Anti-spoofing for Custom Domains (SPF, DKIM & DMARC)

While there are great benefits to email’s open and decentralized nature, this freedom also makes email easy to abuse. For example, any server connected to the internet can send an email to your friend pretending to be from you. Read on to see how we can protect your custom domain from these kinds of attacks.

SPF (strongly recommended)

The Sender Policy Framework (SPF) record basically tells the world which hosts or IPs are allowed to send email for your domain. When email servers receive an email that claims to be from your domain, they can look up your SPF record to see if the sending server is included. 

While not required, we strongly recommend that you set up an SPF record that includes ProtonMail. 

This will not only make your email seem more legitimate and thus less likely to be sent to spam folders, but it will also help protect your domain from attackers who send emails with forged headers pretending to be from you.

In your browser, log in to your ProtonMail account and go to Settings → Organization → Custom domains → Actions → Review button → SPF tab.

Image of SPF tab
This shows the recommended SPF record to add to your registrar’s domain management portal. You can click on the small icon to the left of the entry to Copy it to your system’s clipboard.

Image of Add a record
The “include:_spf.protonmail.ch” part of the record means that you allow ProtonMail servers to send on behalf of your domain. If you want to keep an existing SPF record, simply add “include:_spf.protonmail.ch” to it, after the “v=spf1” at the start of the record. The “mx” mechanism additionally authorizes the hosts listed in your domain’s MX records.

The “~all” part means that email sent from any server not included in the record will be treated as a SoftFail: the receiving mail server will still accept the delivery but will mark it as having failed SPF. The alternative is the “-all” (HardFail) qualifier, which tells receiving servers to reject such email outright.

Rejecting can cause delivery problems for legitimate emails. For example, SPF often fails during email forwarding, where you send to address A, which automatically forwards to address B: the forwarding server’s IP is not in your SPF record.

Once we detect that your domain’s SPF record includes ProtonMail, the SPF tab will show a green tick icon.
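To make the qualifier behaviour concrete, here is an added Python example (not ProtonMail’s code) that evaluates an SPF record of the shape recommended above against a sending IP. DNS answers come from a constructed in-memory table, and the addresses are documentation ranges, not ProtonMail’s real sending hosts.

```python
import ipaddress
from typing import Dict, List

# Constructed in-memory DNS standing in for real lookups. The addresses are
# documentation ranges (RFC 5737), not ProtonMail's real sending hosts.
FAKE_DNS: Dict[str, Dict[str, List[str]]] = {
    "example.com": {
        "TXT": ["v=spf1 include:_spf.protonmail.ch mx ~all"],  # as recommended
        "MX": ["mail.example.com"],
    },
    "strict.example": {"TXT": ["v=spf1 include:_spf.protonmail.ch -all"]},
    "mail.example.com": {"A": ["198.51.100.25"]},
    "_spf.protonmail.ch": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name: str, rtype: str) -> List[str]:
    return FAKE_DNS.get(name.lower(), {}).get(rtype, [])


def check_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Evaluate domain's SPF record against the connecting IP and return
    pass / fail / softfail / neutral / none / permerror."""
    if depth > 10:                      # RFC 7208 caps DNS-querying terms
        return "permerror"
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    if len(records) != 1:               # no record, or the ambiguous multi-record case
        return "none" if not records else "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"                 # an unprefixed mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "mx":              # hosts named in the domain's MX records
            hosts = lookup(arg or domain, "MX")
            matched = any(str(ip) in lookup(h, "A") for h in hosts)
        elif mech == "include":         # only a "pass" of the included record matches
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        else:
            continue                    # a, exists, redirect= etc. are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # fell off the end without an "all" term
```

The same unauthorized IP yields “softfail” under “~all” on example.com but “fail” under “-all” on strict.example, which is the difference the text describes.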

DKIM (recommended)

Domain Keys Identified Mail (DKIM) is a method of email authentication that cryptographically verifies if an email was sent by trusted servers and has not been tampered with. 

Basically, when a server sends an email using your domain, it calculates a hash of the email contents, signs (encrypts) that hash with a private key that only trusted servers know, and adds the result to the email headers as a DKIM signature.

The receiving server verifies the email by looking up the corresponding public key in your domain’s DNS records, decrypting the signed hash, and calculating a new hash from the email contents it received. It then compares the two hashes. If they match, the email has not been tampered with, and so DKIM passes. Otherwise, DKIM fails, and the email is treated with suspicion.

Please see Introducing DKIM key management for a more detailed look at this subject.

We use CNAME records to manage automatic DKIM key rotation, which is an accepted security best practice. We ask you to add and keep three CNAME records. This ensures there is always an active key used to provide an uninterrupted service while the other keys are automatically retired and recreated on a regular basis for improved security. 

It all sounds complicated, but implementing DKIM for your domain is simple in ProtonMail. It will take a couple of hours to verify your custom domain when you first change its DNS records for use with ProtonMail. Once your custom domain is verified, ProtonMail will generate the host names and values you will need for your domain’s DNS portal. It will then create the CNAME records necessary for automatic DKIM key rotation.

We will send you an email notification informing you that your custom domain, host names, and values are ready.

New users

In your browser, log in to your ProtonMail account and go to Settings → Organization → Custom domains → Actions → Review button → DKIM tab.

Here you will see the three host names and values that you will need to add to your domain’s DNS settings. Once you have added these records, ProtonMail will handle the rest for you. Following current security best practices, we will generate a new 2048-bit key every six months and use it to sign your emails.

Image of DKIM tab
The CNAME records you add to your domain’s DNS settings must be an exact match with the ones shown in your setup wizard. Once we detect these records in your DNS, the DKIM tab will show a green tick icon. We will then notify you and start signing outgoing emails from your custom domain with DKIM, just like we do for other ProtonMail addresses.

IMPORTANT: Some registrars do not accept CNAME values with a period at the end (while others require it). If your registrar does not accept your CNAME records, delete the period at the end of each CNAME value and try again.

Users that currently use manual DKIM key rotation

We strongly advise everyone that currently uses manual DKIM key rotation to upgrade to the new automatic key rotation system. Not only will this remove the need for you to rotate your keys manually, but it will also automatically upgrade your key strength (if you were using 1024-bit keys).

If you have previously configured manual DKIM key rotation for your domain using a TXT record, you need to remove this record from the DNS settings before entering the CNAME records.

You need to reconfigure your DNS settings with CNAME records because they allow us to set up automatic key rotation, while your current TXT record does not.

Once you have deleted this TXT record, you can follow the instructions for new users. DKIM will stop signing your emails once you delete the TXT record. To maintain DKIM protection, you should enter your CNAME Host Names and values into your DNS settings immediately.

DMARC (recommended)

While learning about SPF and DKIM (above), you may have wondered how the receiving server deals with an email that fails the checks. This is where Domain-based Message Authentication, Reporting, and Conformance (DMARC) comes in.

DMARC lets the domain owner specify what happens to emails that fail the checks and receive reports about them. Basically, there are three actions a receiving server can take when BOTH the SPF and DKIM checks fail: none, quarantine, and reject.

Go to the DMARC tab in your ProtonMail domain management console. 

Image of DMARC tab
Add the DMARC TXT Host Name and value string to your domain in your registrar’s domain management console.

Image of Add DMARC string to registrar

The “p=” value specifies the action to take for emails that fail DMARC. The default setting is “none”, which means that even if an email fails DMARC, the receiving server will still accept it as usual. However, to improve your security we recommend setting this value to “p=quarantine”, which tells the receiving server to send failed emails to the spam folder.

Once you are confident that your legitimate emails are passing DMARC, you may want to set it even more aggressively to “p=reject”. This tells the receiving server to not accept failed emails. We recommend using “p=reject” if you think you are likely to be a target for email spoofing. For example, Yahoo, PayPal, and eBay use “p=reject” to prevent spammers from impersonating them.

Another parameter is “rua=”, which specifies an email address where other email services can send aggregate reports so you can see how many of your emails are failing DMARC.

Please keep in mind, however, that there are risks in choosing more aggressive DMARC actions. For instance, when you email a mailing list that then forwards to individual recipients, this will break SPF. Annoyingly, some mailing lists also change the contents of the email, which breaks DKIM and causes DMARC to fail, creating delivery issues if you have set DMARC to quarantine or reject. This is why DMARC is set to none by default. 

Test Email

Once you have a custom domain set up, you can test it by sending an email using Mail Tester. Simply send an email from your custom domain address to the unique address shown on the Mail Tester web page. Then check your spamminess score.

Image of test your email

If you have both SPF and DKIM set properly, you should be able to score 10/10!

31 comments

  1. Mickey Anonymouse

    My registrar does not offer a field to enter in a “Host / Name”, which for the first TXT record you said is okay. But for DKIM you say that it’s essential to include ‘protonmail._domainkey’, but I have no way of doing that. So should I do DKIM at all or what?

  2. ProtonMail Support

    Please contact us at contact@protonmail.com

  3. Anonymous

    Hi all, thank you for creating and maintaining protonmail. My comment is on aesthetics. I understand that you need to cover the private data on the example pictures that you have used above, and I believe it is great that you use such step by step instructions with pictures: but those black rectangles you use to cover the actual names etc. are so creepy and make the page ugly. What I would do would be to make those impossible to read, but not with black rectangles; rather crop out the actual names/data and then edit in something conspicuous like myname@mydomain.

    Details, I know, but I think it makes for a more user-friendly guide =)

    Best of luck with protonmail!

  4. Ann Omynous

    I did include the SPF line in my DNS zone file, it’s been up for a couple of days now, but it is still not detected by Protonmail. What should I do?

  5. ProtonMail Support

    Please contact us on contact@protonmail.ch or via the Report Bug button.

  6. Does is Matter

    Hello, I would like to change my business emails over to you via my own domain. However, the email records are with Godaddy. How hard will this be? Presently, I’m not happy with the vendor I have. Lots of security leaks. Someone is reading my emails and I’m getting really creepy emails from fake addresses and my ex-husband is hacking into my business mail even though he’s supposed to be blocked. Rackspace is awful.

  7. ProtonMail Support

    Can you please send us the details at contact@protonmail.com?

  8. Daniel

    I needed to separate each section for DKIM with double quotes: “v=DKIM1; k=rsa;” “p=……..”

  9. Bruce

    This is an excellent tutorial. It’s very informative. Thank you.
    All of your tutorial examples show a TTL of 300 seconds. Are you recommending this? Should we really be preparing for value changes every 5 minutes? If you are making a recommendation, please include it in the setup wizard.
    Also, since many of us are new at this, it would be nice to see an explanation of the standard values like “v=spf1”, “v=DKIM1”, “v=DMARC1”, “k=rsa” and even HOST/NAME: “@”.

  10. ProtonMail Support

    Once your records have propagated and are verified, you can change the TTL to a higher number.
    Thank you for the suggestions, we will take them into consideration.

  11. J.Delta

    Hey guys,
    sorry to bother. I got a question regarding ChimpMail.com.
    I use it from time to time to send mails to large numbers of people and was wondering if there might be a way to authenticate my mail address with protonmail?

    That’s what it says:
    Authenticate protonmail.com with MailChimp by modifying your domain’s DNS records. These changes allow your campaigns to appear to come from protonmail.com, instead of from our servers. After you’ve made the required DNS changes, please wait 24-48 hours for the changes to propagate.

    DKIM: Create a CNAME record for k1._domainkey.protonmail.com with this value:
    dkim.mcsv.net
    SPF: Create a TXT record for protonmail.com with:
    v=spf1 include:servers.mcsv.net ?all

    Can you help me?

  12. ProtonMail Support

    We cannot allow outside services to impersonate ProtonMail. You may be able to do this by adding a custom domain to your account.

  13. Phil

    Hi, I’ve had a custom domain attached to my protonmail pro account for a few months and yesterday I made changes to the DNS settings to allow for my wordpress page to use my domain. This morning, protonmail can’t verify my DNS.

    I’m using Godaddy.com to manage my domains. Previously, I could see my DNS records on the godaddy DNS management page, but now it says “We can’t display your DNS information because your nameservers aren’t managed by us.” To bypass this, I created a Template and added the MX record and 3 TXT records required for protonmail. Then, I applied the template to my domain. I downloaded the Zone File and confirmed that the 4 DNS records are present. I am concerned that this template does not have an “A” or “AAAA” DNS record. Is that required?

    Does this fix the problem? Do I need to wait a full 24 hours to find out? If not, what further action do I need to take?

    Update: I determined that since wordpress is providing my nameservers, the DNS records for my custom domain email should be located in the WordPress Domains section. At least that’s my understanding, because doing so validated my DNS in protonmail. My DKIM, SPF, and DMARC settings are still showing as not set up properly, even though I added those DNS records to the wordpress DNS records. Does this take 24 hours to show properly?

  14. Anonymous

    Hi,

    I have a question regarding field for DKIM “Host / Name”.
    What I should enter in this field?
    1. protonmail._domainkey
    OR
    2. protonmail._domainkey.mydomainname

    Should I put my domain name in this field? Or I should indicate only “protonmail._domainkey” verbatim et literatim as you mentioned?

    Please clarify
    Thanks!

  15. ProtonMail Support

    You just need to enter “protonmail._domainkey”, without the domain name (and without the quotes).

  16. Anonymous

    My Hosting service automatically adds mydomainname at the end of the name field like

    protonmail._domainkey.mydomainname
    NOT
    protonmail._domainkey

    What should I do?

  17. ProtonMail Support

    protonmail._domainkey.mydomainname should also work and it should be properly detected by ProtonMail. If you need further assistance, please contact our support team at contact@protonmail.ch, support@protonmail.ch, via the report bug button or using the support form at https://protonmail.com/support-form.

  18. Trudy

    ‘spf.protonmail.[hidden]. 14400 IN TXT
    v=spf1 include:_spf.protonmail.ch mx ~all’
    I have made a TXT with the above row. My question: is the part ‘spf.protonmail.[hidden]’ right?

  19. ProtonMail Support

    The Name/Host field should contain only @, the domain name – for example, domain.com, or just leave it blank. If you need further assistance, please contact our support team at https://protonmail.com/support-form.

  20. David

    Your screen shots show “what” to change, but I don’t see any information on HOW to get to those settings screens!

    Also I would call out that on SPF records the correct format is “~all” *tilde* “all”, not hyphen or dash then “all”. That screwed me up for a while.

  21. ProtonMail Support

    DNS settings are edited at your domain registrar or DNS provider.

    Regarding the qualifier in the SPF records, all are actually valid, depending on what you want to achieve: https://en.wikipedia.org/wiki/Sender_Policy_Framework#Qualifiers.

  22. xavier

    Hi,

    I’m receiving some emails with a DMARC Aggregate Report. Sadly nothing to explain what’s going on.
    Do I need to change something in my pm setting?

    Thanks

  23. ProtonMail Support

    You can use a tool like https://dmarcian.com/xml-to-human-converter/ to help with reading the DMARC reports.

  24. Vincent Herriau

    How does one implement a custom forward filter, which will forward incoming email to select addresses, based on specific filtering criteria being met?
    Apparently, the filters and the SIEVE language allow incoming mail to be labelled and to be assigned to custom mailboxes. I could not find commands that had that mail forwarded.

  25. ProtonMail Support

    Automatic forwarding is not supported due to the encryption we utilize.

  26. Chris Forker

    Hi, can I transfer a domain to you for email hosting?

  27. ProtonMail Support

    Yes, you can. You can read more on the link below or contact our support team.
    https://protonmail.com/support/knowledge-base/set-up-a-custom-domain/
    https://protonmail.com/support-form

  28. Xavier

    Any ideas why I am receiving those reports at all?

  29. ProtonMail Support

    If you have a custom domain and a DMARC record set up, reports will be sent to the address in the record. DMARC reports can be received as routine reports, not necessarily linked to any emails failing the anti-spoofing checks.

  30. Christopher Kight

    I am having issues adding the SPF information with google domains.

    There is already a TXT entry with @ as the host for the verification line.
    It allows me to add the “v=spf1 include:_spf.protonmail.ch mx ~all” as an additional line on that, but it won’t let me have two TXT entries with the same host.

    Have I overlooked something obvious?

  31. ProtonMail Support

    There should be a little + icon next to your verification record. When you click it, a new field will open under the existing one, where you can insert the SPF record.
    https://protonmail.com/support/knowledge-base/dns-records-google-domains/
