How to Set Up DMARC for Proton Mail
Complete guide to configuring DMARC for Proton Mail custom domains. Set up SPF, DKIM, and DMARC for full email authentication.
Proton Mail makes email authentication straightforward for custom domains. When you add a custom domain, Proton provides the exact DNS records you need for SPF, DKIM, and DMARC. This guide walks through the complete setup.
Prerequisites
Before starting:
- Proton Mail paid plan (Mail Plus, Proton Unlimited, or Business)
- A custom domain you own
- Access to your domain's DNS settings
Step 1: Add Your Custom Domain to Proton
If you haven't already added your domain:
- Log in to Proton Mail
- Go to Settings → Proton Mail → Domain names
- Click Add domain
- Enter your domain name
- Verify ownership (Proton provides a TXT record to add)
Step 2: Configure SPF for Proton Mail
Proton Mail provides the SPF record during domain setup.
The Proton SPF Record
Add this TXT record at your root domain:
v=spf1 include:_spf.protonmail.ch ~all
If you have other email services, combine them:
v=spf1 include:_spf.protonmail.ch include:sendgrid.net ~all
Verify SPF
Use SPF Record Check to verify your SPF is correctly configured.
Step 3: Configure DKIM for Proton Mail
Proton Mail uses three DKIM selectors for redundancy.
Get Your DKIM Records
- In Proton Mail settings, go to Domain names
- Click on your domain
- Find the DKIM section
- Proton provides three CNAME records
Add the DKIM CNAME Records
Add three CNAME records to your DNS:
Record 1:
| Field | Value |
|---|---|
| Type | CNAME |
| Host | `protonmail._domainkey` |
| Target | `protonmail._domainkey.xxxxxxx.domains.proton.ch` |
Record 2:
| Field | Value |
|---|---|
| Type | CNAME |
| Host | `protonmail2._domainkey` |
| Target | `protonmail2._domainkey.xxxxxxx.domains.proton.ch` |
Record 3:
| Field | Value |
|---|---|
| Type | CNAME |
| Host | `protonmail3._domainkey` |
| Target | `protonmail3._domainkey.xxxxxxx.domains.proton.ch` |
The exact target values are shown in your Proton Mail settings (the xxxxxxx part is unique to your domain).
Verify DKIM
Use DKIM Test with selector protonmail to verify your DKIM is working.
CNAME not TXT
Proton Mail uses CNAME records for DKIM, not TXT records. This allows them to manage key rotation automatically.
Step 4: Add Your DMARC Record
With SPF and DKIM configured, add your DMARC record.
Start with Monitoring
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Add this as a TXT record at _dmarc.yourdomain.com:
| Field | Value |
|---|---|
| Type | TXT |
| Host/Name | `_dmarc` |
| Value | `v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com` |
Replace dmarc@yourdomain.com with an email address you control.
Verify the Record
Step 5: Verify in Proton Mail
After adding all records:
- Go to Settings → Domain names
- Click on your domain
- Proton shows the status of each record:
- Green checkmarks indicate properly configured records
- Red or orange indicators show issues to fix
Wait for DNS propagation if records don't verify immediately.
Complete DNS Record Summary
For Proton Mail with custom domain, you need:
| Record Type | Host | Purpose |
|---|---|---|
| TXT | `@` (root) | SPF authorization |
| CNAME | `protonmail._domainkey` | DKIM key 1 |
| CNAME | `protonmail2._domainkey` | DKIM key 2 |
| CNAME | `protonmail3._domainkey` | DKIM key 3 |
| TXT | `_dmarc` | DMARC policy |
| MX | `@` (root) | Mail routing (Proton provides these) |
Progress to Enforcement
After monitoring for 2-4 weeks and verifying all email passes:
Quarantine
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com
Reject
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com
Using Multiple Email Services
If you send email from services other than Proton Mail:
SPF
Add other services to your SPF record:
v=spf1 include:_spf.protonmail.ch include:sendgrid.net ~all
DKIM
Each service needs its own DKIM configuration. Add DKIM records from each service alongside Proton's DKIM records. Different selectors allow multiple services.
DMARC
One DMARC record covers all sending. Your policy applies to all email from your domain, regardless of which service sends it.
Catch-All Addresses
Proton Mail supports catch-all addresses for custom domains. This doesn't affect DMARC configuration—catch-all is for receiving, DMARC is for sending authentication.
Troubleshooting
DKIM Not Verifying
- Verify CNAME records point to the exact targets Proton provides
- Check for typos in the selector names
- Wait for DNS propagation (up to 48 hours)
- Some DNS providers have issues with underscores; contact support if needed
SPF Failures
- Ensure
include:_spf.protonmail.chis in your SPF record - Check you have only one SPF record
- Verify no syntax errors
Proton Shows Red Indicators
- Wait for DNS propagation after adding records
- Verify record values match exactly what Proton provides
- Check your DNS provider is correctly hosting the records
Sending from Proton Bridge
If using Proton Bridge for desktop email clients:
- SPF and DKIM work the same way
- Email sent through Bridge is authenticated identically to webmail
- No additional configuration needed
Proton Mail Business
For Proton Mail for Business:
- Domain setup is similar but accessed through admin console
- Multiple domains can be added
- Each domain needs its own SPF, DKIM, and DMARC records
- Subuser emails are automatically authenticated
Complete Checklist
- [ ] Domain added to Proton Mail account
- [ ] Domain ownership verified
- [ ] SPF TXT record added with
_spf.protonmail.ch - [ ] Three DKIM CNAME records added
- [ ] DMARC TXT record added at
_dmarc - [ ] All records showing green in Proton settings
- [ ] Test email sent and headers verified
- [ ] DMARC reports arriving
Monitor Your DMARC Records
Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.
Never miss a DMARC issue
Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.
Start Monitoring