Encrypted email service with custom domain support for businesses. This guide covers the complete email authentication stack for Proton Mail: SPF, DKIM, and DMARC. Each section gives you the exact DNS records, step-by-step instructions, common pitfalls, and how to verify your setup.
Authorize Proton Mail to send email on behalf of your custom domain by adding the correct SPF include.
TXT
@
v=spf1 include:_spf.protonmail.ch ~all
Proton Mail uses a .ch domain (Switzerland) for its SPF include.
Go to mail.proton.me and sign in with your Proton account (paid plan required for custom domains).
Go to Settings > All settings > Proton Mail > Domain names. Add your custom domain if not already added.
Proton Mail displays the SPF record as part of the domain setup wizard.
Add the SPF TXT record to your DNS.
v=spf1 include:_spf.protonmail.ch ~allClick "Verify" in Proton Mail settings. The platform will check your DNS records.
v=spf1 ~allv=spf1 include:_spf.protonmail.ch ~allAdd include:_spf.protonmail.ch to your SPF record. Note the .ch domain extension (Switzerland).
Proton Mail is a Swiss company (Proton AG) headquartered in Geneva. Their infrastructure uses the .ch (Switzerland) domain.
Yes. Custom domain support requires Proton Mail Plus or higher.
Enable DKIM for Proton Mail by publishing three CNAME records for the protonmail, protonmail2, and protonmail3 selectors.
CNAME
protonmail._domainkey
protonmail.domainkey.dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.domains.proton.ch
Proton Mail provides three CNAME records with selectors protonmail, protonmail2, and protonmail3. Values are unique to your domain.
Go to mail.proton.me and sign in.
Go to Settings > All settings > Proton Mail > Domain names. Select your domain.
Proton Mail displays three CNAME records for DKIM in the domain setup wizard.
Create the three CNAME records in your DNS provider.
protonmail._domainkey.yourdomain.com CNAME protonmail.domainkey.dxxx...domains.proton.ch
protonmail2._domainkey.yourdomain.com CNAME protonmail2.domainkey.dxxx...domains.proton.ch
protonmail3._domainkey.yourdomain.com CNAME protonmail3.domainkey.dxxx...domains.proton.chClick "Verify" in Proton Mail. The platform checks all three CNAME records.
Proton Mail uses protonmail, protonmail2, and protonmail3 as DKIM selectors. All three are published as CNAME records.
Three selectors enable seamless DKIM key rotation. Proton can rotate keys without any downtime or DNS changes needed from you.
Yes. The CNAME-based setup allows Proton to manage key rotation on their infrastructure.
Publish a DMARC record to protect your custom domain when using Proton Mail.
TXT
_dmarc
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
Proton Mail includes a DMARC record suggestion in the domain setup wizard.
Set up SPF (include:_spf.protonmail.ch) and DKIM (3 CNAME records) for Proton Mail first.
Proton Mail suggests a DMARC record during domain setup. You can customize it.
Add a TXT record at _dmarc.yourdomain.com.
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1Review DMARC aggregate reports. Proton Mail typically aligns well.
After confirming clean reports, move to p=quarantine and then p=reject.
Yes. Proton Mail provides SPF and DKIM alignment and includes a DMARC record suggestion in the domain setup wizard.
Yes. Proton Mail has strong authentication support. If it is your only email sender, p=reject is safe to use.
Yes. The domain setup wizard includes a step for DMARC and provides a suggested record value.
Once your SPF, DKIM, and DMARC records are in place, run a full domain scan to confirm everything is configured correctly. DNS changes typically propagate within minutes but can take up to 48 hours.