Manual DNS configuration

This page provides details on advanced domain setup options and is meant for more technical users. DNS is a complicated system that can break your website and/or mail delivery, so we strongly suggest that you do not make any changes to your DNS unless you have an understanding of DNS, or are following explicit instructions.

What is DKIM?

DKIM is an email authentication standard that allows us to sign email you send with a particular domain. It's also used by the receivers of the email to confirm that the email was signed by that domain and hasn’t been changed. All email sent by Fastmail is DKIM signed.

In the original design of DKIM, the domain that signed the email had no particular relationship to the domain in the From address of the email. This was particularly useful for large email providers like us. We have 10,000s of domains, but would sign all email with just our "generic" domain.

However, this is now changing. Standards like DMARC explicitly link the domain of the email address in the From header to the DKIM signing domain.

It's best for email sent from your custom domain to be signed by that domain. If you host your DNS with Fastmail (our recommended option in the domain set up guide), then we handle this automatically for you. If you only point your MX records to us, you will have to manually set your DKIM records. You can do this on the control panel supplied by your domain registrar.

If you'd like to learn more about this, see our blog post about email anti-spoofing history and future.

DKIM set up with Fastmail

Fastmail uses three CNAME records to support DKIM signing, which lets us sign emails using the DKIM selectors "fm1", "fm2" and "fm3". The records are in the form (with {} replaced by your domain name):

Type Selector Value
CNAME fm1._domainkey fm1.{}
CNAME fm2._domainkey fm2.{}
CNAME fm3._domainkey fm3.{}

This configuration means Fastmail will automatically rotate public/private keys on your behalf to keep up with current best practices.

Fastmail does not DKIM sign emails until we have verified that the domain is correctly set up (with all three CNAME records). This check prevents DKIM verification failures when the receiving side tries to look up the public key and fails to find it. We regularly check each domain to see if the correct public key CNAME records are being published. If you've recently added the above values to your DNS records, but aren't seeing that DKIM is active on your domain, you can force a check by clicking the Recheck DNS button in the Settings → Domains screen.
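A pre-flight check you can run over the records entered at your registrar before pressing Recheck DNS. This is an added example, not Fastmail's own verification code. It assumes zone-file conventions (names without a trailing dot are relative to the domain), and the target suffix dkim-target.invalid is a placeholder for the value shown in Settings → Domains.

```python
SELECTORS = ("fm1", "fm2", "fm3")  # DKIM selectors named on this page

def fqdn(name, origin):
    """Expand a zone-file name to a lowercase absolute name."""
    name, origin = name.strip().lower(), origin.lower().rstrip(".") + "."
    if name.endswith("."):
        return name                      # already absolute
    return origin if name == "@" else f"{name}.{origin}"

def parse_records(zone_text, origin):
    """Return {(owner, type): [rdata, ...]} from 'owner type rdata' lines."""
    records = {}
    for line in zone_text.splitlines():
        if line.strip():
            owner, rtype, rdata = line.split(None, 2)
            key = (fqdn(owner, origin), rtype.upper())
            records.setdefault(key, []).append(rdata.strip())
    return records

def audit_dkim(zone_text, domain, target_suffix):
    """Map each selector to 'ok' or a description of what is wrong."""
    records = parse_records(zone_text, domain)
    base = domain.lower().rstrip(".")
    report = {}
    for sel in SELECTORS:
        owner = f"{sel}._domainkey.{base}."
        doubled = f"{sel}._domainkey.{base}.{base}."  # zone name appended twice
        want = f"{sel}.{target_suffix.rstrip('.')}.".lower()
        cnames = records.get((owner, "CNAME"), [])
        if cnames:
            got = fqdn(cnames[0], base)
            report[sel] = "ok" if got == want else f"wrong target {got}"
        elif (doubled, "CNAME") in records:
            report[sel] = "owner name doubled"
        elif (owner, "TXT") in records:
            report[sel] = "TXT record, expected CNAME"
        else:
            report[sel] = "missing"
    return report

def dkim_ready(report):
    """Signing needs all three selectors to verify, as described above."""
    return all(status == "ok" for status in report.values())

# Constructed sample: fm1 correct, fm2 entered with the full domain in a
# relative field, fm3 published as a TXT record instead of a CNAME.
SAMPLE = """\
fm1._domainkey              CNAME fm1.dkim-target.invalid.
fm2._domainkey.example.com  CNAME fm2.dkim-target.invalid.
fm3._domainkey              TXT   "constructed placeholder"
"""
REPORT = audit_dkim(SAMPLE, "example.com", "dkim-target.invalid")
```

A CNAME value entered without its trailing dot is reported as a wrong target, because a zone file would expand it under your own domain.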

DKIM support during migration

If you’re transitioning from another provider to Fastmail, you can use our custom DNS to publish the DKIM record of the previous provider with its selector as well as our own during the transition. You can also do the same if you're transitioning away from Fastmail.

Full list of DNS records

This is the full list of DNS records we can publish for you. You can choose to disable any of these. The information is also available on the Settings → Domains screen, in the Show DNS Settings section.

All entries have a 1 hour TTL.


  • Allows you to host websites at http://{} from your Fastmail file storage.
  • A {}
  • A {}

Standard Mail

  • Allows you to receive email at standard addresses, e.g. user@{}.
  • MX {} 10
  • MX {} 20

Subdomain Websites

  • Allows you to host websites at subdomains, including http://www.{}, from your Fastmail file storage.
  • A *.{}
  • A *.{}

Subdomain Mail

  • Allows you to receive email at subdomain addresses, e.g. foo@user.{}.
  • MX *.{} 10
  • MX *.{} 20

Webmail Login Portal

  • Allows you to log in to your account at http://mail.{}.
  • A mail.{}
  • A mail.{}

Allow mail at subdomains

  • An 'A' record hides the wildcard subdomain MX record. This overrides that to allow receiving email addressed to foo@mail.{}.
  • MX mail.{} 10
  • MX mail.{} 20
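Why the explicit MX at mail.{} is needed, as a simplified model of DNS wildcard matching (RFC 4592). This is an added example, not part of the original page; the zone contents, MX host name and address are constructed placeholders.

```python
def name_exists(owners, name):
    """A name exists if it owns records or has a descendant that does."""
    return any(o == name or o.endswith("." + name) for o in owners)

def lookup(zone, qname, qtype):
    """Answer a query from (owner, type, rdata) tuples, applying wildcards
    only to names that do not exist in the zone (RFC 4592)."""
    qname = qname.lower().rstrip(".")
    owners = {o.lower() for o, _, _ in zone}
    if name_exists(owners, qname):
        # Any record type at the name suppresses wildcard synthesis,
        # so an A record alone yields an empty MX answer.
        source = qname
    else:
        labels = qname.split(".")
        source = None
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            if name_exists(owners, parent):      # closest existing ancestor
                source = "*." + parent
                break
    return [r for o, t, r in zone if o.lower() == source and t == qtype]

# Constructed zone: wildcard MX for subdomain mail plus the webmail A record.
MX = "10 mx1.placeholder.invalid."
ZONE = [
    ("example.com", "MX", MX),
    ("*.example.com", "MX", MX),
    ("mail.example.com", "A", "192.0.2.10"),
]
# Same zone with the explicit MX override described above.
OVERRIDE = ZONE + [("mail.example.com", "MX", MX)]

def demo():
    return {
        "user.example.com": lookup(ZONE, "user.example.com", "MX"),
        "mail.example.com (A only)": lookup(ZONE, "mail.example.com", "MX"),
        "mail.example.com (override)": lookup(OVERRIDE, "mail.example.com", "MX"),
    }

if __name__ == "__main__":
    for name, answer in demo().items():
        print(f"{name:30} MX -> {answer}")
```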


  • Allows us to sign the mail you send so receivers can verify it's from you. This is important to ensure your message is not classified as spam. Note you'll need to add all three.
  • CNAME fm1._domainkey.{} fm1.{}
  • CNAME fm2._domainkey.{} fm2.{}
  • CNAME fm3._domainkey.{} fm3.{}
  • Deprecated, for old domains only:
    • CNAME mesmtp._domainkey.{} mesmtp.{}


  • Allows receivers to know you send your mail via Fastmail, and other servers.
  • TXT {} v=spf1 ?all

Client email auto-discovery

  • Allows email clients to automatically find the correct settings for your account.
  • SRV _submission._tcp.{} 0 1 587
  • SRV _imap._tcp.{} 0 0 0 .
  • SRV _imaps._tcp.{} 0 1 993
  • SRV _pop3._tcp.{} 0 0 0 .
  • SRV _pop3s._tcp.{} 10 1 995
  • SRV _jmap._tcp.{} 0 1 443

Client CardDAV auto-discovery

  • Allows CardDAV clients to automatically find the correct settings for your account.
  • SRV _carddav._tcp.{} 0 0 0 .
  • SRV _carddavs._tcp.{} 0 1 443

Client CalDAV auto-discovery

  • Allows CalDAV clients to automatically find the correct settings for your account.
  • SRV _caldav._tcp.{} 0 0 0 .
  • SRV _caldavs._tcp.{} 0 1 443