EmailDiscussions.com

camner 5 Jan 2022 05:14 AM

A record for mail.mydomain.com?
 
As FM recommends, my custom domain has its DNS hosted by FM, with an A record that points to the IP address of my web host (external to FM). This has worked well for many years.

Today I received an email from my webhost telling me that the automatic renewal of my SSL certificate was not valid for the subdomain mail.mydomain.com because it points to an IP address that is not on the same server as mydomain.com.

I looked at the DNS records at FM, and I noticed that there is an A record for mail.mydomain.com that points to FM (so the SSL error message makes sense).

This leads me to wonder what the purpose is of an A record for mail.mydomain.com. I can't imagine ever wanting anyone to try to visit that URL.

Is there any reason I can't just turn off that A record?

hydrostarr 5 Jan 2022 07:53 AM

I managed several Tuffmail-based domains for ~15 years with only MX and anti-spam-verification (like TXT, SRV, maybe CNAME, maybe SRV?) DNS records. Of these domains, I never had one that contained website-specific, A or AAAA records.

This leads me to think that web-related (https://) A and AAAA records are unnecessary for Fastmail, unless you're leveraging Fastmail's web user interface (to perform non-IMAP, non-SMTP, web-only logins to the https://mail.mydomain.com webpage) with your custom domains -- which sounds like something you are specifically not doing. As such, I would feel comfortable deleting the 'mail.*' A and AAAA records and running a few tests to confirm email's still working -- but only after getting some additional feedback on this thread, just as you're doing. :-)

I just took a look at one of my Fastmail-DNS-hosted domains (I recently did the Tuffmail-->Fastmail move per Tuffmail shutting down) whose records retain all the Fastmail-configured default settings, and I see nothing there that would change my thinking.

I'm sure there are others on here that may be able to offer better or more-experienced feedback.

BritTim 5 Jan 2022 11:38 AM

As I understand it, the A record for mail.domain.com tends usually only to be used for services like OWA that allow browser access to the mail service. However, I have a vague memory that Fastmail used to allow you to connect to the Fastmail logon page by going to mail.yourdomain.com if everything is correctly set up. Have you tried this for your domain? If my recollection is correct, you will only lose that specific functionality if mail.yourdomain.com A records and SSL are not set up correctly.

camner 5 Jan 2022 12:39 PM

Thanks for the reply.

When I go to mail.mydomain.com in Chrome, I first get the warning about it being insecure (because of the lack of SSL). If I click through and tell Chrome "go there anyway," I get this message:

"mail.mydomain.com normally uses encryption to protect your information. When Chrome tried to connect to mail.mydomain.com this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be mail.mydomain.com or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Chrome stopped the connection before any data was exchanged.

You cannot visit mail.mydomain.com right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later."

I doubt it will work later, because my web host's automatic SSL certificate renewal process failed with mail.mydomain.com as I explained in my original post.

Anyway, I have no need for mail.mydomain.com, so I'll just turn it off in FM's DNS settings.
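
Added example (not part of any post in this thread): a pre-renewal check that lists which certificate names resolve somewhere other than the web host, which is the situation the web host's e-mail in the first post describes. The addresses, the sample zone and the function names are constructed for illustration, and it assumes the host can only validate names that resolve to its own server.

```python
import ipaddress
import socket


def resolve_live(hostname):
    """Return the addresses a name resolves to via the system resolver."""
    try:
        infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def audit_cert_names(names, webhost_ips, resolver=resolve_live):
    """Classify every name the certificate is expected to cover.

    ok         - every address belongs to the web host
    split      - some addresses belong to the web host, some do not
    elsewhere  - no address belongs to the web host (renewal will fail)
    unresolved - the name has no address records at all
    Returns {name: (status, [addresses outside the web host])}.
    """
    webhost = {ipaddress.ip_address(ip) for ip in webhost_ips}
    report = {}
    for name in names:
        addrs = {ipaddress.ip_address(a) for a in resolver(name)}
        if not addrs:
            status = "unresolved"
        elif addrs <= webhost:
            status = "ok"
        elif addrs & webhost:
            status = "split"
        else:
            status = "elsewhere"
        report[name] = (status, sorted(str(a) for a in addrs - webhost))
    return report


# Constructed zone using documentation-only address ranges (RFC 5737).
SAMPLE_ZONE = {
    "mydomain.com": ["203.0.113.10"],        # web host
    "www.mydomain.com": ["203.0.113.10"],    # web host
    "mail.mydomain.com": ["198.51.100.25"],  # mail provider, not the web host
}


def sample_resolver(name):
    return SAMPLE_ZONE.get(name, [])


if __name__ == "__main__":
    result = audit_cert_names(SAMPLE_ZONE, ["203.0.113.10"], sample_resolver)
    for name, (status, outside) in result.items():
        print(f"{name:22} {status:10} {', '.join(outside)}")
```

Names reported as "elsewhere" either need their A record removed or repointed, or need to be dropped from the certificate request; pass `resolve_live` (the default) to run the same check against real DNS.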


All times are GMT +9.