They don't really need a TLS cert for your domain - they don't host your website; the MX record in your domain just points at a host in one of their domains (for which they have the TLS certificate); and the 'mail.yourdomain' address just redirects to https://www.fastmail.com.
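As an added example (not part of the original comment), this sketch shows which name a validating sender, for example one enforcing MTA-STS, checks the certificate against when the MX record points at a provider's host. The zone data, host names and SAN list are constructed placeholders, and the matching is a simplified form of the RFC 6125 wildcard rules.

```python
from __future__ import annotations

# Constructed data: a customer zone whose MX points into the provider's domain,
# and the DNS names (SANs) on the certificate the provider's mail hosts present.
MX_RECORDS = {"yourdomain.example": [(20, "in2-smtp.provider.example."),
                                     (10, "in1-smtp.provider.example.")]}
PROVIDER_CERT_SANS = ["*.provider.example", "provider.example"]


def san_matches(pattern: str, host: str) -> bool:
    """Simplified RFC 6125 match: a wildcard covers exactly one leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h


def cert_covers(host: str, sans: list[str]) -> bool:
    """True if any SAN on the certificate matches the given host name."""
    return any(san_matches(s, host) for s in sans)


def delivery_checks(recipient_domain: str) -> list[tuple[str, bool]]:
    """For each MX target in preference order, return the name the sender
    validates and whether the provider's certificate covers it."""
    targets = sorted(MX_RECORDS[recipient_domain])
    return [(host.rstrip("."), cert_covers(host, PROVIDER_CERT_SANS))
            for _, host in targets]


if __name__ == "__main__":
    for name, ok in delivery_checks("yourdomain.example"):
        print(f"validate against {name}: covered={ok}")
    # The customer's own name is never the reference identity for SMTP delivery,
    # so the provider's certificate does not need to cover it.
    print("cert covers yourdomain.example:",
          cert_covers("yourdomain.example", PROVIDER_CERT_SANS))
```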