DKIM (DomainKeys Identified Mail, RFC 6376) is the cryptographic signature attached to outgoing email so receivers can verify the message wasn't tampered with and that it actually came from a server authorized by your domain. To turn it on for Postmark, you publish one or more DNS records at `<selector>._domainkey.<your-domain>` containing the public key matching the private key Postmark uses to sign.
Most ESPs (including Postmark) ask you to publish CNAME records that point at hosted keys they manage. This is preferable to publishing the raw key text yourself — when the provider rotates keys, your DNS keeps pointing to the rotated key and nothing breaks.
Publish these DNS records
Add the following record(s) to your domain's DNS zone. Most registrars (Cloudflare, Route 53, Namecheap, GoDaddy) accept values exactly as shown.
- Type
TXT- Host
<token>._domainkey- Value
k=rsa; p=<KEY_FROM_POSTMARK>
- Postmark issues a per-domain selector token (e.g. `20231201abcd`). The DKIM record is published as TXT containing the raw RSA public key.
- Postmark also offers DKIM rotation; when you rotate, the new key is issued under a new selector and the old selector stays valid for ~30 days for in-flight signatures.
Where in Postmark
The DKIM configuration lives in Postmark → Sender Signatures → Add Domain → DNS.
Verify the records
After the records propagate, run the DKIM Checker against your domain with each selector to confirm the public key resolves and parses correctly.
dig +short TXT <selector>._domainkey.your-domain.comCommon pitfalls
- Postmark's anti-spam team will pause your account if you send marketing mail through it. Use a separate ESP for newsletters or promotional content.
- The Return-Path on Postmark mail is `pm.mtasv.net` by default. Set up a custom Return-Path domain for SPF alignment if you need DMARC to pass on SPF as well as DKIM.