
Postmark SPF, DKIM & DMARC Setup Guide

Set up email authentication for Postmark. SPF include: spf.mtasv.net. Uses 1 DNS lookup. Step-by-step DKIM and DMARC configuration.

Last updated Feb 27, 2026

SPF Configuration

include:spf.mtasv.net
DNS Lookup Budget: 1 / 10

Each include, a, mx, and redirect costs a DNS lookup. SPF allows a maximum of 10.

This provider uses 1 of your 10 DNS lookups.
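How the budget is spent once Postmark is added to an existing record, as an added example (not Postmark's or this site's code). It also counts ptr and exists, which RFC 7208 charges against the same limit. The zone contents, including the stand-in for spf.mtasv.net, are constructed.

```python
# Constructed zone data standing in for live DNS. The spf.mtasv.net entry is
# a placeholder consistent with the "1 lookup" figure above, not Postmark's
# published record; every other name is hypothetical.
ZONE = {
    "spf.mtasv.net": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_spf.mail.example": "v=spf1 include:a.mail.example include:b.mail.example ~all",
    "a.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "b.mail.example": "v=spf1 a mx ~all",
    "crm.example": "v=spf1 include:a.mail.example exists:%{i}.rbl.example ~all",
}

# Terms that trigger a DNS query during evaluation (RFC 7208, section 4.6.4);
# the redirect modifier is handled separately below.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}
LIMIT = 10

def count_lookups(record, zone):
    """Count lookup-costing terms, descending into include and redirect."""
    total = 0
    for term in record.split()[1:]:            # skip the "v=spf1" version tag
        term = term.lstrip("+-~?").lower()     # drop the qualifier
        if term.startswith("redirect="):
            total += 1 + count_lookups(zone[term.split("=", 1)[1]], zone)
            continue
        mech, _, arg = term.partition(":")
        mech = mech.split("/", 1)[0]           # "a/24" -> "a"
        if mech in LOOKUP_MECHS:
            total += 1
            if mech == "include":              # nested records count too
                total += count_lookups(zone[arg], zone)
    return total

def verdict(record, zone=ZONE):
    """Return (lookup count, 'ok' or 'permerror') for a top-level record."""
    n = count_lookups(record, zone)
    return n, "ok" if n <= LIMIT else "permerror"

# Hypothetical existing record that already sits exactly at the limit.
BEFORE = "v=spf1 a mx include:_spf.mail.example include:crm.example ~all"
AFTER = BEFORE.replace(" ~all", " include:spf.mtasv.net ~all")

if __name__ == "__main__":
    print("before adding Postmark:", verdict(BEFORE))
    print("after adding Postmark: ", verdict(AFTER))
```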

DKIM Configuration

Selector(s): auto-generated, date-based, e.g. 20230601123456pm
Key Type: 2048-bit RSA (DKIM TXT record) or CNAME-delegated rotation
Setup: Postmark > Sender Signatures > DNS Settings > Add DKIM TXT record + Return-Path CNAME

Setup steps may change — refer to Postmark's current documentation for the latest instructions.

DMARC Alignment

Alignment Mode: relaxed
Notes: Custom return-path CNAME (pm-bounces) enables SPF alignment with your domain.

Common Issues

  • DMARC alignment failure — missing custom return-path CNAME record

  • SPF PermError — too many lookups after adding Postmark to existing record

  • DKIM verification failure — Cloudflare proxy (orange cloud) on CNAME records


Overview

Postmark (now part of ActiveCampaign, originally built by Wildbit) is a developer-focused transactional email service known for its emphasis on deliverability and fast delivery times. Its SPF record uses include:spf.mtasv.net, costing 1 DNS lookup. Postmark is a common choice for SaaS applications that prioritize reliable transactional email over bulk marketing sends.

DKIM in Postmark uses an auto-generated, date-stamped selector (e.g., 20230601123456pm) with a 2048-bit RSA key. The DKIM record is published as a TXT record in your domain's DNS. Because the DKIM record is a direct TXT record rather than a CNAME delegation, key rotation requires you to update the DNS record manually when Postmark generates a new key.

SPF alignment under DMARC depends on configuring Postmark's custom return-path. This is a CNAME record that points pm-bounces.yourdomain.com to Postmark's bounce handling domain. Without this record, the return-path on outbound messages uses mtasv.net, causing SPF alignment to fail in DMARC evaluation. DKIM alignment works as soon as the DKIM TXT record is published and verified.

Additional Setup Notes

Cloudflare Proxy Interference

Cloudflare users must ensure that the return-path CNAME record is set to DNS-only mode (grey cloud icon). Cloudflare's proxy (orange cloud) intercepts CNAME resolution and can break the return-path verification that Postmark relies on for SPF alignment. This applies to any DNS provider that offers HTTP proxying — if the CNAME is being proxied, the return-path won't resolve to Postmark's infrastructure and bounce handling will fail.

The same caution applies to the DKIM record if you ever use a CNAME for DKIM delegation (some advanced configurations). However, since Postmark's standard DKIM setup uses a TXT record, Cloudflare proxying doesn't affect DKIM directly — TXT records aren't proxied.

DKIM Key Rotation (Manual Process)

Postmark's DKIM TXT record approach means you control the record directly, but it also means key rotation is a manual process. When Postmark generates a new DKIM key, you'll need to update the TXT record in your DNS. Watch for email notifications from Postmark about pending key rotations.

The rotation process works like this: Postmark generates a new key and begins signing with it. You have a grace period (typically 7-14 days) to publish the new TXT record. During this window, Postmark signs with both the old and new keys. After you publish the new record and Postmark verifies it, the old key is retired. If you miss the window and don't update the DNS, DKIM verification will start failing for your messages.

This manual rotation is the trade-off for having direct TXT record control. If you prefer automated rotation, some providers use CNAME delegation instead — but with Postmark, you get direct control at the cost of manual updates.

Return-Path CNAME Setup

The return-path CNAME setup is the most commonly missed step in Postmark configuration. Without it, SPF technically passes (the SPF check succeeds against mtasv.net), but DMARC alignment fails because the return-path domain doesn't match your From domain. This distinction trips up many administrators who see "SPF pass" in headers but still get DMARC failures.

The CNAME record typically points pm-bounces.yourdomain.com to a Postmark-provided target domain. The exact target varies by account — check the Sender Signatures section in your Postmark dashboard for the correct value. Don't guess the target or copy it from another account; it's account-specific.

Message Streams and Server Separation

Postmark organizes sending through "Servers" and "Message Streams" (transactional vs. broadcast). Each server in your Postmark account can have its own sender signatures and authentication records. If you use multiple Postmark servers for different applications, each server that sends from your domain should use the same DKIM and return-path records — the authentication is per-domain, not per-server.

However, if different Postmark servers send from different domains, each domain needs its own set of DNS records. The SPF include (spf.mtasv.net) covers all Postmark sending regardless of server or stream.

Troubleshooting

SPF Pass But DMARC Fail

This is the most common Postmark issue and almost always traces back to a missing return-path CNAME. The diagnostic path:

  1. Check the Return-Path header on a message sent through Postmark. If it shows an @mtasv.net address, the custom return-path is not configured.
  2. In the Postmark dashboard, go to Sender Signatures > DNS Settings. The return-path CNAME target will be listed there.
  3. Publish the CNAME record and wait for Postmark to verify it. Once verified, new messages will use your domain in the return-path.
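The header check from step 1, as an added example (not Postmark tooling): it reads a message's own Return-Path, From and Authentication-Results headers and reports whether SPF or DKIM is aligned under relaxed DMARC. The headers, the bounce local part and the receiver name are constructed, and org_domain is a simplifying assumption in place of the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers, not a real message. Return-Path is still on mtasv.net
# (no pm-bounces CNAME yet) and the DKIM record is stale, so DKIM fails.
SAMPLE = """\
Return-Path: <bounce-123@mtasv.net>
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounce-123@mtasv.net;
 dkim=fail header.d=example.com header.s=20230601123456pm
From: App <notify@example.com>
Subject: constructed sample

body
"""

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real DMARC
    # evaluators use the Public Suffix List (needed for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def diagnose(raw):
    """Evaluate relaxed DMARC alignment from a message's own headers."""
    msg = message_from_string(raw)
    from_org = org_domain(parseaddr(msg["From"] or "")[1].rsplit("@", 1)[-1])
    rp_domain = parseaddr(msg["Return-Path"] or "")[1].rsplit("@", 1)[-1].lower()
    results = " ".join(msg.get_all("Authentication-Results", []))
    spf_pass = re.search(r"\bspf=pass\b", results) is not None
    # header.d of each DKIM signature the receiver reported as passing
    dkim_ok = re.findall(r"\bdkim=pass\b[^;]*?\bheader\.d=([\w.-]+)", results)
    spf_aligned = spf_pass and org_domain(rp_domain) == from_org
    dkim_aligned = any(org_domain(d) == from_org for d in dkim_ok)
    return {
        "return_path_domain": rp_domain,
        "spf_pass": spf_pass,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if spf_aligned or dkim_aligned else "fail",
    }

# The same message once the return-path CNAME is verified (constructed).
FIXED = SAMPLE.replace("@mtasv.net", "@pm-bounces.example.com")

if __name__ == "__main__":
    print(diagnose(SAMPLE))
    print(diagnose(FIXED))
```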

DKIM Verification Failure After Key Rotation

If DKIM starts failing suddenly, check whether Postmark recently rotated the key. Look for a notification email from Postmark about a new DKIM record. If the key was rotated and you didn't update the TXT record, verification will fail for all messages signed with the new key.

To fix: log into the Postmark dashboard, go to Sender Signatures > DNS Settings, copy the current DKIM TXT record value, and update your DNS. Verification should resume once the updated record propagates (usually within an hour, depending on your DNS TTL).

Long DKIM TXT Record Values

Postmark's 2048-bit DKIM keys produce TXT record values that exceed the 255-character single-string limit in DNS. Most modern DNS providers handle this automatically by splitting the value into multiple quoted strings within a single TXT record. If your DKIM verification fails and the key looks correct, check whether your DNS provider is truncating the value. Query the record directly with dig TXT <selector>._domainkey.yourdomain.com and compare the output character-for-character with what Postmark provided.
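One way to do that comparison, as an added example (not Postmark tooling): it joins the quoted strings dig prints for a single TXT record, then compares the p= value with the one from the dashboard and flags truncation. The key material is a constructed placeholder of the right length, not a real Postmark key, and the function names are hypothetical.

```python
import base64
import re

def join_txt_strings(dig_rdata):
    """Concatenate the quoted character-strings of one TXT record as a
    verifier does: no separator is inserted between the pieces."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', dig_rdata)
    return "".join(parts)

def dkim_tags(record):
    """Split 'k=rsa; p=...' into a dict; whitespace inside values is dropped."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags

def check_published(dig_rdata, expected_record):
    """Compare what DNS serves with the value copied from the dashboard."""
    published = dkim_tags(join_txt_strings(dig_rdata))
    expected = dkim_tags(expected_record)
    pub_p, exp_p = published.get("p", ""), expected.get("p", "")
    try:
        key_bytes = len(base64.b64decode(pub_p, validate=True))
    except ValueError:
        key_bytes = None          # cut mid-group or not base64 at all
    return {
        "match": pub_p == exp_p,
        "truncated": pub_p != exp_p and exp_p.startswith(pub_p),
        "published_chars": len(pub_p),
        "key_bytes": key_bytes,
    }

# Constructed stand-in for a 2048-bit RSA public key: 294 placeholder bytes,
# the usual DER length of such a key, giving 392 base64 characters.
EXPECTED = "k=rsa; p=" + base64.b64encode(bytes(range(256)) + bytes(38)).decode()

def as_dig_rdata(record, size=255):
    """Render a record the way dig prints it: quoted strings of <=255 chars."""
    return " ".join(f'"{record[i:i + size]}"' for i in range(0, len(record), size))

GOOD = as_dig_rdata(EXPECTED)        # two strings, served intact
BAD = f'"{EXPECTED[:255]}"'          # provider kept only the first string

if __name__ == "__main__":
    print("intact:   ", check_published(GOOD, EXPECTED))
    print("truncated:", check_published(BAD, EXPECTED))
```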

Postmark with ActiveCampaign Marketing Emails

Since Postmark is now part of ActiveCampaign, organizations that use both services need separate authentication records. Postmark handles transactional email (include:spf.mtasv.net) while ActiveCampaign handles marketing automation (its own SPF include). These are separate infrastructure stacks despite shared ownership — you need both includes in your SPF record if you use both services. If you're using Postmark alongside other providers and the 10-lookup limit is becoming tight, Managed SPF can flatten spf.mtasv.net and your other includes into direct IP references.

Bounce Handling and Suppression Lists

Postmark automatically suppresses addresses that hard-bounce or file spam complaints. If a recipient stops receiving your transactional emails, check Postmark's suppression list before investigating DNS issues. Suppressed addresses return a 406 Not Acceptable error through the API. Reactivation requires manual intervention in the Postmark dashboard — this is a deliverability safeguard, not an authentication issue, but it's frequently misdiagnosed as a DKIM or SPF problem.
