- What is DKIM?
- DKIM configuration with Fastmail
- DKIM support during migration
- Full list of DNS records
This page provides details on advanced domain setup options and is meant for more technical users. DNS is a complicated system that can break your website and/or mail delivery, so we strongly suggest that you do not make any changes to your DNS unless you have an understanding of DNS, or are following explicit instructions.
Looking for basic domain information or setup instructions?
Want more information about DNS?
What is DKIM?
DKIM is an email authentication standard that allows us to sign email you send with a particular domain. It's also used by the receivers of the email to confirm that the email was signed by that domain and hasn’t been changed. All email sent by Fastmail is DKIM signed.
In the original design of DKIM, the domain that signed the email had no particular relationship to the domain in the From
address of the email. This was particularly useful for large email providers like us. We have 10,000′s of domains, but would sign all email with just our "generic" messagingengine.com domain.
However, this is now changing. Standards like DMARC explicitly link the domain of the email address in the From
header to the DKIM signing domain.
It's best for email sent from your custom domain to be signed by that domain. If you host your DNS with Fastmail (our recommended option in the domain set up guide), then we handle this automatically for you. If you only point your MX records to us, you will have to manually set your DKIM records. You can do this on the control panel supplied by your domain registrar.
If you'd like to learn more about this, see our blog post about email anti-spoofing history and future.
DKIM set up with Fastmail
Fastmail uses three CNAME records to support DKIM signing, which lets us sign emails using the DKIM selectors "fm1", "fm2" and "fm3". The records are in the form (with {mydomain.com}
replaced by your domain name):
Type | Selector | Value |
---|---|---|
CNAME | fm1._domainkey |
fm1.{mydomain.com}.dkim.fmhosted.com |
CNAME | fm2._domainkey |
fm2.{mydomain.com}.dkim.fmhosted.com |
CNAME | fm3._domainkey |
fm3.{mydomain.com}.dkim.fmhosted.com |
This configuration means Fastmail will automatically rotate public/private keys on your behalf to keep up with current best practices.
Fastmail does not DKIM sign emails until we have verified that the domain is correctly set up (with all three CNAME records). If you've recently added the above values to your DNS records, but aren't seeing that DKIM is active on your domain, you can force a check. To do so, click the Recheck DNS button in the Settings → Domains screen. This check prevents DKIM signing failures when the receiving side tries to lookup the public signature and fails to find it. We regularly check each domain to see if the correct public key CNAME records are being published.
DKIM support during migration
If you’re transitioning from another provider to Fastmail, you can use our custom DNS to publish the DKIM record of the previous provider with its selector as well as our own during the transition. You can also do the same if you're transitioning away from Fastmail.
Full list of DNS records
This is the full list of DNS records we can publish for you. You can choose to disable any of these. The information is also available on the Settings → Domains screen, in the Show DNS Settings section.
All entries have a 1 hour TTL.
Websites
- Allows you to host websites at
http://{mydomain.com}
from your Fastmail file storage. - A
{mydomain.com}
66.111.4.53
- A
{mydomain.com}
66.111.4.54
Standard Mail
- Allows you to receive email at standard addresses, e.g.
user@{mydomain.com}
. - MX
{mydomain.com}
10 in1-smtp.messagingengine.com
- MX
{mydomain.com}
20 in2-smtp.messagingengine.com
Subdomain Websites
- Allows you to host websites at subdomains, including
http://www.{mydomain.com}
, from your Fastmail file storage. - A
*.{mydomain.com}
66.111.4.53
- A
*.{mydomain.com}
66.111.4.54
Subdomain Mail
- Allows you to receive email at subdomain addresses, e.g.
foo@user.{mydomain.com}
. - MX
*.{mydomain.com}
10 in1-smtp.messagingengine.com
- MX
*.{mydomain.com}
20 in2-smtp.messagingengine.com
Webmail Login Portal
- Allows you to log in to your account at
http://mail.{mydomain.com}
. - A
mail.{mydomain.com}
66.111.4.147
- A
mail.{mydomain.com}
66.111.4.148
Allow mail at subdomains
- An 'A' record hides the wildcard subdomain MX record. This overrides that to allow receiving email addressed to
foo@mail.{mydomain.com}
. - MX
mail.{mydomain.com}
10 in1-smtp.messagingengine.com
- MX
mail.{mydomain.com}
20 in2-smtp.messagingengine.com
DKIM
- Allows us to sign the mail you send so receivers can verify it's from you. This is important to ensure your message is not classified as spam. Note you'll need to add all three.
- CNAME
fm1._domainkey.{mydomain.com}
fm1.{mydomain.com}.dkim.fmhosted.com
- CNAME
fm2._domainkey.{mydomain.com}
fm2.{mydomain.com}.dkim.fmhosted.com
- CNAME
fm3._domainkey.{mydomain.com}
fm3.{mydomain.com}.dkim.fmhosted.com
- Deprecated, for old domains only:
- CNAME
mesmtp._domainkey.{mydomain.com}
mesmtp.{mydomain.com}.dkim.fmhosted.com
- CNAME
SPF
- Allows receivers to know you send your mail via Fastmail, and other servers.
- TXT
{mydomain.com}
v=spf1 include:spf.messagingengine.com ?all
Client email auto-discovery
- Allows email clients to automatically find the correct settings for your account.
- SRV
_submission._tcp.{mydomain.com}
0 1 587 smtp.fastmail.com
- SRV
_imap._tcp.{mydomain.com}
0 0 0 .
- SRV
_imaps._tcp.{mydomain.com}
0 1 993 imap.fastmail.com
- SRV
_pop3._tcp.{mydomain.com}
0 0 0 .
- SRV
_pop3s._tcp.{mydomain.com}
10 1 995 pop.fastmail.com
- SRV
_jmap._tcp.{mydomain.com}
0 1 443 jmap.fastmail.com
Client CardDAV auto-discovery
- Allows CardDAV clients to automatically find the correct settings for your account.
- SRV
_carddav._tcp.{mydomain.com}
0 0 0 .
- SRV
_carddavs._tcp.{mydomain.com}
0 1 443 carddav.fastmail.com
Client CalDAV auto-discovery
- Allows CalDAV clients to automatically find the correct settings for your account.
- SRV
_caldav._tcp.{mydomain.com}
0 0 0 .
- SRV
_caldavs._tcp.{mydomain.com}
0 1 443 caldav.fastmail.com