How to Set Up DMARC for Fastmail: Email Authentication Guide

Fastmail has strong built-in support for email authentication. When you add a custom domain to Fastmail, it guides you through setting up SPF and DKIM automatically, which means you already have a solid foundation for DMARC. Adding the DMARC record itself is the final step in completing your domain's email authentication stack.

This guide covers what Fastmail handles for you, what you need to do on the DNS side, and how to get your DMARC record working. Since Fastmail users tend to care about email privacy and security, we will also cover how to move toward enforcement efficiently. If you run your own mail infrastructure or use privacy-focused providers like Fastmail, our DMARC for self-hosted email guide covers additional considerations.

What Fastmail Handles for You

Fastmail does a good job of guiding custom domain owners through email authentication during setup. Here is what Fastmail configures:

SPF: When you add a custom domain to Fastmail, the setup wizard provides SPF records to add to your DNS. The standard Fastmail SPF record includes include:spf.messagingengine.com, which authorizes Fastmail's servers to send email on behalf of your domain.

DKIM: Fastmail automatically generates DKIM keys for custom domains and provides the DNS records you need to publish. Fastmail uses multiple DKIM selectors (typically three CNAME records) to ensure redundancy and key rotation. Once these records are published, Fastmail signs all outgoing email with DKIM.

What Fastmail does not do: Fastmail does not create a DMARC record for you. That is what you are here to add. DMARC ties SPF and DKIM together with a policy that tells receiving servers what to do when authentication fails. For background on how these protocols interact, read SPF vs DKIM vs DMARC.

If you set up your Fastmail custom domain recently, SPF and DKIM may already be configured. Check your Fastmail admin under Settings > Domains to see the authentication status for your domain. Green checkmarks mean you are ready to add DMARC.

Verifying SPF and DKIM Before Adding DMARC

Before publishing your DMARC record, confirm that SPF and DKIM are working. In your Fastmail account, go to Settings > Domains and click on your custom domain. Fastmail shows the status of each authentication record.

SPF check: Your DNS should have a TXT record for your domain that includes include:spf.messagingengine.com. If you also send email from other services, those need to be included in the same SPF record. Build a comprehensive SPF record at spfcreator.com.

DKIM check: You should have three CNAME records pointing to Fastmail's DKIM infrastructure. Fastmail typically uses selectors like fm1, fm2, and fm3. These CNAME records point to fm1.yourdomain.com.dkim.fmhosted.com and similar addresses. All three should show as verified in Fastmail.

If any of these show errors or pending status, fix them before adding DMARC. A DMARC record is only useful when the underlying authentication mechanisms are in place.

The Recommended DMARC Record

Since Fastmail handles SPF and DKIM well, many Fastmail users can move to enforcement relatively quickly. However, if this is your first time setting up DMARC, start with monitoring:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100;

Replace the email address with one you monitor. This collects reports without affecting email delivery.

If you are confident that Fastmail is your only email sending source and SPF and DKIM are both verified, you can start with a stricter policy:

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=100;

This is more aggressive but appropriate if you have confirmed everything is in order. If you also send from other services (newsletters, transactional email, CRM), start with p=none until you verify all sources pass.

Adding the DMARC Record to Your DNS

Your DMARC record gets added wherever your domain's DNS is hosted. This could be your domain registrar, a DNS hosting service, or Fastmail itself if you use Fastmail's DNS hosting feature.

Log in to your DNS provider

Go to wherever your domain's DNS is managed. If you use Fastmail's built-in DNS hosting (available for domains registered elsewhere but pointed to Fastmail's nameservers), log in to Fastmail and go to Settings > Domains. Otherwise, log in to your registrar (Namecheap, Cloudflare, GoDaddy, etc.).

Add a new TXT record

Create a new TXT record. Set the Name or Host field to _dmarc. Your DNS provider usually appends your domain automatically, so the full record resolves at _dmarc.yourdomain.com. Only enter _dmarc.

Paste your DMARC record as the value

In the Value or Content field, paste your complete DMARC record string. Set the TTL to 3600 (one hour) or leave the default.

Save and verify

Save the record. Wait a few minutes for propagation, then verify at dmarcrecordchecker.com.

If You Use Fastmail's DNS Hosting

Fastmail offers DNS hosting for custom domains. If your domain's nameservers point to Fastmail, you can manage DNS records in the Fastmail admin. Go to Settings > Domains, click your domain, and look for the DNS records section. Add a TXT record with the name _dmarc and your DMARC record as the value.

Fastmail-Specific Considerations

Aliases and Multiple Domains

Fastmail supports email aliases across multiple domains on a single account. If you send email from multiple custom domains, each domain needs its own DMARC record. SPF and DKIM also need to be configured for each domain separately. Check the authentication status for every domain in your Fastmail settings.

Fastmail and Mailing Lists

If you participate in mailing lists, be aware that mailing list software often modifies email headers in ways that break DKIM alignment. This is a known issue across all email providers, not specific to Fastmail. When you move to p=reject, some mailing list messages may be affected. Many modern mailing lists use ARC (Authenticated Received Chain) to handle this, but older ones may not.

If mailing list participation is important to you, monitor your DMARC reports carefully during the enforcement transition. See our DMARC and email forwarding guide for more details on this topic.

Fastmail's Masked Email Feature

Fastmail's masked email (random alias) feature generates addresses at fastmail.com or your custom domain. Masked emails using your custom domain go through the same authentication pipeline and will be covered by your DMARC record. Masked emails at fastmail.com are a separate domain and are not affected by your DMARC policy.

Check your Fastmail domain authentication

Verify your SPF, DKIM, and DMARC records are all correctly configured.

Run a Free Check

Moving to Enforcement

Fastmail's clean authentication setup means you can often move to enforcement faster than with other providers. After one to two weeks at p=none, review your DMARC reports. If Fastmail is your only sending source and all emails show DKIM and SPF passing, you can proceed.

Step 1: Move to p=quarantine; pct=50;. Half of failing messages get quarantined. Monitor for a week.

Step 2: Increase to p=quarantine; pct=100;. All failing messages are quarantined.

Step 3: Move to p=reject. This is the strongest protection and the recommended end state. It tells receiving servers to reject any email that fails authentication for your domain.

If you send from additional services (a newsletter platform, a CRM, a transactional email provider), make sure those pass authentication before enforcing. One unauthenticated source will cause legitimate email to be blocked.

For the full enforcement guide, see our DMARC policy levels guide.

Complete your authentication stack

Fastmail handles SPF and DKIM well, but if you add other sending services later, update your records. Use spfcreator.com for SPF and dkimcreator.com for DKIM whenever you add a new email sending service.

Monitor Your DMARC Record

You've created your DMARC record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.

Never miss a DMARC issue

Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.

Start Monitoring