← Blog
Set Up DKIM and DMARC for Postmark

By DMARCdrift Team

Set Up DKIM and DMARC for Postmark

5 min readdmarcdkimspfemail-authenticationsetup-guideemail-deliverability

To set up DKIM and DMARC for Postmark: create a domain-level Sender Signature in the Postmark dashboard, add the DKIM TXT record and Return-Path CNAME to your DNS, include spf.mtasv.net in your SPF record, then add a _dmarc TXT record pointing to your reporting address. That covers the full authentication chain. For broader context on getting email right on a new domain, see our email setup guide for new SaaS.

This guide walks through each step in order, with the exact DNS records to add and how to verify everything is working.

What Postmark uses: Sender Signatures

Postmark's authentication model revolves around Sender Signatures. A Sender Signature ties a From address (or an entire domain) to your Postmark account and enables DKIM signing on outbound mail.

You have two options:

  1. Address-level: Create a sender signature for noreply@yourdomain.com, hello@yourdomain.com, etc. Only mail from those addresses gets DKIM-signed.
  2. Domain-level: Create a sender signature for yourdomain.com. Every address on that domain gets signed: noreply@yourdomain.com, support@yourdomain.com, anything. This is simpler at scale.

For most applications, a domain-level sender signature is cleaner.

Step 1: Add a domain sender signature

Log into your Postmark account and go to Sender Signatures. Click Add Sender Signature and select Domain.

Enter your domain (e.g., yourdomain.com). Postmark will generate three pieces of DNS configuration:

  1. A DKIM TXT record at pm._domainkey.yourdomain.com
  2. A Return-Path CNAME at pm-bounces.yourdomain.com pointing to pm.mtasv.net
  3. A verification record (usually a TXT record) to confirm you own the domain

Copy each of these and add them to your DNS provider. If you're using Route53, Cloudflare, or another managed provider, paste the records into their DNS editor.

Step 2: Add the DKIM record

The DKIM record Postmark provides is a TXT record at pm._domainkey.yourdomain.com. It looks like:

pm._domainkey.yourdomain.com TXT "v=DKIM1; h=sha256; p=MIGfMA0GCSq..."

Add this exactly as Postmark shows it. If your DNS provider breaks long TXT records into chunks, that's fine; just paste the whole thing and let the provider handle the formatting.

This record proves to receiving mailservers that Postmark is authorized to sign mail for your domain. (New to how this signing works? Our explainer on what DKIM is covers the mechanics.)

Step 3: Add the Return-Path CNAME

The Return-Path CNAME is:

pm-bounces.yourdomain.com CNAME pm.mtasv.net

This tells receiving mailservers where to send bounce notifications and sets the envelope sender (the SMTP MAIL FROM address) to your domain. Bounces will go to Postmark's infrastructure but appear to come from your domain, which enables SPF alignment and improves deliverability.

Step 4: Configure SPF

If you don't already have an SPF record, create one:

yourdomain.com TXT "v=spf1 include:spf.mtasv.net ~all"

If you already have SPF (because you're using another email service or have existing mail infrastructure), add Postmark's include to your existing record:

yourdomain.com TXT "v=spf1 include:spf.google.com include:spf.mtasv.net ~all"

The order of includes doesn't matter. The ~all (softfail) or -all (fail) at the end stays the same. Just insert include:spf.mtasv.net before the final mechanism.

SPF prevents spoofing by declaring which servers are authorized to send mail from your domain. Postmark's SPF record covers their entire sending infrastructure, so any mail from Postmark will pass the SPF check.

Step 5: Verify in Postmark

Back in the Postmark dashboard, click Verify next to your sender signature. Postmark checks that:

  1. The DKIM TXT record exists and is correct
  2. The Return-Path CNAME points to the right place

Both should show green checkmarks within a few seconds. If not, double-check that the records are exactly as Postmark specified and that your DNS changes have propagated (usually instant, but can take a few minutes). You can confirm the records resolve independently with our email authentication checker.

Once verified, Postmark will sign all outbound mail from your domain with DKIM.

Step 6: Add a DMARC record

Now that DKIM is aligned, add a DMARC record at _dmarc.yourdomain.com:

_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:d-{domain_id}@in.dmarcdrift.com"

Replace {domain_id} with your actual DMARCdrift domain ID (you'll get this when you sign up).

Start with p=none so you can monitor mail without rejecting anything. Postmark will send reports to your rua= address whenever your domain receives mail (whether it passes or fails DMARC checks).

If you're not using DMARCdrift yet, you can set a different rua= address (like your own email) to collect reports manually. But parsing gzipped XML aggregate reports by hand is tedious; that's what DMARCdrift solves.

Test: Send and check headers

Send a test email via your Postmark account or API:

curl https://api.postmarkapp.com/email \
  -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -H "X-Postmark-Server-Token: YOUR_TOKEN" \
  -d '{
    "From": "noreply@yourdomain.com",
    "To": "you@example.com",
    "Subject": "Test",
    "TextBody": "Test email"
  }'

Open the email and view the full headers. Look for the Authentication-Results header:

Authentication-Results: mx.google.com;
  dkim=pass (2048-bit key; unprotected) header.d=yourdomain.com header.s=pm header.b="...";
  spf=pass (google.com: domain of noreply@yourdomain.com designates pm.mtasv.net as permitted sender) ...

The critical parts:

  • dkim=pass with header.d=yourdomain.com (not pm.mtasv.net): alignment success
  • spf=pass: your SPF record is working

If you see dkim=fail or the header.d doesn't match your domain, double-check that the DKIM TXT record was added correctly and that DNS has propagated.

Transactional vs. broadcast

Postmark supports both transactional (triggered, single recipient) and broadcast (marketing, bulk) sending. The authentication setup is identical for both streams. You don't need separate sender signatures or DNS records; one Postmark account, one domain, one DKIM key.

Next: Monitor with DMARC reports

Once your DMARC record is live, aggregate reports will start arriving within 24-48 hours. DMARCdrift turns the XML into a readable digest, free for one domain.

Get started free →