In your Postmark account, go to Sender Signatures, add your domain, and open DNS Settings; Postmark displays a DKIM public key value to publish as a TXT record at a selector subdomain (for example 20231201._domainkey.yourdomain.com).
Add the TXT record to your DNS exactly as shown; allow up to 48 hours for propagation, after which Postmark marks the record as verified in the dashboard.
For SPF alignment, add a CNAME record with host pm-bounces.yourdomain.com pointing to pm.mtasv.net; this sets a custom Return-Path (envelope sender) under your own domain, enabling SPF to pass and align with your From header domain under DMARC.
Confirm both records are verified in the Postmark Sender Signatures dashboard before sending production mail; unverified domains fall back to Postmark's shared domain, which does not achieve alignment.
Add a DMARC record at _dmarc.yourdomain.com if one does not exist; with both DKIM and SPF alignment in place, you can safely advance the DMARC policy over time.
To test alignment, send a message through Postmark to a test mailbox and inspect the Authentication-Results header; look for dkim=pass and spf=pass with the correct domain.
Known gotchas
If your DNS provider limits TXT record length to 255 characters, you may need to split the Postmark DKIM public key value into multiple quoted strings; contact your DNS provider's support for guidance on string-splitting syntax.
The pm-bounces CNAME must be at a subdomain of your sending domain; you cannot use a completely different domain as the Return-Path and achieve SPF alignment for DMARC purposes.
Postmark does not automatically rotate its DKIM keys; if Postmark announces a key rotation event, you must update the TXT record in your DNS to the new value they provide.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp