D
DMARC Creator

How to Set Up DMARC for Postmark: Configuration and Alignment Guide

Configure DMARC for Postmark with proper SPF and DKIM alignment. Covers sender signatures, domain verification, and troubleshooting.

Last updated: 2026-04-29

Postmark is a transactional email service known for its focus on deliverability, developer-friendly API, and strict anti-spam policies. If you send email through Postmark using your own domain, configuring DMARC is essential for protecting your domain from spoofing, maintaining your sender reputation, and meeting the authentication requirements that Google, Yahoo, and other inbox providers now enforce.

This guide covers DMARC configuration specifically for Postmark users, with a focus on the SPF and DKIM alignment details that determine whether your messages pass or fail DMARC checks.

How Postmark Handles Email Authentication

Postmark offers two levels of sender verification: Sender Signatures and Domains. Understanding the difference is important because only full domain verification gives you the authentication setup you need for DMARC alignment.

Sender Signatures vs. Domain Verification

A Sender Signature verifies a single email address. It confirms you own that address, but it does not configure DKIM or a custom Return-Path for your domain. This is fine for getting started, but it is not sufficient for DMARC.

Domain verification is what you need. When you verify a full domain in Postmark, the platform provides DNS records that enable both DKIM signing and a custom Return-Path subdomain. This is the foundation for DMARC compliance.

DKIM Signing

When you verify a domain, Postmark provides a single DKIM CNAME record to publish in your DNS. This record points to Postmark's DKIM key infrastructure, and Postmark uses it to sign every outgoing message with a 1024-bit or 2048-bit key tied to your domain. Unlike some providers that require two CNAME records, Postmark keeps this simple with just one.

The DKIM CNAME is typically published at a hostname like <selector>._domainkey.yourdomain.com, where the selector is a value Postmark assigns during verification.

SPF and the Custom Return-Path

Postmark handles SPF through a custom Return-Path subdomain rather than asking you to modify your domain's SPF record directly. During domain verification, Postmark provides a CNAME record that creates a subdomain like pm-bounces.yourdomain.com. This subdomain points to Postmark's infrastructure, and Postmark uses it as the envelope sender (Return-Path) for messages sent from your domain.

When a receiving server checks SPF, it evaluates the Return-Path domain (pm-bounces.yourdomain.com), resolves the CNAME, and finds Postmark's SPF records. SPF passes because the sending IP is authorized for that subdomain.

Domain verification in Postmark is required for DMARC compliance. Go to Sender Signatures in your Postmark dashboard, click Add Domain, and follow the prompts to verify your full domain. Both the DKIM CNAME and Return-Path CNAME must be published and verified before proceeding.

Understanding SPF and DKIM Alignment with Postmark

DMARC requires that at least one of SPF or DKIM "aligns" with the domain in the visible From header. Alignment means the authenticated domain matches the From domain. For a detailed comparison of how these protocols work together, see SPF vs DKIM vs DMARC.

DKIM Alignment

When Postmark signs your messages with DKIM using your verified domain (e.g., yourdomain.com), and your From address is hello@yourdomain.com, DKIM alignment passes because the signing domain matches the From domain.

DKIM alignment is the most reliable method for Postmark users. DKIM signatures survive forwarding, so messages forwarded from one inbox to another will still pass DMARC through DKIM alignment even after the envelope sender changes.

SPF Alignment and the Return-Path Subdomain

SPF alignment depends on the envelope sender (Return-Path), not the From address. Postmark sets the Return-Path to its custom subdomain, like pm-bounces.yourdomain.com. SPF passes for this subdomain because the CNAME resolves to Postmark's infrastructure.

For DMARC SPF alignment under relaxed mode (the default), the envelope sender subdomain just needs to share the same organizational domain as the From address. Since pm-bounces.yourdomain.com and yourdomain.com share the same root domain, relaxed SPF alignment passes.

Under strict alignment (aspf=s), the envelope sender must exactly match the From domain. In that case, pm-bounces.yourdomain.com would not align with yourdomain.com. For most Postmark users, relaxed alignment is the right choice.

Rely on DKIM as your primary alignment mechanism with Postmark. It is more resilient than SPF because it is not affected by forwarding or envelope sender routing.

Setting Up Your DMARC Record

With Postmark's domain verification complete and both DKIM and the custom Return-Path confirmed, you are ready to publish your DMARC record.

1

Confirm Postmark domain verification is complete

In your Postmark dashboard, go to Sender Signatures and select your domain. Verify that both the DKIM CNAME record and the Return-Path CNAME record show as verified. If either is pending, fix the DNS records before proceeding.

2

Generate your DMARC record

Start with a monitoring-only policy: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100;. This collects aggregate reports without affecting delivery, so you can confirm all your sending sources pass before enforcing anything.

3

Add the DMARC record to your DNS

Log in to your DNS provider and create a new TXT record. Set the name to _dmarc (the full hostname will be _dmarc.yourdomain.com) and set the value to your DMARC record string.

4

Save and wait for propagation

Save the record. DNS propagation typically takes a few minutes to a couple of hours. You can check propagation by querying your domain periodically.

5

Verify the record

Check your record at dmarcrecordchecker.com. Confirm it is valid, displays the correct policy, and includes your reporting address.

Create your DMARC record

Use our free DMARC generator to build a valid record for your domain.

Generate DMARC Record

Recommended DMARC Record for Postmark Users

For most Postmark users, this starting record works well:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; adkim=r; aspf=r; pct=100;

The adkim=r and aspf=r tags explicitly set relaxed alignment for both DKIM and SPF. While relaxed is the default, including them makes your configuration clear and avoids ambiguity.

After monitoring with p=none for at least two weeks and confirming all legitimate sources pass, progressively move toward enforcement:

Soft enforcement: v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=25;

Full enforcement: v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; pct=100;

For more details on the progression from monitoring to enforcement, see our guide on DMARC policy levels.

Troubleshooting Postmark DMARC Alignment Failures

DKIM Alignment Failing

If your DMARC reports show DKIM failures for messages sent through Postmark, check:

  • Domain verification is complete. In your Postmark dashboard under Sender Signatures, confirm the DKIM CNAME record status is verified. If it shows as unverified, the CNAME may be missing or have a typo.
  • The DKIM CNAME record is still in your DNS. DNS provider migrations or zone file resets can remove the record. Verify it is still published at the correct hostname. You can check this at dkimcreator.com.
  • Your From address matches the verified domain. If you verified yourdomain.com but send from anotherdomain.com, DKIM alignment will fail because the signing domain does not match the From domain.
  • You are using a Sender Signature instead of a verified domain. Sender Signatures verify individual addresses but do not enable DKIM for your domain. Switch to full domain verification.

SPF Alignment Failing

SPF alignment failures with Postmark are usually caused by:

  • The Return-Path CNAME is missing or unverified. Confirm the Return-Path CNAME record Postmark provided is published in your DNS and shows as verified in the dashboard. Without it, Postmark cannot use a subdomain of your domain as the envelope sender.
  • Strict alignment mode in your DMARC record. If you set aspf=s, the Return-Path subdomain (pm-bounces.yourdomain.com) will not align with yourdomain.com. Switch to aspf=r (relaxed) unless you have a specific reason for strict mode.
  • DNS provider CNAME flattening issues. Some DNS providers flatten CNAME records in ways that break the Return-Path resolution. If SPF fails intermittently, check whether your DNS provider supports CNAME records at the subdomain Postmark requires.

Multiple Sending Services

If you use Postmark alongside other email services (your corporate email provider, a marketing platform, a helpdesk tool), each service needs its own authentication. Your SPF record must include all of them, and each should have DKIM configured for your domain. Review your DMARC aggregate reports to identify which services are failing and fix their authentication before tightening your DMARC policy.

Do not move to p=reject until every legitimate sending source passes DMARC. Developers integrating Postmark alongside other transactional or marketing services should verify authentication for each one individually. One misconfigured service can cause critical transactional emails to get blocked.

Postmark-Specific Best Practices

Always use full domain verification. Do not rely on individual Sender Signatures for production sending. Only full domain verification enables DKIM signing and a custom Return-Path, both of which are required for DMARC alignment. Developers integrating Postmark via API should also review our DMARC for developers guide for implementation patterns.

Use Postmark's DMARC weekly digest tool. Postmark offers a free DMARC monitoring tool that sends you a weekly summary of your DMARC aggregate reports in a human-readable format. This is an excellent complement to your DMARC record's rua reporting, especially during the monitoring phase when you are reviewing results before enforcement.

Keep your Return-Path CNAME active. Unlike SPF includes that you manage directly, Postmark's SPF alignment depends on the Return-Path CNAME record pointing to their infrastructure. If you migrate DNS providers or clean up records, make sure this CNAME is preserved.

Monitor bounce rates and deliverability. Postmark provides detailed analytics on delivery, bounces, and spam complaints. A sudden spike in bounces or complaints can signal authentication issues that affect your DMARC results. Postmark's strict sending policies mean your account health directly impacts deliverability.

Complete your authentication stack

DMARC works alongside SPF and DKIM. Build a comprehensive SPF record at spfcreator.com that includes all your sending services. Verify your DKIM configuration at dkimcreator.com for any services that need it.

Related Articles

Monitor Your DMARC Record

You've created your DMARC record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.

Never miss a DMARC issue

Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.

Start Monitoring