I've been using Fastmail since 2007, so I haven't touched the DNS of several of my domains in years. All of my email has been getting flagged as spam by GMail recently, and it's likely because I never added DKIM/SPF records to my older domains. I know there are a bunch of old Fastmail users here so figured I'd do a quick PSA
Not unique to Fastmail. Any domain that sends email should have DKIM/SPF/DMARC. SPF is quickly becoming irrelevant, but it is an easy configuration item.
Amusing :) Although I have to admit that I am even less sure after using that site. There doesn't seem to be an indication that DKIM "FAIL" in red is a good or bad thing after it attempted to spoof a domain I own. I assume it's good?
A spoofed message should FAIL DMARC. It could PASS DKIM and if the signature came from a domain that is owned by the attacker. But DMARC will fail when the DKIM domain and the HEADER.FROM domain do not align.
In general, never have an MX configured in your authoritative DNS zonefile without proper SPF and DKIM. Deliverability to outbound SMTP destinations will be very poor.
A side issue here is that if you don't have an MX record configured (say, you figured a domain isn't used for mail), it doesn't mean "we don't accept mail". You'll be surprised at how much spam ends up being directed at your apex A record, because according to the RFC that's where it goes in the absence of an MX record. Use
DMARC: Set is as p=none and read your reports from the RUA tags.
Once you are confident that all the legitimate mail is aligned, then go straight to p=reject. Many will recommend quarantine, but it's better to have an email bounce back immediately vs silently get lost in a spam folder. Outside of troubleshooting there isn't much use for P=Quarantine in DMARC or '~all' in SPF.
~all in SPF is a different beast, since -all breaks forwards. There's still an unreasonably large amount of people heavily reliant on forwards, so I'd not go as far as to recommend ~all to people who are not 100% certain of the consequences.
I added DKIM/SPF over a year ago, and they still sometimes get flagged. It doesn't help that one sad/spiteful person marked it as spam in his Yahoo account (at least I was notified that someone did, and because I'm not actually a spammer, I quickly figured out who it was).
Originally, Fastmail only had you add MX records. The DKIM/SPF change was more recent (as in, sometime in the past 16 years :) due to changing standards around email deliverability.
I noticed this recent change too. Deliberate degradation of service via competitors (Fastmail is objectively not a spam relay and I'm sure the folks at GMail know that) is just more fodder for the coming anti-trust case.
DKIM has been around for close to 2 decades now and fastmail has been rolling out out by default since 2009 [1]. This change only affects fastmail users who manage their own DNS rather than letting fastmail manage it and either set it up a very long time ago or chose not to implement all the recommended settings.
Gmails changes are not deliberately affecting fastmail at all.
Exactly. I've been using Fastmail for eleven years, and the records I had set up had been deemed sufficient for that long. They still are, for everyone else. Google just decided all on their own, without even any announcement (which I'm pretty sure I would have seen here and elsewhere), to start being extra-picky about something they had previously been fine with. It comes across as an excuse, not a sincere attempt to improve anyone's security or UX.
Recommend mxtoolbox for validating configurations https://mxtoolbox.com/
Specifically send a test email to ping@tools.mxtoolbox.com and it will advise you of your current settings.
Dmarcian has good resources on DMARC specifically, and can act as an RUA report reader as a paid service. https://dmarcian.com/alignment/