MailerMonk
    01Free tools
    02Backlink agent03How it works04Pricing
    Sign inStart free trial
    PrivacyTerms
    Chapter · DKIM for Fastmail
    Revised 17 Jun 2026
    Guide · DKIM · Fastmail

    How to set up DKIM for Fastmail.

    Fastmail is a privacy-oriented business mail provider. Their DKIM CNAMEs are the cleanest of any major ESP — three records, fixed names, point at hosted keys.

    Afsan Rahmatullah
    Afsan RahmatullahMailerMonk

    DKIM (DomainKeys Identified Mail, RFC 6376) is the cryptographic signature attached to outgoing email so receivers can verify the message wasn't tampered with and that it actually came from a server authorized by your domain. To turn it on for Fastmail, you publish one or more DNS records at `<selector>._domainkey.<your-domain>` containing the public key matching the private key Fastmail uses to sign.

    Most ESPs (including Fastmail) ask you to publish CNAME records that point at hosted keys they manage. This is preferable to publishing the raw key text yourself — when the provider rotates keys, your DNS keeps pointing to the rotated key and nothing breaks.

    Publish these DNS records

    Add the following record(s) to your domain's DNS zone. Most registrars (Cloudflare, Route 53, Namecheap, GoDaddy) accept values exactly as shown.

    Record · CNAME
    Type
    CNAME
    Host
    fm1._domainkey
    Value
    fm1.<your-domain>.dkim.fmhosted.com
    Record · CNAME
    Type
    CNAME
    Host
    fm2._domainkey
    Value
    fm2.<your-domain>.dkim.fmhosted.com
    Record · CNAME
    Type
    CNAME
    Host
    fm3._domainkey
    Value
    fm3.<your-domain>.dkim.fmhosted.com
    Why this matters
    • Three selectors (`fm1`, `fm2`, `fm3`) — Fastmail rotates keys across them. Publishing all three means rotation happens transparently.
    • Replace `<your-domain>` with your actual domain in the CNAME target. Fastmail's hosted-key path includes the customer domain so each customer's keys are isolated.

    Where in Fastmail

    The DKIM configuration lives in Fastmail → Settings → Domains → <your-domain> → Authentication.

    Verify the records

    After the records propagate, run the DKIM Checker against your domain with each selector to confirm the public key resolves and parses correctly.

    From a terminal
    dig +short TXT <selector>._domainkey.your-domain.com
    Run the free DKIM checker

    Common pitfalls

    Pitfall
    • Fastmail expects you to publish their MX records as well; without MX pointing at `in1-smtp.messagingengine.com` and `in2-smtp.messagingengine.com`, inbound mail won't reach the mailbox even if SPF/DKIM/DMARC are fine.
    • Fastmail's masked-email feature uses a different sending IP pool. Outbound from masked addresses still aligns with your domain DKIM if you've configured custom domain sending.
    After you publish

    Want to know if it actually keeps working?

    MailerMonk continuously watches your DKIM record, aggregate DMARC reports, and inbox placement — and pings you the moment something drifts. Free for the first domain.

    Start free trial

    About the author

    Afsan Rahmatullah
    Afsan Rahmatullah
    MailerMonk

    Building tools that keep cold email out of spam. Writes about deliverability, DMARC, and what actually moves inbox placement.

    Related · Fastmail

    Other records for Fastmail