API Documentation


This service is provided for free from Postmark.


What is DMARC?

DMARC is a standard that prevents spammers from using your domain to send email without your permission — also known as spoofing. If you are new to email authentication, we recommend first reading about DKIM and SPF. In combination with SPF and DKIM, a DMARC policy in DNS allows you to set rules to reject or quarantine emails from sources you do not know or trust. As part of the DMARC spec, ISPs (Gmail, Yahoo, Microsoft and more) who implement DMARC will also generate reports on sending activity for your domain. For further reading, check out our guide on DMARC.

Why did we create this tool?

DMARC is extremely powerful as a tool to stop email spoofing. At the same time, it’s highly complicated and risky to implement. If you set a DMARC policy without knowing all of your email sources (mailboxes, email marketing, CRM, transactional email, server alerts, etc) you could potentially reject legitimate emails. This tool collects reports from ISPs and presents them to you in human-readable emails sent once per week. This will make it much easier to understand and implement DMARC on your domain.

Why do Postmark’s emails fail SPF DMARC alignment?

As with most email service providers, Postmark uses a custom domain to collect bounces through the "Return-Path" header in emails. This address resides at the domain With DMARC, the Return-Path and From address must match the same domain for SPF alignment. This means that ESPs will fail the SPF DMARC alignment. Don’t worry though, DMARC only requires either SPF or DKIM to be aligned. Some ESPs get around this by using a Sender header, but we never liked that option due to the “on behalf of” message that can show up in email clients. In addition, we like our customers to build a reputation on their own domains by using custom DKIM in their DNS. To fully support DMARC when sending emails from Postmark, you can add a custom Return-Path domain for your own domain. This will allow the Return-Path to match the From address, resulting in a passing DMARC alignment for your emails. To learn more, please read our support article on adding a custom Return-Path domain.

Why does my DMARC DNS record fail verification?

It’s quite common for DNS providers to take up to 24 hours to propagate. If this is the case, we will attempt to verify your DMARC DNS record every 30 minutes. Once verification is successful you will receive an email confirming your weekly subscription.

What do these tags mean on my DMARC DNS Record?

Tag Description Example
v Protocol version v=DMARC1
p Policy for organizational domain p=none
pct Percentage of messages subjected to filtering pct=100
rua Reporting URI of aggregate reports
sp Policy for subdomains of the organizational domain sp=none
aspf Alignment mode for SPF aspf=r

Are there any limitations imposed by this service?

We provide DMARC reports as a free service. As such, there are certain limitations to the service at the moment to help us keep everything running smoothly:

  • We will only fully process DMARC reports with less than 100,000 records (DMARC report records are XML nodes that contain aggregated information for a specific IP address). Any report exceeding this limit will be truncated to the first 100,000 items.
  • We will store raw reports for up to 9 months. The maximum size of an unarchived DMARC report that we will store is 3MB. For larger reports we will first extract the metadata and make it available to you, and then the reports will be discarded.
  • We will store the reports metadata in a form retrievable via the API for up to 9 weeks.