My SPF and/or DKIM Record Won't Verify

Postmark makes it very easy to authenticate your email messages with DKIM and SPF. If you have not already, login to Postmark and create a sender signature or domain, then follow the steps to verify your domain.

If you are having trouble verifying your SPF or DKIM records, there are two useful tools you can use to help fix them. Keep in mind that DNS changes might take several hours to propagate.

Checking DKIM Records

Using DKIM Core Key Check tool, insert the text before the"._domainkey" as the selector(it looks something like this: 20130425164621.pm) and then your domain. If DKIM is valid, it should show a result of This is a valid DKIM key record. If the record is not valid, go back to the instructions in Postmark and check the details to make sure your DNS records match.

Common DKIM Record Problems

If you have added your DKIM record, waited 48 hours, and you still aren’t seeing that DKIM is verified, check to make sure you can see the record in your DNS using a dig command. 
As an example, if my DKIM record should be in DNS at 20130425164621.pm._domainkey.postmarkapp.com, I can check to see if it is there using this command:
$ dig 20130425164621.pm._domainkey.postmarkapp.com txt
The dig command should return the DKIM record value seen in the authentication page. If it does not, it means the record is not in the correct location. Double check to ensure that you have added the record with the correct host/name in your DNS. 
Sometimes DNS providers will automatically add your root domain to the location, so it could have been added at xxxxxxxxxxxxxx.pm._domainkey.domain.com.domain.com instead of the intended location. In that case, add the record with the host/name as xxxxxxxxxxxxxx.pm._domainkey. instead of xxxxxxxxxxxxxx.pm._domainkey.domain.com.

Checking SPF Records

Enter your domain here and click Get SPF Record
For postmarkapp.com, it would show a result like this:
Checking to see if there is a valid SPF record. Found v=spf1 record for postmarkapp.com: v=spf1 a mx include:spf.mtasv.net include:_spf.google.com include:cmail1.com ~all
The important thing to notice above is include:spf.mtasv.net is shown in the record, which is what tells ISPs that Postmark can send on behalf of your domain.

Common SPF Record Problems

Multiple SPF Records
If you are having trouble verifying SPF, check to make sure you don’t have multiple SPF records in your DNS. You can do this with a dig command to your root domain, like this:
$ dig domain.com txt
If you see multiple SPF records returned, combine them into a single record using an include statement for each sending source. Once you only have a single SPF record in your DNS, click the VERIFY button for SPF in your Authentication page for the domain in Postmark.
Record added as type SPF instead of TXT
SPF requires that the SPF record be added as a TXT record and not an SPF record. If you had added the record as type SPF, you won’t be able to verify SPF. Change the record to a TXT record and then attempt to verify it again.
Too many lookups
The SPF spec limits the number of DNS lookups to 10 for any SPF record. A DNS lookup is used up by an include statement, a, mx, and ptr. If you are exceeding this limit, you will need to resolve it by either removing include statements for unused sending sources or listing out the sending IPs instead of using include statements.
Last updated June 13th, 2017

Still need some help?

Our customer success team is here to help!