SPF (Sender Policy Framework, RFC 7208) authorizes specific servers to send mail for your domain. When you start sending through Postmark, you must publish a single SPF record at your domain apex that includes Postmark's sending infrastructure — otherwise the messages will fail SPF, your DMARC checks will fail, and your mail will land in spam or be rejected outright.
If you already publish SPF for another sender (Google Workspace for inbound, a marketing tool, your CRM), do not publish a second record. Merge the new include into the existing record. RFC 7208 §3 forbids multiple SPF records on the same name and receivers MUST return permerror when they see one.
Publish these DNS records
Add the following record(s) to your domain's DNS zone. Most registrars (Cloudflare, Route 53, Namecheap, GoDaddy) accept values exactly as shown.
- Type
TXT- Host
@- Value
v=spf1 a mx include:spf.mtasv.net ~all
- Postmark's docs include `a mx` mechanisms by default — these add 2 to your SPF lookup count. Drop them if you don't actually need apex A or MX records to pass SPF.
Where in Postmark
The SPF configuration lives in Postmark → Sender Signatures → Add Domain → DNS.
Verify the records
Once published, run the SPF Checker on your domain to verify the lookup chain expands cleanly and stays under the 10-DNS-lookup limit.
dig +short TXT your-domain.comCommon pitfalls
- Postmark's anti-spam team will pause your account if you send marketing mail through it. Use a separate ESP for newsletters or promotional content.
- The Return-Path on Postmark mail is `pm.mtasv.net` by default. Set up a custom Return-Path domain for SPF alignment if you need DMARC to pass on SPF as well as DKIM.