Fastmail email authentication with custom domains requires SPF (include:spf.messagingengine.com), DKIM (three CNAME records for selectors fm1, fm2, and fm3), and DMARC. Fastmail handles DKIM key rotation automatically through the CNAME approach. If Fastmail manages your DNS, authentication is configured automatically.
Email Authentication for Fastmail: Complete Setup
SPF Setup
Add this TXT record:
Type: TXT
Host: @
Value: v=spf1 include:spf.messagingengine.com ~all
If you use additional sending services, include them:
v=spf1 include:spf.messagingengine.com include:sendgrid.net ~all
DKIM Setup
Fastmail uses three DKIM selectors with CNAME records for automatic key management:
Type: CNAME
Host: fm1._domainkey
Value: fm1.yourdomain.com.dkim.fmhosted.com
Type: CNAME
Host: fm2._domainkey
Value: fm2.yourdomain.com.dkim.fmhosted.com
Type: CNAME
Host: fm3._domainkey
Value: fm3.yourdomain.com.dkim.fmhosted.com
Replace yourdomain.com with your actual domain (using dots, not dashes).
The CNAME approach means Fastmail rotates DKIM keys without you touching DNS again. Three selectors ensure smooth rotation — when one key changes, the others continue working.
Practitioner note: Fastmail's three-CNAME DKIM setup is the cleanest implementation among email providers. Set it once, never think about it again. Microsoft does something similar with two CNAMEs, but Fastmail's three-selector approach gives even more rotation flexibility.
DMARC Setup
After SPF and DKIM are configured:
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:[email protected]
Advance through the DMARC timeline once reports confirm clean authentication.
Automatic DNS Option
If you point your domain's nameservers to Fastmail (ns1.messagingengine.com and ns2.messagingengine.com), Fastmail automatically configures:
- MX records
- SPF record
- DKIM CNAME records
You still need to add DMARC manually, even with Fastmail DNS.
MTA-STS
Fastmail supports TLS on their mail servers. You can set up MTA-STS to enforce encrypted delivery:
version: STSv1
mode: enforce
mx: *.messagingengine.com
max_age: 604800
Verification
In Fastmail:
- Go to Settings → Domain
- Check the status indicators for SPF, DKIM, and MX
- Send a test email and inspect headers for
spf=passanddkim=pass
Practitioner note: Fastmail users tend to be more technically savvy, so I rarely see misconfigured Fastmail auth. The main issue is people who use external DNS and miss one of the three DKIM CNAME records. All three are required.
Fastmail also supports BIMI without a VMC, so once your DMARC is at enforcement, you can add your brand logo at no additional cost.
If you're setting up Fastmail for a business and want everything verified, schedule a quick consultation.
Sources
- Fastmail: Manual DNS Configuration
- Fastmail: SPF Records
- Fastmail: DKIM Signing
v1.0 · April 2026
Frequently Asked Questions
What SPF record does Fastmail need?
Add v=spf1 include:spf.messagingengine.com ~all as a TXT record. This covers all Fastmail sending IPs.
How do I set up DKIM for Fastmail?
Add three CNAME records: fm1._domainkey pointing to fm1.yourdomain.com.dkim.fmhosted.com, fm2._domainkey pointing to fm2.yourdomain.com.dkim.fmhosted.com, and fm3._domainkey pointing to fm3.yourdomain.com.dkim.fmhosted.com.
Does Fastmail configure authentication automatically?
If you use Fastmail's DNS hosting (by pointing nameservers to Fastmail), they configure SPF, DKIM, and MX records automatically. With external DNS, you add the records manually.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.