SPF, DKIM, and DMARC for Postmark: complete setup guide
A complete walkthrough for authenticating Postmark. Postmark gives you DKIM CNAME delegation and a Return-Path CNAME so both DKIM and the envelope-from align with your domain. It is one of the cleanest ESP setups; the SPF step is via the return-path, not an apex include.
TL;DR
1. SPF: publish the Return-Path CNAME (pm-bounces.yourdomain -> pm.mtasv.net) so the envelope-from resolves to Postmark's SPF and aligns. No apex SPF include needed.
2. DKIM: publish the per-domain DKIM CNAME Postmark shows you, or mail signs with postmarkapp.com and never aligns.
3. DMARC: start at p=none with rua, watch reports, then ramp to p=quarantine and p=reject.
What it does
This guide authenticates Postmark against your domain. Postmark's Sender Signature / domain setup walks you through publishing one DKIM CNAME and one Return-Path CNAME (pm-bounces.yourdomain -> pm.mtasv.net). After both publish and verify, your outbound DKIM signs with d=yourdomain and your bounce address is also at yourdomain, so both DKIM and SPF align.
Postmark assigns a unique DKIM selector per confirmed domain rather than a fixed one, so the selector string in your CNAME is specific to your account. The setup is otherwise CNAME-only, with no key text to paste.
Step 1: Set up SPF for Postmark
Postmark aligns SPF through a Return-Path (bounce) CNAME on your domain rather than an apex SPF include. The CNAME makes the envelope-from resolve to Postmark's own SPF, so SPF aligns without consuming an apex lookup.
1. Publish the Return-Path CNAME Postmark provides: pm-bounces.yourdomain -> pm.mtasv.net.
2. Do not add include:spf.mtasv.net to your apex SPF. The return-path CNAME handles SPF alignment, and DKIM alignment is the primary path anyway.
3. Leave your existing apex SPF for your mailbox provider untouched.
Skipping the Return-Path CNAME means SPF fails (the envelope-from is pm.mtasv.net), but DMARC still passes via DKIM alignment. Publishing it gives you a second authenticated path in case a forwarder ever breaks DKIM.
Step 2: Set up DKIM for Postmark
Postmark uses a per-domain DKIM CNAME with an account-specific selector. You publish the CNAME Postmark shows; Postmark hosts the key under postmarkapp.com. The selector is a string Postmark assigns, not a fixed name.
Selector: <selector>._domainkey, where <selector> is the per-domain value Postmark assigns
1. In Postmark, set up a Confirmed Domain (Sender Signatures -> Domains) for org-wide signing rather than a per-address Sender Signature. (Confirm the current menu path in your Postmark account.)
2. Postmark displays the DKIM CNAME using your domain's assigned selector, for example <selector>._domainkey.yourdomain -> <selector>.dkim.postmarkapp.com.
3. Publish the DKIM CNAME exactly as shown.
4. Click Verify in Postmark. The record flips to verified within the DNS TTL.
5. Verify with the DKIM checker against the selector Postmark assigned.
Replace <selector> with the value Postmark shows (it is unique to your domain). Use a Confirmed Domain, not a single Sender Signature, so any address at your domain signs.
Step 3: Publish DMARC
1. With the DKIM and Return-Path CNAMEs verified, publish your DMARC record at _dmarc.yourdomain. Start at p=none so receivers report but take no action.
2. Add a rua address to collect daily aggregate reports.
3. Watch the reports for a couple of weeks. Confirm Postmark mail passes with d=yourdomain.
4. Move to p=quarantine, then p=reject once the only remaining failures are unknown or spoofed sources. See the DMARC rollout playbook for the full ramp.
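To make the alignment logic behind Steps 1 and 3 concrete, here is a small DMARC evaluator written for this guide (added example, not Postmark's code or any receiver's implementation). It parses a DMARC TXT record and applies RFC 7489 identifier alignment to the three situations the guide describes: both CNAMEs published, the Return-Path CNAME skipped, and an unsigned sandbox message. The domains, the DMARC record and the rua address are constructed; the organizational-domain helper is a two-label approximation rather than a Public Suffix List lookup.

```python
"""Minimal DMARC evaluator for the Postmark setup scenarios in this guide.

Added example for illustration only; the domain names, record and scenarios
are constructed, and alignment follows RFC 7489 (relaxed by default).
"""
from dataclasses import dataclass
from typing import Optional


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record ("v=DMARC1; p=none; rua=...") into a tag dict.

    Applies the RFC 7489 defaults: adkim and aspf relaxed ("r"), sp inherits p.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in {"none", "quarantine", "reject"}:
        raise ValueError("p must be none, quarantine or reject")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])
    return tags


def org_domain(name: str) -> str:
    """Approximate the organizational domain as the last two labels.

    Assumption for an offline example; real receivers consult the Public
    Suffix List, which matters for names such as example.co.uk.
    """
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(identifier: Optional[str], from_domain: str, mode: str) -> bool:
    """Strict ("s") needs an exact match; relaxed ("r") accepts the same org domain."""
    if identifier is None:
        return False
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


@dataclass
class AuthResult:
    from_domain: str             # RFC5322.From domain (what the user sees)
    dkim_domain: Optional[str]   # d= of a signature that verified, or None
    spf_domain: Optional[str]    # envelope-from domain if SPF passed, else None


def evaluate(record: str, result: AuthResult) -> dict:
    """Return alignment flags, the DMARC result and the policy disposition."""
    tags = parse_dmarc(record)
    dkim_ok = aligned(result.dkim_domain, result.from_domain, tags["adkim"])
    spf_ok = aligned(result.spf_domain, result.from_domain, tags["aspf"])
    passed = dkim_ok or spf_ok
    return {
        "dkim_aligned": dkim_ok,
        "spf_aligned": spf_ok,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else tags["p"],
    }


# Constructed DMARC record for the example domain
RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.example"

# Constructed scenarios for a Postmark-style setup at yourdomain.example
FULL_SETUP = AuthResult("yourdomain.example", "yourdomain.example",
                        "pm-bounces.yourdomain.example")   # both CNAMEs published
NO_RETURN_PATH = AuthResult("yourdomain.example", "yourdomain.example",
                            "pm.mtasv.net")                 # SPF passes but does not align
SANDBOX = AuthResult("yourdomain.example", None, "pm.mtasv.net")  # unsigned sandbox mail

if __name__ == "__main__":
    for name, res in [("full setup", FULL_SETUP),
                      ("no return-path CNAME", NO_RETURN_PATH),
                      ("sandbox API key", SANDBOX)]:
        print(f"{name:22} {evaluate(RECORD, res)}")
```

Running it shows the guide's point: without the Return-Path CNAME the message still passes on DKIM alone, and the sandbox message gets the disposition named by p. One caveat the code makes visible is that pm-bounces.yourdomain is a subdomain, so SPF alignment through the Return-Path CNAME relies on the relaxed aspf default; publishing aspf=s would take that backup path away.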
Example record
Common pitfalls
- Confirming a sender signature for jane@yourdomain but trying to send from john@yourdomain. Signatures are per-address unless you use a Confirmed Domain. Switch to domain-wide.
- Skipping the Return-Path CNAME. SPF check fails because envelope-from is pm.mtasv.net. DMARC still passes via DKIM alignment, but you have no SPF redundancy if DKIM ever breaks (e.g. body modification by a forwarder).
- Rotating DKIM by deleting the Sender Signature in Postmark before deleting the CNAME. Inbound receivers cache your old selector for hours; mail signed during the gap fails DMARC.
- Using the Postmark sandbox API key in production. Sandbox mail does not get DKIM-signed. Every test message you send fails DMARC.
FAQ
Do I need an SPF include for Postmark?
No apex include is needed. Postmark aligns SPF through a Return-Path CNAME (pm-bounces.yourdomain -> pm.mtasv.net) that makes the envelope-from resolve to Postmark's SPF. DKIM alignment is the primary path; the return-path CNAME adds SPF as a backup.
What DKIM selector does Postmark use?
Postmark assigns a unique selector per confirmed domain rather than a fixed name. You publish a CNAME at <selector>._domainkey.yourdomain pointing to <selector>.dkim.postmarkapp.com, using the exact selector string Postmark shows.
Why does Postmark mail fail DMARC after setup?
Usually because you confirmed a single Sender Signature for one address and are sending from another, or you are using a sandbox API key (sandbox mail is not DKIM-signed). Use a Confirmed Domain and a live API key.
Should I use a Sender Signature or a Confirmed Domain?
Use a Confirmed Domain. A Sender Signature only authenticates one address, while a Confirmed Domain signs every address at your domain, which is what DMARC alignment needs.