Domains: Advanced configuration

This page provides details on advanced domain set up options, and is meant for more technical users. DNS is a complicated system that can break your website and/or mail delivery, so we strongly suggest that you do not make any changes to your DNS unless you have a strong understanding of DNS, or have received explicit instructions.

Looking for basic domain information or setup instructions?

Want more information about DNS?

What is DKIM?

DKIM is an email authentication standard that allows us to sign email you send with a particular domain. It's also used by the receivers of the email to confirm that the email was signed by that domain and hasn’t been changed. All email sent by Fastmail is DKIM signed.

In the original design of DKIM, the domain that signed the email had no particular relationship to the domain in the From address of the email. This was particularly useful for large email providers like us. We have 10,000′s of domains, but would sign all email with just our "generic" messagingengine.com domain.

However, this is now changing. Standards like DMARC explicitly link the domain of the email address in the From header to the DKIM signing domain.

It's best for email sent from your custom domain to be signed by that domain. If you host your DNS with Fastmail (our recommended option in the domain set up guide), then we handle this automatically for you. If you only point your MX records to us, you will have to manually set your DKIM records. You can do this on the control panel supplied by your domain registrar.

If you'd like to learn more about this, see our blog post about email anti-spoofing history and future.

DKIM set up with Fastmail

Fastmail uses three CNAME records to support DKIM signing, which lets us sign emails using the DKIM selectors "fm1", "fm2" and "fm3". The records are in the form (with {mydomain.com} replaced by your domain name):

TypeSelectorValue
CNAME fm1._domainkey fm1.{mydomain.com}.dkim.fmhosted.com
CNAME fm2._domainkey fm2.{mydomain.com}.dkim.fmhosted.com
CNAME fm3._domainkey fm3.{mydomain.com}.dkim.fmhosted.com

This configuration means Fastmail will automatically rotate public/private keys on your behalf to keep up with current best practice.

Fastmail does not DKIM sign emails until we have verified that the domain is correctly set up (with the three CNAME records). If you've recently added the above values to your DNS records, but aren't seeing that DKIM is active on your domain, you can force a check. To do so, click the Recheck DNS button in the Settings → Domains screen. This check prevents DKIM signing failures when the receiving side tries to lookup the public signature and fails to find it. We regularly check each domain to see if the correct public key CNAME records are being published.

DKIM support during migration

If you’re transitioning from another provider to Fastmail, you can use our custom DNS to publish the DKIM record of the previous provider with its selector as well as our own during the transition. You can also do the same if you're transitioning away from Fastmail.

Full list of DNS records

This is the full list of DNS records we can publish for you. You can choose to disable any of these. The information is also available on the Settings → Domains screen, in the Show DNS Settings section.

All entries have a 1 hour TTL.

Websites

Standard Mail

Subdomain Websites

Subdomain Mail

Webmail Login Portal

Allow mail at subdomains

DKIM

SPF

Client email auto-discovery

Client CardDAV auto-discovery

Client CalDAV auto-discovery