Domains: Advanced configuration

This page provides details on advanced domain set up options, and is meant for more technical users. DNS is a complicated system that can break your website and/or mail delivery, so we strongly suggest that you do not make any changes to your DNS unless you have a strong understanding of DNS, or have received explicit instructions.

Looking for basic domain information or setup instructions?

Want more information about DNS?

What is DKIM?

DKIM is an email authentication standard that allows us to sign email you send with a particular domain. It's also used by the receivers of the email to confirm that the email was signed by that domain and hasn’t been changed. All email sent by Fastmail is DKIM signed.

In the original design of DKIM, the domain that signed the email had no particular relationship to the domain in the From address of the email. This was particularly useful for large email providers like us. We have 10,000′s of domains, but would sign all email with just our "generic" messagingengine.com domain.

However, this is now changing. Standards like DMARC explicitly link the domain of the email address in the From header to the DKIM signing domain.

It's best for email sent from your custom domain to be signed by that domain. If you host your DNS with Fastmail (our recommended option in the domain set up guide), then we handle this automatically for you. If you only point your MX records to us, you will have to manually set your DKIM records. You can do this on the control panel supplied by your domain registrar.

If you'd like to learn more about this, see our blog post about email anti-spoofing history and future.

DKIM set up with Fastmail

Fastmail uses three CNAME records to support DKIM signing, which lets us sign emails using the DKIM selectors "fm1", "fm2" and "fm3". The records are in the form (with {mydomain.com} replaced by your domain name):

TypeSelectorValue
CNAMEfm1._domainkeyfm1.{mydomain.com}.dkim.fmhosted.com
CNAMEfm2._domainkeyfm2.{mydomain.com}.dkim.fmhosted.com
CNAMEfm3._domainkeyfm3.{mydomain.com}.dkim.fmhosted.com

This configuration means Fastmail will automatically rotate public/private keys on your behalf to keep up with current best practice.

Fastmail does not DKIM sign emails until we have verified that the domain is correctly set up (with the three CNAME records). If you've recently added the above values to your DNS records, but aren't seeing that DKIM is active on your domain, you can force a check. To do so, click the Recheck DNS button in the Settings → Domains screen. This check prevents DKIM signing failures when the receiving side tries to lookup the public signature and fails to find it. We regularly check each domain to see if the correct public key CNAME records are being published.

DKIM support during migration

If you’re transitioning from another provider to Fastmail, you can use our custom DNS to publish the DKIM record of the previous provider with its selector as well as our own during the transition. You can also do the same if you're transitioning away from Fastmail.

Full list of DNS records

This is the full list of DNS records we can publish for you. You can choose to disable any of these. The information is also available on the Settings → Domains screen, in the Show DNS Settings section.

All entries have a 1 hour TTL.

Websites

  • Allows you to host websites at http://{mydomain.com} from your Fastmail file storage.
  • A {mydomain.com} 66.111.4.53
  • A {mydomain.com} 66.111.4.54

Standard Mail

  • Allows you to receive email at standard addresses, e.g. user@{mydomain.com}.
  • MX {mydomain.com} 10 in1-smtp.messagingengine.com
  • MX {mydomain.com} 20 in2-smtp.messagingengine.com

Subdomain Websites

  • Allows you to host websites at subdomains, including http://www.{mydomain.com}, from your Fastmail file storage.
  • A *.{mydomain.com} 66.111.4.53
  • A *.{mydomain.com} 66.111.4.54

Subdomain Mail

  • Allows you to receive email at subdomain addresses, e.g. foo@user.{mydomain.com}.
  • MX *.{mydomain.com} 10 in1-smtp.messagingengine.com
  • MX *.{mydomain.com} 20 in2-smtp.messagingengine.com

Webmail Login Portal

  • Allows you to log in to your account at http://mail.{mydomain.com}.
  • A mail.{mydomain.com} 66.111.4.147
  • A mail.{mydomain.com} 66.111.4.148

Allow mail at subdomains

  • An 'A' record hides the wildcard subdomain MX record. This overrides that to allow receiving email addressed to foo@mail.{mydomain.com}.
  • MX mail.{mydomain.com} 10 in1-smtp.messagingengine.com
  • MX mail.{mydomain.com} 20 in2-smtp.messagingengine.com

DKIM

  • Allows us to sign the mail you send so receivers can verify it's from you. This is important to ensure your message is not classified as spam.
  • CNAME fm1._domainkey.{mydomain.com} fm1.{mydomain.com}.dkim.fmhosted.com
  • CNAME fm2._domainkey.{mydomain.com} fm2.{mydomain.com}.dkim.fmhosted.com
  • CNAME fm3._domainkey.{mydomain.com} fm3.{mydomain.com}.dkim.fmhosted.com
  • Deprecated, for old domains only:
    • CNAME mesmtp._domainkey.{mydomain.com} mesmtp.{mydomain.com}.dkim.fmhosted.com

SPF

  • Allows receivers to know you send your mail via Fastmail, and other servers.
  • TXT {mydomain.com} v=spf1 include:spf.messagingengine.com ?all

Client email auto-discovery

  • Allows email clients to automatically find the correct settings for your account.
  • SRV _submission._tcp.{mydomain.com} 0 1 587 smtp.fastmail.com
  • SRV _imap._tcp.{mydomain.com} 0 0 0 .
  • SRV _imaps._tcp.{mydomain.com} 0 1 993 imap.fastmail.com
  • SRV _pop3._tcp.{mydomain.com} 0 0 0 .
  • SRV _pop3s._tcp.{mydomain.com} 10 1 995 pop.fastmail.com
  • SRV _jmap._tcp.{mydomain.com} 0 1 443 jmap.fastmail.com

Client CardDAV auto-discovery

  • Allows CardDAV clients to automatically find the correct settings for your account.
  • SRV _carddav._tcp.{mydomain.com} 0 0 0 .
  • SRV _carddavs._tcp.{mydomain.com} 0 1 443 carddav.fastmail.com

Client CalDAV auto-discovery

  • Allows CalDAV clients to automatically find the correct settings for your account.
  • SRV _caldav._tcp.{mydomain.com} 0 0 0 .
  • SRV _caldavs._tcp.{mydomain.com} 0 1 443 caldav.fastmail.com
Was this article helpful?
22 out of 23 found this helpful