Tell HN: Make sure to configure DKIM/SPF with Fastmail

48 pointswhichdan4y ago24 comments

I've been using Fastmail since 2007, so I haven't touched the DNS of several of my domains in years. All of my email has been getting flagged as spam by GMail recently, and it's likely because I never added DKIM/SPF records to my older domains. I know there are a bunch of old Fastmail users here so figured I'd do a quick PSA

48 pointswhichdan4y ago24 comments

24 comments

22 comments · 12 top-level

climb_stealth4y ago· 3 in thread

When you manage your domains through Fastmail it does it automatically. I certainly haven't had to configure it myself.

There is a neat website to check your email settings that was on the HN front page earlier this year:

https://www.learndmarc.com/

janto4y ago

Amusing :) Although I have to admit that I am even less sure after using that site. There doesn't seem to be an indication that DKIM "FAIL" in red is a good or bad thing after it attempted to spoof a domain I own. I assume it's good?

freddieleeman4y ago

A spoofed message should FAIL DMARC. It could PASS DKIM and if the signature came from a domain that is owned by the attacker. But DMARC will fail when the DKIM domain and the HEADER.FROM domain do not align.

Please read my blog here: https://www.uriports.com/blog/introduction-to-spf-dkim-and-d...

It will explain how SPF, DKIM, and DMARC work together to prevent spam.

climb_stealth4y ago

Not sure, I can't say I'm super familiar with this. Which I guess is part of the reason I'm having it configured through Fastmail.

This is the original submission where the link came from if it helps:

https://news.ycombinator.com/item?id=29869266

2000UltraDeluxe4y ago· 3 in thread

Also add DMARC to the list aswell, and make sure to warm up the domain again once you're done.

ivansavz4y ago

What does "warm up" mean in this case? Send a few emails?

Also, what policy do you recommend fro DMARC: none, quarantine, or reject?

boris-ning-usds4y ago

This is what mailgun recommends for warming up email / email reputation. https://www.mailgun.com/blog/domain-warmup-reputation-stretc...

If you're just starting out, start with none. Quarantine or reject needs to be carefully monitored over time.

johngalt4y ago

DMARC: Set is as p=none and read your reports from the RUA tags.

Once you are confident that all the legitimate mail is aligned, then go straight to p=reject. Many will recommend quarantine, but it's better to have an email bounce back immediately vs silently get lost in a spam folder. Outside of troubleshooting there isn't much use for P=Quarantine in DMARC or '~all' in SPF.

1 more reply

notacoward4y ago· 2 in thread

I noticed this recent change too. Deliberate degradation of service via competitors (Fastmail is objectively not a spam relay and I'm sure the folks at GMail know that) is just more fodder for the coming anti-trust case.

TheSmiddy4y ago

DKIM has been around for close to 2 decades now and fastmail has been rolling out out by default since 2009 [1]. This change only affects fastmail users who manage their own DNS rather than letting fastmail manage it and either set it up a very long time ago or chose not to implement all the recommended settings.

Gmails changes are not deliberately affecting fastmail at all.

[1] https://fastmail.blog/historical/all-outbound-email-now-bein...

iamdamian4y ago

I signed up for Fastmail only 9 years ago, and my email started being sent to spam just this week.

1 more reply

walrus014y ago· 1 in thread

In general, never have an MX configured in your authoritative DNS zonefile without proper SPF and DKIM. Deliverability to outbound SMTP destinations will be very poor.

Not fastmail specific.

technion4y ago

A side issue here is that if you don't have an MX record configured (say, you figured a domain isn't used for mail), it doesn't mean "we don't accept mail". You'll be surprised at how much spam ends up being directed at your apex A record, because according to the RFC that's where it goes in the absence of an MX record. Use

MX 0 .

For such domains.

basisword4y ago· 1 in thread

I know nothing about DKIM/SPF. Is there a reason this only applies to older Fastmail users?

whichdanOP4y ago

Originally, Fastmail only had you add MX records. The DKIM/SPF change was more recent (as in, sometime in the past 16 years :) due to changing standards around email deliverability.

johngalt4y ago

Not unique to Fastmail. Any domain that sends email should have DKIM/SPF/DMARC. SPF is quickly becoming irrelevant, but it is an easy configuration item.

Recommend mxtoolbox for validating configurations https://mxtoolbox.com/

Specifically send a test email to ping@tools.mxtoolbox.com and it will advise you of your current settings.

Dmarcian has good resources on DMARC specifically, and can act as an RUA report reader as a paid service. https://dmarcian.com/alignment/

RKearney4y ago

This is true of any mail service and is not at all unique to Fastmail.

iamdamian4y ago

Agreed, and thank you for the PSA.

This hit me a week ago. After a friend let me know, configuring DKIM/SPF did the trick in minutes.

MerelyMortal4y ago

I added DKIM/SPF over a year ago, and they still sometimes get flagged. It doesn't help that one sad/spiteful person marked it as spam in his Yahoo account (at least I was notified that someone did, and because I'm not actually a spammer, I quickly figured out who it was).

benibela4y ago

I have a custom domain on shared hosting, and apparently the hoster does not support DKIM.

Is that really bad?

I sent a mail from it to a gmail account, and it was not flagged as spam

Also, when I send a mail from my university address, it says, the DKIM user identifier does not match the from header

mmetcalfe4y ago

This happened to me, starting a few days ago. It appears to be fixed after adding the DKIM/SPF records.

Amfy4y ago

thanks

j / k navigate · click thread line to collapse

24 comments

22 comments · 12 top-level

climb_stealth4y ago· 3 in thread

When you manage your domains through Fastmail it does it automatically. I certainly haven't had to configure it myself.

There is a neat website to check your email settings that was on the HN front page earlier this year:

https://www.learndmarc.com/

janto4y ago

freddieleeman4y ago

Please read my blog here: https://www.uriports.com/blog/introduction-to-spf-dkim-and-d...

It will explain how SPF, DKIM, and DMARC work together to prevent spam.

climb_stealth4y ago

Not sure, I can't say I'm super familiar with this. Which I guess is part of the reason I'm having it configured through Fastmail.

This is the original submission where the link came from if it helps:

https://news.ycombinator.com/item?id=29869266

2000UltraDeluxe4y ago· 3 in thread

Also add DMARC to the list aswell, and make sure to warm up the domain again once you're done.

ivansavz4y ago

What does "warm up" mean in this case? Send a few emails?

Also, what policy do you recommend fro DMARC: none, quarantine, or reject?

boris-ning-usds4y ago

This is what mailgun recommends for warming up email / email reputation. https://www.mailgun.com/blog/domain-warmup-reputation-stretc...

If you're just starting out, start with none. Quarantine or reject needs to be carefully monitored over time.

johngalt4y ago

DMARC: Set is as p=none and read your reports from the RUA tags.

1 more reply

notacoward4y ago· 2 in thread

TheSmiddy4y ago

Gmails changes are not deliberately affecting fastmail at all.

[1] https://fastmail.blog/historical/all-outbound-email-now-bein...

iamdamian4y ago

I signed up for Fastmail only 9 years ago, and my email started being sent to spam just this week.

1 more reply

walrus014y ago· 1 in thread

In general, never have an MX configured in your authoritative DNS zonefile without proper SPF and DKIM. Deliverability to outbound SMTP destinations will be very poor.

Not fastmail specific.

technion4y ago

MX 0 .

For such domains.

basisword4y ago· 1 in thread

I know nothing about DKIM/SPF. Is there a reason this only applies to older Fastmail users?

whichdanOP4y ago

Originally, Fastmail only had you add MX records. The DKIM/SPF change was more recent (as in, sometime in the past 16 years :) due to changing standards around email deliverability.

johngalt4y ago

Not unique to Fastmail. Any domain that sends email should have DKIM/SPF/DMARC. SPF is quickly becoming irrelevant, but it is an easy configuration item.

Recommend mxtoolbox for validating configurations https://mxtoolbox.com/

Specifically send a test email to ping@tools.mxtoolbox.com and it will advise you of your current settings.

Dmarcian has good resources on DMARC specifically, and can act as an RUA report reader as a paid service. https://dmarcian.com/alignment/

RKearney4y ago

This is true of any mail service and is not at all unique to Fastmail.

iamdamian4y ago

Agreed, and thank you for the PSA.

This hit me a week ago. After a friend let me know, configuring DKIM/SPF did the trick in minutes.

MerelyMortal4y ago

benibela4y ago

I have a custom domain on shared hosting, and apparently the hoster does not support DKIM.

Is that really bad?

I sent a mail from it to a gmail account, and it was not flagged as spam

Also, when I send a mail from my university address, it says, the DKIM user identifier does not match the from header

mmetcalfe4y ago

This happened to me, starting a few days ago. It appears to be fixed after adding the DKIM/SPF records.

Amfy4y ago

thanks

j / k navigate · click thread line to collapse