS lookup but gives you SPF alignment as a backup to DKIM alignment.

Common pitfalls

  • Confirming a sender signature for jane@yourdomain but trying to send from john@yourdomain. Signatures are per-address unless you use a Confirmed Domain. Switch to domain-wide.

  • Skipping the Return-Path CNAME. SPF cannot align because envelope-from is pm.mtasv.net rather than your domain — DMARC still passes via DKIM alignment, but you have no SPF redundancy if DKIM ever breaks (e.g. body modification by a forwarder).

  • Rotating DKIM by deleting the Sender Signature in Postmark before deleting the CNAME. Inbound receivers cache your old selector for hours; mail signed during the gap fails DMARC.

  • Using the Postmark sandbox API key in production. Sandbox mail does not get DKIM-signed — every test message you send fails DMARC.
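As an added example (not Postmark's code and not part of the original guide), the following Python models how DMARC evaluates the setups from the steps and pitfalls above: one passing, aligned result from either DKIM or SPF is enough, and the Return-Path CNAME is what lets SPF align. It assumes yourdomain is example.com and uses a simplified organizational-domain rule in place of the Public Suffix List.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed Postmark-style values for the scenarios (yourdomain = example.com).
FROM_DOMAIN = "example.com"
RETURN_PATH = "pm-bounces.example.com"    # envelope-from with the Return-Path CNAME
POSTMARK_DEFAULT_BOUNCE = "pm.mtasv.net"  # envelope-from without it


@dataclass
class AuthResult:
    from_domain: str            # RFC5322.From domain (what DMARC aligns against)
    dkim_domain: Optional[str]  # d= of a *passing* signature; None if unsigned/broken
    envelope_from: str          # RFC5321.MailFrom domain used for the SPF check
    spf_pass: bool              # raw SPF result for envelope_from
    relaxed: bool = True        # adkim/aspf default is relaxed ("r")


def org_domain(domain: str) -> str:
    # Simplified organizational domain (last two labels); real DMARC uses the PSL.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, relaxed: bool) -> bool:
    if relaxed:
        return org_domain(from_domain) == org_domain(auth_domain)
    return from_domain.lower() == auth_domain.lower()


def evaluate(r: AuthResult) -> dict:
    dkim_ok = r.dkim_domain is not None and aligned(r.from_domain, r.dkim_domain, r.relaxed)
    spf_ok = r.spf_pass and aligned(r.from_domain, r.envelope_from, r.relaxed)
    return {"dkim_aligned": dkim_ok, "spf_aligned": spf_ok, "dmarc_pass": dkim_ok or spf_ok}


def postmark_scenarios() -> dict:
    """The setups from the guide, expressed as DMARC alignment outcomes."""
    return {
        # Both CNAMEs published: DKIM and SPF both align.
        "full_setup": evaluate(AuthResult(FROM_DOMAIN, FROM_DOMAIN, RETURN_PATH, True)),
        # Return-Path CNAME skipped: SPF passes for pm.mtasv.net but cannot align.
        "no_return_path": evaluate(AuthResult(FROM_DOMAIN, FROM_DOMAIN, POSTMARK_DEFAULT_BOUNCE, True)),
        # DKIM broken (or sandbox mail, which is unsigned): SPF alignment is the only backup.
        "dkim_broken_with_return_path": evaluate(AuthResult(FROM_DOMAIN, None, RETURN_PATH, True)),
        "dkim_broken_no_return_path": evaluate(AuthResult(FROM_DOMAIN, None, POSTMARK_DEFAULT_BOUNCE, True)),
        # aspf=s: the pm-bounces subdomain is not an exact match, so SPF alignment is lost.
        "strict_aspf": evaluate(AuthResult(FROM_DOMAIN, FROM_DOMAIN, RETURN_PATH, True, relaxed=False)),
    }


if __name__ == "__main__":
    for name, result in postmark_scenarios().items():
        print(f"{name:30} {result}")
```

Note the strict-alignment case: pm-bounces.yourdomain only aligns under the default relaxed aspf, so publishing aspf=s in your DMARC record throws the SPF redundancy away.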