How to set up DKIM for Fastmail

DKIM (DomainKeys Identified Mail, RFC 6376) is the cryptographic signature attached to outgoing email so receivers can verify the message wasn't tampered with and that it actually came from a server authorized by your domain. To turn it on for Fastmail, you publish one or more DNS records at `<selector>._domainkey.<your-domain>` containing the public key matching the private key Fastmail uses to sign.

Most ESPs (including Fastmail) ask you to publish CNAME records that point at hosted keys they manage. This is preferable to publishing the raw key text yourself — when the provider rotates keys, your DNS keeps pointing to the rotated key and nothing breaks.

Publish these DNS records

Add the following record(s) to your domain's DNS zone. Most registrars (Cloudflare, Route 53, Namecheap, GoDaddy) accept values exactly as shown.

• Three selectors (`fm1`, `fm2`, `fm3`) — Fastmail rotates keys across them. Publishing all three means rotation happens transparently.
• Replace `<your-domain>` with your actual domain in the CNAME target. Fastmail's hosted-key path includes the customer domain so each customer's keys are isolated.

Where in Fastmail

The DKIM configuration lives in Fastmail → Settings → Domains → <your-domain> → Authentication.

Verify the records

After the records propagate, run the DKIM Checker against your domain with each selector to confirm the public key resolves and parses correctly.

Common pitfalls

• Fastmail expects you to publish their MX records as well; without MX pointing at `in1-smtp.messagingengine.com` and `in2-smtp.messagingengine.com`, inbound mail won't reach the mailbox even if SPF/DKIM/DMARC are fine.
• Fastmail's masked-email feature uses a different sending IP pool. Outbound from masked addresses still aligns with your domain DKIM if you've configured custom domain sending.