DKIM for Postmark: Domain Authentication Setup Guide
How to set up DKIM for Postmark. Step-by-step guide covering sender signature verification, DNS records, and DKIM configuration.
Last updated: 2026-04-25
This guide is part of our Transactional and API series.
Postmark is built for transactional email, and it takes deliverability seriously. But even with Postmark's strong sending reputation, your emails still need proper authentication to reach inboxes reliably. DKIM is a key part of that authentication. Without it, receiving servers have no way to verify that emails claiming to come from your domain were actually authorized by you.
Setting up DKIM in Postmark is straightforward. Postmark generates the DKIM key for you and provides a DNS record to add to your domain. Once verified, every email Postmark sends on your behalf gets signed automatically. This guide walks you through the full process.
Postmark requires both DKIM and return-path verification before you can send from a domain. Setting up DKIM isn't optional - it's part of the standard domain configuration process.
Why DKIM Matters for Postmark
Postmark already has a strong sender reputation, but DKIM adds a layer of trust that's tied directly to your domain. When a receiving server sees a DKIM signature on your transactional email, it can verify that the message hasn't been tampered with and that you authorized Postmark to send on your behalf.
Without DKIM, your transactional emails - password resets, order confirmations, account notifications - are more likely to be delayed, filtered, or flagged as suspicious. For business-critical messages, that's a problem you want to avoid.
DKIM also plays an important role in DMARC alignment. If you have a DMARC policy (and you should), DKIM helps your Postmark emails pass alignment checks so they're covered by your domain's authentication policy.
How Postmark Handles DKIM
Postmark manages DKIM through its Sender Signatures feature. When you add a domain as a sender signature, Postmark generates a DKIM key pair behind the scenes. You receive a TXT record containing the public key, which you add to your DNS. Postmark keeps the private key and uses it to sign every outgoing email from that domain.
Postmark uses a date-based selector format: YYYYMMDD.pm._domainkey. For example, you might see a selector like 20260618.pm._domainkey. This format makes it easy to identify when a key was created and distinguishes Postmark's records from those of other email services.
One helpful feature is that Postmark handles key rotation automatically. Periodically, Postmark generates new DKIM keys and prompts you to update the DNS record. This keeps your authentication current without you having to track rotation schedules yourself.
Setting Up DKIM in Postmark
Add your domain in Postmark
Log in to your Postmark account and go to Sender Signatures. Click Add Domain and enter the domain you want to send from (e.g., yourdomain.com). Postmark will generate the authentication records you need.
Copy the DKIM DNS record
After adding your domain, Postmark displays a DKIM TXT record. You'll see a hostname (the selector, like 20260618.pm._domainkey.yourdomain.com) and a value containing the public key. Copy both the hostname and the value exactly as shown.
Add the TXT record to your DNS
Log in to your DNS provider (GoDaddy, Cloudflare, Namecheap, etc.) and create a new TXT record. Paste the hostname and value from Postmark. Some DNS providers auto-append your domain to the hostname, so check that you don't end up with a doubled domain name.
Add the return-path record
Postmark also provides a return-path CNAME record. Add this to your DNS as well. Postmark requires both DKIM and return-path verification before your domain is fully authenticated.
Verify in Postmark
Go back to Postmark and click Verify next to your domain. Postmark checks your DNS for the records. If verification doesn't succeed immediately, wait 15 - 30 minutes for DNS propagation and try again.
Need custom DKIM keys?
Generate your own DKIM key pairs for advanced configurations or services that don't provide built-in key management.
Postmark DKIM DNS Record Format
Here's what the DNS record looks like when you add it to your domain:
| Field | Value |
|---|---|
| Type | TXT |
| Host/Name | `YYYYMMDD.pm._domainkey` (e.g., `20260618.pm._domainkey`) |
| Value | Provided by Postmark (contains the public key) |
| TTL | 3600 (or your provider default) |
Always copy the DNS record values directly from the Postmark dashboard. The selector includes a specific date and the public key value is unique to your domain. Using examples from documentation will not work.
Key Rotation in Postmark
One of the advantages of using Postmark is automatic DKIM key rotation. Postmark periodically generates new DKIM keys to maintain strong security. When a new key is ready, Postmark notifies you and provides an updated DNS record.
When you receive a key rotation notification:
- Log in to Postmark and go to Sender Signatures
- Find the domain with the pending key rotation
- Copy the new DKIM TXT record
- Update the TXT record in your DNS with the new values
- Verify the new record in Postmark
Keep the old DNS record in place until the new one is verified. This ensures there's no gap in authentication during the transition. Once Postmark confirms the new key is active, you can safely remove the old record.
Using Postmark with Other Email Services
Many businesses use Postmark for transactional email alongside another service for marketing email (like Mailchimp or HubSpot). Since each service uses its own DKIM selector, there's no conflict. Postmark's YYYYMMDD.pm selector won't interfere with selectors from other providers.
You can have multiple DKIM records on the same domain - one for each email service. Each service signs emails with its own key, and receiving servers check the correct record based on the selector specified in the email header.
Multiple services on one domain
If you're using Postmark alongside other email services, make sure each service has its own DKIM record in your DNS. They don't conflict with each other. Check our guide on managing DKIM for multiple senders for more details.
Troubleshooting Postmark DKIM
Verification fails in Postmark
- Confirm the TXT record hostname matches exactly what Postmark shows - watch for DNS providers that auto-append your domain name
- Check that the full public key value was copied without truncation (it's a long string)
- Wait at least 30 minutes for DNS propagation before retrying
DKIM passing but return-path not verified
- Postmark requires both records. Make sure the return-path CNAME record is also in your DNS
- The return-path record is a CNAME, not a TXT record - double-check the record type
Emails still landing in spam
- Verify that DMARC is configured for your domain alongside DKIM
- Check that your From address matches the authenticated domain
- Review your sending patterns - even with authentication, sending practices affect deliverability
Key rotation notification received
- Don't ignore it. Update your DNS record with the new values from Postmark
- The old key continues working until you complete the rotation, but delaying increases security risk
- After updating DNS, return to Postmark to verify the new record
Related Articles
References
- RFC 6376 — DomainKeys Identified Mail (DKIM) Signatures
- Postmark official documentation — DKIM setup
Using Postmark for transactional email? Make sure your domain authentication is complete so every message reaches the inbox.
Generate DKIM keys for any email service
Create DKIM key pairs instantly. Free, secure, and generated entirely in your browser.
Generate DKIM Keys