Postmark SPF and DKIM setup

What you are setting up

Postmark sends your transactional mail (receipts, password resets) and is built around DKIM. You verify your domain, publish one DKIM record so Postmark signs with your domain, and add one Return-Path CNAME so SPF lines up too. The thing that confuses people most is what you do notdo: you do not add an SPF record to your domain, and you will likely see an “SPF fail” in your DMARC reports that is completely fine. Both explained below.

Verify your domain and publish DKIM

In Postmark, open the Sender Signatures tab and add your domain (a domain lets you send from any address at it; a single Sender Signature only authorizes one specific address). Open the domain's DNS Settings to see the DKIM record:

Type:  TXT
Host:  <selector>pm._domainkey.yourdomain.com
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSq... (the key Postmark shows you)

Postmark's DKIM selector is date-based and assigned per key (something like 2026...pm._domainkey), and it changes when you rotate, so copy the exact host and value from your DNS Settings rather than hardcoding one. Postmark issues managed 1024-bit keys and recommends rotating roughly quarterly; when you rotate, it keeps the old key live for a few days so nothing breaks mid-flight. DKIM signs with d=yourdomain.com, which aligns, so this record alone is enough for Postmark mail to pass DMARC.

Add the Return-Path CNAME (so SPF aligns too)

Add one CNAME for a custom Return-Path:

Type:  CNAME
Host:  pm-bounces.yourdomain.com
Value: pm.mtasv.net

This points your Return-Path at Postmark, which makes the bounce address a subdomain of yours and lets SPF align to your domain. It is not strictly required (DKIM already carries DMARC), but it is recommended: with it, your mail aligns on both SPF and DKIM.

Do you need an SPF record? No.

Postmark deliberately removed the SPF requirement, because inbox providers check SPF against the Return-Path, not your from address. Postmark's sending IPs are covered by SPF on its own return-path domain, so your mail passes SPF without you adding anything. Do not paste a Postmark include into your SPF record; it is unnecessary and just spends one of your ten lookups.

Add DMARC

Standard _dmarc TXT record. Start in monitor-only mode:

Type:  TXT
Host:  _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Postmark also runs a free DMARC monitoring tool at dmarc.postmarkapp.com that emails you a weekly digest; it is separate from this setup. Build your record with our DMARC builder and progress past p=none when reports are clean.

The Postmark gotcha

The classic confusion: you check your DMARC reports, see Postmark mail marked SPF fail, and panic. That is expected and harmless. If you skipped the Return-Path CNAME, Postmark's mail uses its own return-path, so SPF authenticates for Postmark but does not align to your domain, which reads as a fail in the SPF column. DMARC still passes, because DKIM aligns. If you want the SPF column green too, add the pm-bounces CNAME above. Either way, do not weaken your DMARC policy over it.

Confirm it worked

• Verify in Postmark.The domain's DNS Settings show DKIM (and Return-Path) as verified once the records resolve.
• Send a test and read the headers. Trigger a real send, open the message, and confirm d=yourdomain.com on the DKIM signature and dmarc=pass. Our header analyzer spells it out.
• Watch the reports. Postmark should pass DMARC via aligned DKIM. In trustyourinbox it is labeled a known sender, and the source view tells the harmless SPF-alignment quirk apart from a real failure.