SPF for Postmark: Setup Guide and Best Practices
Configure SPF for Postmark with the correct include statement. Covers domain authentication, existing records, and verification.
Last updated: 2026-05-22
Postmark has built a strong reputation for high deliverability transactional email. It is the go-to choice for businesses that need application emails — password resets, order confirmations, account notifications — to reach inboxes reliably. But even with Postmark's excellent infrastructure, your emails still need proper SPF configuration to authenticate correctly.
For a comprehensive overview of SPF, see our complete SPF guide. This guide walks you through setting up SPF for Postmark, completing their full domain authentication process, and verifying everything works.
The Postmark SPF Include
To authorize Postmark to send email for your domain, add this include to your SPF record (Postmark SPF guide):
include:spf.mtasv.net
This include covers all of Postmark's shared sending infrastructure. The domain spf.mtasv.net is maintained by Postmark — when their IP addresses change, they update this record so you do not have to.
Why mtasv.net?
The domain spf.mtasv.net belongs to Postmark (MTASV stands for "mail transfer agent server"). It is not a typo or third-party domain. This is the official SPF include that Postmark has used for years and continues to maintain.
Setting Up SPF for Postmark
Before making changes, check whether your domain already has an SPF record. You can only have one SPF record per domain, so you need to know if you are creating a new one or editing an existing one.
Add your domain in Postmark
Log into your Postmark account and go to Sender Signatures (or Sending Domains, depending on your account type). Click "Add Domain" and enter the domain you want to send from.
Get your DNS records from Postmark
After adding your domain, Postmark displays the DNS records you need to configure. This includes records for SPF, DKIM, and Return-Path. Take note of all of them — you will need all three for complete authentication.
Log into your DNS provider
Go to your domain registrar or DNS hosting provider — see our guides for Cloudflare, GoDaddy, or Namecheap. Navigate to the DNS management section.
Add or update your SPF record
If you do not have an existing SPF record, create a new TXT record with this value:
v=spf1 include:spf.mtasv.net ~all
If you already have an SPF record, add the Postmark include to it. For example, if your current record is v=spf1 include:_spf.google.com ~all, change it to:
v=spf1 include:_spf.google.com include:spf.mtasv.net ~all
Set the Name/Host field to @ (or leave it blank, depending on your provider).
Add the DKIM and Return-Path records
While you are in your DNS settings, add the DKIM and Return-Path (CNAME) records that Postmark provided. These are essential for full authentication and deliverability.
Verify in Postmark
Go back to Postmark and click "Verify" next to each DNS record. Postmark checks your DNS and confirms when each record is properly configured. DNS propagation typically takes 1-4 hours but can take up to 48 hours.
Postmark's Full Domain Authentication
What sets Postmark apart from many email services is their emphasis on complete domain authentication. They do not just ask for SPF — they guide you through setting up all three layers:
SPF — Authorizes Postmark's servers to send email for your domain (the include:spf.mtasv.net you just added).
DKIM — Adds a cryptographic signature to every email, proving it was not tampered with in transit. Postmark provides DKIM records as CNAME entries to add to your DNS.
Return-Path (CNAME) — Aligns the bounce address with your domain. This is important for SPF alignment under DMARC, because SPF checks the Return-Path domain, not the From header. Postmark's Return-Path CNAME ensures SPF passes in alignment with your sending domain.
Complete all three for best results
Postmark's deliverability reputation is one of the best in the industry, but you only get the full benefit when all three authentication methods are configured. Skipping DKIM or the Return-Path record means you are leaving deliverability on the table.
Adding Postmark to an Existing SPF Record
If you already have an SPF record for other services, add Postmark's include without creating a second record. Here are common combinations:
Postmark + Google Workspace:
v=spf1 include:_spf.google.com include:spf.mtasv.net ~all
Postmark + Microsoft 365:
v=spf1 include:spf.protection.outlook.com include:spf.mtasv.net ~all
Postmark + Google Workspace + Mailchimp:
v=spf1 include:_spf.google.com include:spf.mtasv.net include:servers.mcsv.net ~all
Each include adds DNS lookups toward the 10 DNS lookup limit. Postmark's include is lightweight (typically 1-2 lookups), but keep an eye on your total if you are using several services. Use the checker tool above to see your exact lookup count. If you need help building a combined record, SPF Creator can generate the correct syntax. For guidance on managing multiple providers, see SPF for multiple ESPs.
Postmark's Dedicated IPs
Postmark offers dedicated IP addresses on their higher-tier plans. If you have a dedicated IP, you have two SPF options:
Option 1: Keep using the include (recommended)
v=spf1 include:spf.mtasv.net ~all
This covers all Postmark IPs including your dedicated one. It is simpler and handles any future IP changes automatically.
Option 2: Authorize only your dedicated IP
v=spf1 ip4:your.dedicated.ip include:_spf.google.com ~all
This restricts authorization to your specific IP. You would need to update your SPF record if Postmark ever changes your dedicated IP. This approach saves one DNS lookup but adds maintenance overhead.
For most businesses, option 1 is the better choice. The DNS lookup savings from option 2 are rarely worth the risk of an outdated record if your IP changes.
Common Postmark SPF Mistakes
Using the wrong include domain
The correct include is spf.mtasv.net — not postmarkapp.com, postmark.com, or any other variation. If you add the wrong domain, SPF will fail for your Postmark emails.
Forgetting the Return-Path CNAME
This is the most overlooked part of Postmark setup. Without the Return-Path CNAME, SPF may pass but will not align with your From domain under DMARC. If you have a DMARC policy set to quarantine or reject, your Postmark emails could get filtered even though SPF technically passes.
Creating a second SPF record
Your domain can only have one SPF record. If you create a new TXT record instead of editing the existing one, both records become invalid and all your email authentication breaks. Always edit your existing record to add the Postmark include.
Not verifying in Postmark's dashboard
After adding DNS records, go back to Postmark and verify them. Postmark flags any configuration issues, so it is worth checking even if you are confident in your DNS setup.
Verifying Your Postmark SPF Setup
After making DNS changes, confirm everything is working:
1. Check your SPF record. Use the lookup tool above to confirm your record includes spf.mtasv.net and is valid.
2. Verify in Postmark. In your Postmark account under Sender Signatures or Sending Domains, all DNS records should show as verified with green checkmarks.
3. Send a test email. Send a transactional email through Postmark to an address you control. If you use Gmail, open the message, click the three dots, and select "Show original." Look for spf=pass in the authentication results.
4. Check DKIM too. While you are verifying SPF, make sure DKIM is also passing. Postmark signs all emails with DKIM when configured, and both should show as "pass."
For a complete picture of your email authentication, run a full domain check with the Email Deliverability Suite. It verifies SPF, DKIM, DMARC, and MX records in one scan.
References
- RFC 7208: Sender Policy Framework (SPF) — The current SPF specification
- Postmark: SPF Guide — Official Postmark SPF documentation
Never miss an SPF issue
Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.
Start Monitoring