Postmark DMARC Alignment by Default
If you're sending emails, especially transactional emails, you've likely encountered DMARC, SPF, and DKIM. Getting these protocols configured correctly can be a headache, often leading to emails failing DMARC checks, landing in spam, or worse, not being delivered at all.
One of the consistent bright spots in the email ecosystem for DMARC alignment is Postmark. Unlike some other email service providers (ESPs) that require intricate manual configurations or rely on less robust methods, Postmark is designed from the ground up to achieve DMARC alignment by default, provided you follow their setup instructions. This article will explain how Postmark achieves this, why it matters, and what to watch out for.
Understanding DMARC Alignment: A Quick Refresher
Before diving into Postmark's specifics, let's quickly recap what DMARC alignment means. DMARC (Domain-based Message Authentication, Reporting, and Conformance) relies on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to verify email authenticity. For a DMARC check to pass, at least one of these authentication methods must pass and be "aligned" with the From: header domain.
- SPF Alignment: The domain in the Return-Path (also known as the envelope sender or mfrom) must either exactly match (strict alignment) or be a subdomain of (relaxed alignment) the From: header domain.
- DKIM Alignment: The domain specified in the d= tag of the DKIM signature must either exactly match (strict alignment) or be a subdomain of (relaxed alignment) the From: header domain.
If neither SPF nor DKIM aligns, the email fails DMARC. Depending on your DMARC policy (p=quarantine or p=reject), this can lead to messages being marked as spam or outright rejected.
How Postmark Achieves DMARC Alignment Out-of-the-Box
Postmark's approach to DMARC alignment is elegant and effective, primarily leveraging CNAME records to delegate control of your sending domain's authentication to their infrastructure.
SPF Alignment with a Custom Return-Path
Postmark ensures SPF alignment by using a custom Return-Path (envelope sender) domain that is a subdomain of your primary sending domain. When you configure Postmark to send emails for yourdomain.com, they instruct you to set up a CNAME record that allows them to manage the SPF records for a specific subdomain.
Here's how it works:
- CNAME for Return-Path: You add a CNAME record to your DNS. For instance, if your sending domain is example.com, you'll likely add a record like this: pm-bounces.example.com CNAME pm.mtasv.net
- Dynamic Return-Path: When Postmark sends an email on your behalf, it sets the Return-Path header to something like pm_bounces@pm-bounces.example.com.
- SPF Check: The receiving mail server performs an SPF check against pm-bounces.example.com. Because this subdomain CNAMEs to pm.mtasv.net, Postmark's infrastructure handles the SPF validation, which passes.
- DMARC Alignment: Since pm-bounces.example.com is a subdomain of example.com (your From: header domain), this satisfies DMARC's relaxed SPF alignment requirements.
This method is robust because it doesn't require you to modify your main domain's SPF record to include Postmark's IPs, avoiding potential issues with SPF's 10-DNS-lookup limit.
DKIM Alignment with Your Domain
DKIM is generally more resilient to forwarding and other email routing changes than SPF. Postmark ensures DKIM alignment by signing your emails directly with your domain.
- CNAME for DKIM: Similar to SPF, you set up a CNAME record for DKIM. For example.com, this would look like: pm._domainkey.example.com CNAME pm.mtasv.net
- Signature with Your Domain: Postmark then signs all outgoing emails using a DKIM key associated with example.com. The d= tag in the DKIM-Signature header will explicitly state your domain: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=pm; ...
- DMARC Alignment: The receiving server verifies this signature using the public key published at pm._domainkey.example.com. Since the d=example.com matches your From: header domain, this achieves strict DKIM alignment, which is the strongest form of alignment.
By default, Postmark's setup ensures that both SPF and DKIM will align with your From: domain, making DMARC failures due to authentication issues highly unlikely, provided your DNS is correctly configured.
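The alignment rules described above, as an added example (not Postmark's code and not part of the original article): it parses a constructed message that uses the article's example.com record names and applies the article's exact-match or subdomain rule to the Return-Path and DKIM d= domains. It assumes SPF and DKIM have already passed and evaluates alignment only; all function names are illustrative.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message, using the record names shown in this article.
SAMPLE = """\
Return-Path: <pm_bounces@pm-bounces.example.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=pm;
 h=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: Billing <billing@example.com>
Subject: Your receipt

Body
"""

def domain_of(header_value):
    """Return the lowercased domain of the address in a header value."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower().rstrip(".")

def dkim_tags(header_value):
    """Parse a DKIM-Signature header into a {tag: value} dict."""
    tags = {}
    for part in (header_value or "").split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def aligned(auth_domain, from_domain, strict=False):
    """Alignment as defined in this article: exact match, or (relaxed) subdomain.
    Simplification: RFC 7489 relaxed mode compares Organizational Domains,
    which requires the Public Suffix List."""
    if not auth_domain or not from_domain:
        return False
    if auth_domain == from_domain:
        return True
    # The leading dot stops lookalikes such as notexample.com from matching.
    return not strict and auth_domain.endswith("." + from_domain)

def check_alignment(raw_message, strict=False):
    """Report which identifiers align with From: (alignment only, see lead-in)."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    spf_ok = aligned(domain_of(msg["Return-Path"]), from_dom, strict)
    sigs = msg.get_all("DKIM-Signature", [])
    dkim_ok = any(aligned(dkim_tags(s).get("d", "").lower(), from_dom, strict) for s in sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_aligned": spf_ok or dkim_ok}
```

Calling check_alignment(SAMPLE, strict=True) shows why the DKIM path matters: the pm-bounces subdomain no longer aligns for SPF, but d=example.com still matches From: exactly.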
When Things Go Sideways: Pitfalls and Edge Cases
While Postmark makes DMARC alignment straightforward, it's not entirely foolproof. Here are some common pitfalls and edge cases to be aware of:
- Missing or Incorrect DNS Records: This is, by far, the most common reason for alignment failures. If you don't set up