Anti-spoofing for Custom Domains (SPF, DKIM & DMARC)

While there are great benefits to email’s open and decentralized nature, this freedom also makes email easy to abuse. For example, any server connected to the internet can send an email to your friend pretending to be from you. Read on to see how we can protect your custom domain from these kinds of attacks.


SPF (strongly recommended)

The Sender Policy Framework (SPF) record tells the world which hosts or IP addresses are allowed to send email for your domain. When a mail server receives a message whose sender is in your domain, it can look up your domain’s SPF record and check whether the connecting server is listed there. Note that SPF checks the envelope sender (the Return-Path / MAIL FROM address used in the SMTP transaction), not the From header the recipient sees; tying the two together is DMARC’s job, described further down. While not required, we strongly recommend that you set up an SPF record that includes ProtonMail. This not only makes your email look more legitimate and thus less likely to end up in spam folders, it also helps protect your domain from attackers who send emails with forged headers pretending to be you.


The recommended SPF record to add is:

    Type: TXT
    Host / Name: @
    Value: v=spf1 include:_spf.protonmail.ch mx ~all

The “@” in the Host / Name field means the domain itself, and “v=spf1” is the version tag every SPF record must start with. The “include:_spf.protonmail.ch” mechanism authorizes ProtonMail’s servers to send on behalf of your domain. If you already have an SPF record, keep it and add “include:_spf.protonmail.ch” to it right after “v=spf1”: a domain must publish exactly one SPF record, and receivers treat two as a permanent error, which is worse than no record at all. The “mx” mechanism also authorizes the hosts listed in your domain’s MX records. The “~all” at the end means that any other server not listed should be treated as a softfail: the receiver accepts the email but marks it as having failed SPF. This is better than “-all”, which asks receivers to reject emails that fail SPF and causes delivery problems for certain legitimate emails. For example, SPF often fails during email forwarding, where you send to address A, which automatically forwards to address B: the forwarder’s server, not one of yours, is the one connecting to B’s mail server.

Also keep in mind that SPF allows at most ten DNS-querying mechanisms (“include”, “mx”, “a” and the lookups they trigger) per evaluation; exceeding that limit is another permanent error, so count the includes if you combine several services in one record.

Once we detect that your domain’s SPF record includes ProtonMail, the SPF button in Settings->Domains will turn green.
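To make the mechanisms concrete, here is an added example (not ProtonMail’s code) that evaluates an SPF record the way a receiving server does. DNS is replaced by a constructed in-memory table, so the record shown for _spf.protonmail.ch and the example.test zone are assumptions made for illustration only; the evaluator itself follows the RFC 7208 rules described above, including the single-record and ten-lookup permanent errors and the forwarding case, where a server not in the record gets the “~all” softfail.

```python
"""Offline SPF evaluator, written as an added example for this article.

It is not ProtonMail's code. DNS answers come from the constructed table
below, so every record in it (including the contents of _spf.protonmail.ch)
is an assumption made for illustration; the real records differ.
"""
import ipaddress
import re

# Constructed DNS table standing in for real TXT, MX and A lookups.
DNS = {
    "example.test": {
        "TXT": ["v=spf1 include:_spf.protonmail.ch mx ~all"],
        "MX": ["mail.example.test"],
    },
    "mail.example.test": {"A": ["198.51.100.25"]},
    "_spf.protonmail.ch": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
    # A record that includes itself: used to show the lookup limit.
    "loop.test": {"TXT": ["v=spf1 include:loop.test -all"]},
}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: limit on DNS-querying mechanisms
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM = re.compile(r"([+\-~?]?)(all|ip4|ip6|a|mx|include)(?::([^/]+))?(?:/(\d+))?")


class PermError(Exception):
    """Permanent SPF error: bad syntax, no single record, or too many lookups."""


def spf_record(domain):
    """Return the one SPF record of a domain; zero or several is a permerror."""
    txts = DNS.get(domain, {}).get("TXT", [])
    records = [t for t in txts if t == "v=spf1" or t.startswith("v=spf1 ")]
    if len(records) != 1:
        raise PermError(f"{domain}: expected one SPF record, found {len(records)}")
    return records[0]


def check_host(ip, domain, _lookups=None):
    """RFC 7208 check_host(): may `ip` send mail with `domain` as envelope sender?

    Returns (result, matching_term). `_lookups` is the shared DNS-lookup
    counter that include: recursion must not reset.
    """
    ip = ipaddress.ip_address(ip)
    lookups = _lookups if _lookups is not None else [0]
    for term in spf_record(domain).split()[1:]:
        m = TERM.fullmatch(term)
        if not m:
            raise PermError(f"{domain}: unsupported or malformed term {term!r}")
        qual, mech, arg, prefix = m.groups()
        result = QUALIFIERS[qual or "+"]
        if mech == "all":
            return result, f"{domain} {term}"
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg + (f"/{prefix}" if prefix else ""), strict=False)
            if ip in net:  # False when the address families differ
                return result, f"{domain} {term}"
            continue
        # a, mx and include each consume one of the ten permitted lookups.
        lookups[0] += 1
        if lookups[0] > MAX_LOOKUPS:
            raise PermError(f"{domain}: more than {MAX_LOOKUPS} DNS lookups")
        target = arg or domain
        if mech == "include":
            # include: matches only if the included record yields "pass".
            sub_result, _ = check_host(str(ip), target, lookups)
            if sub_result == "pass":
                return result, f"{domain} {term}"
            continue
        hosts = [target] if mech == "a" else DNS.get(target, {}).get("MX", [])
        for host in hosts:
            for addr in DNS.get(host, {}).get("A", []):
                if ip in ipaddress.ip_network(f"{addr}/{prefix or 32}", strict=False):
                    return result, f"{domain} {term}"
    return "neutral", f"{domain}: no mechanism matched"


if __name__ == "__main__":
    # 203.0.113.7 is a "ProtonMail" host, 198.51.100.25 the domain's own MX,
    # 192.0.2.9 a forwarder that re-sends with the original envelope sender.
    for sender in ("203.0.113.7", "198.51.100.25", "192.0.2.9"):
        print(sender, check_host(sender, "example.test"))
```

To test a real domain, replace the DNS table with live TXT, MX and A lookups (a resolver library such as dnspython does this) and keep the evaluator unchanged; the loop.test entry shows what a self-referencing include does to the lookup budget.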


DKIM (recommended) 

DomainKeys Identified Mail (DKIM) is a method of email authentication that lets a receiver verify cryptographically that an email was sent by a trusted server and was not altered in transit. When a trusted server sends an email for your domain, it hashes the message body and a chosen set of headers (always including From), signs that hash with a private key that only the trusted servers hold, and adds the result to the message as a DKIM-Signature header. That header also names the signing domain (d=) and a selector (s=). The receiving server looks up the matching public key in your domain’s DNS, at selector._domainkey.yourdomain, recomputes the hashes from the message as it received it, and checks the signature against them. If the signature verifies, the signed parts of the email cannot have changed since signing and DKIM passes. Otherwise DKIM fails and the email is treated with suspicion. Note that this is a signature, not encryption: DKIM proves origin and integrity but does nothing to hide the contents.
It all sounds complicated but implementing DKIM for your domain is extremely easy in ProtonMail. Once you have successfully verified your custom domain, ProtonMail will generate a DKIM key pair and show you the TXT record to add if you want to enable DKIM signing. This record contains the public key and is different for every domain.


An example of a DKIM TXT record (the p= value is the public key your setup wizard shows; it is unique to your domain and is not reproduced here):

    Type: TXT
    Host / Name: protonmail._domainkey
    Value: v=DKIM1; k=rsa; p=<public key from your setup wizard>

Here “v=DKIM1” is the record version and “k=rsa” the key type. Notice that, unlike the previous DNS records, the Host / Name is no longer blank or @: it is the selector “protonmail” under “_domainkey”, which is where receiving servers look for the key. Some DNS providers append your domain name to this field automatically, so it may appear as protonmail._domainkey.yourdomain; both forms are detected (see the comments below). If your provider limits a TXT value to 255 characters, split the value into several quoted strings; receivers join them back together before parsing. It is important that you add the value exactly as shown in your setup wizard. Once we detect this record in your DNS, the DKIM button in Settings->Domains will turn green. We will then automatically notify you and start signing outgoing emails from your custom domain with DKIM, just as we do for other ProtonMail addresses.

If you ever want to stop DKIM signing for your custom domain, simply change the value of the DKIM TXT record you added to “off”.

Once we detect this change, we will automatically notify you and turn off DKIM signing for your custom domain.
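The following added example (not ProtonMail’s signer) shows the verifiable half of the scheme with only the Python standard library: relaxed and simple body canonicalization, the bh= body hash a signer puts into the DKIM-Signature header, and a validator for the TXT record published under the selector, including the revoked-key and split-string cases. The sample key material is a constructed dummy, not an RSA key, and the RSA signature over the headers is left out because it needs a crypto library.

```python
"""DKIM body hash and key-record checks, added as an example for this article.

Illustrative stdlib-only code, not ProtonMail's signer. It covers the
body-hash (bh=) half of a DKIM signature and validation of the TXT record at
<selector>._domainkey.<domain>; the RSA signature over the headers (b=) needs
a crypto library and is left out. The sample key below is a constructed dummy.
"""
import base64
import hashlib
import re


def canonicalize_body(body, method="relaxed"):
    """Apply RFC 6376 section 3.4 body canonicalization to a CRLF-terminated body."""
    lines = body.split("\r\n")
    if method == "relaxed":
        # Drop trailing whitespace on each line, then collapse runs of SP/HTAB.
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    elif method != "simple":
        raise ValueError(f"unknown canonicalization {method!r}")
    while lines and lines[-1] == "":  # ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        # An empty body is a single CRLF under "simple" but nothing under "relaxed".
        return "\r\n" if method == "simple" else ""
    return "\r\n".join(lines) + "\r\n"


def body_hash(body, method="relaxed"):
    """Return the bh= value a signer puts in DKIM-Signature (sha256, base64)."""
    digest = hashlib.sha256(canonicalize_body(body, method).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_record(txt_strings):
    """Validate the TXT strings found at <selector>._domainkey.<domain>.

    DNS stores a TXT value as character-strings of at most 255 bytes, so a
    2048-bit RSA key (about 390 base64 characters) is published as several
    quoted strings; the verifier concatenates them before parsing.
    """
    record = "".join(txt_strings)
    tags = {}
    for field in record.split(";"):
        if not field.strip():
            continue
        name, sep, value = field.partition("=")
        if not sep:
            return {"status": "invalid", "error": f"malformed tag {field.strip()!r}"}
        tags[name.strip()] = "".join(value.split())  # values may be folded over whitespace
    if tags.get("v", "DKIM1") != "DKIM1":
        return {"status": "invalid", "error": "v= must be DKIM1"}
    if "p" not in tags:
        return {"status": "invalid", "error": "missing p= tag"}
    if tags["p"] == "":
        return {"status": "revoked", "tags": tags}  # RFC 6376: empty p= revokes the key
    try:
        base64.b64decode(tags["p"], validate=True)
    except (ValueError, TypeError):
        return {"status": "invalid", "error": "p= is not valid base64"}
    return {"status": "ok", "key_type": tags.get("k", "rsa"), "tags": tags}


# Constructed sample: a dummy p= value split across two TXT strings the way a
# real key would be. It is not an RSA key.
SAMPLE_P = base64.b64encode(b"constructed dummy key material, not an RSA key").decode("ascii")
SAMPLE_TXT = ["v=DKIM1; k=rsa; p=" + SAMPLE_P[:20], SAMPLE_P[20:]]

if __name__ == "__main__":
    print("bh=" + body_hash("Hello world\r\n"))
    print(parse_dkim_record(SAMPLE_TXT)["status"])
```

Relaxed canonicalization is why a mail server that re-wraps whitespace does not break the body hash, while any change to the actual text does. Note also that ProtonMail’s “off” value is not DKIM tag syntax, so a verifier parsing it finds no usable key, which is the intended effect once signing has stopped.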


DMARC (optional) 

As you were learning about SPF and DKIM, you may have wondered what exactly a receiving server should do with an email that fails the checks. This is where Domain-based Message Authentication, Reporting and Conformance (DMARC) comes in: it lets the domain owner specify what should happen to such emails and get feedback about them. DMARC also ties SPF and DKIM to the From header the recipient actually sees. A message passes DMARC if SPF passes for an envelope sender domain that matches (“aligns with”) the From domain, or if DKIM passes with a signing domain (d=) that aligns with the From domain. If neither aligned check passes, the receiving server applies one of three actions from your policy: none, quarantine, or reject.


A basic DMARC TXT record (replace you@yourdomain with a mailbox you control):

    Type: TXT
    Host / Name: _dmarc
    Value: v=DMARC1; p=none; rua=mailto:you@yourdomain

The “p=” tag specifies the action to take for emails that fail DMARC; “none” means do nothing special and accept the email as usual, which makes this a monitoring-only policy. The “rua=” tag is optional and names a mailbox to which other mail services send aggregate reports, so you can see how much of your mail is failing DMARC and from which sending hosts. If that mailbox is in a different domain from the one publishing the policy, the mailbox’s domain has to publish a record authorizing it, or receivers will not send the reports.

Once you are confident that your legitimate emails are passing DMARC (aligned SPF passes or aligned DKIM passes, as the reports will show), you may want to set “p=quarantine”, which tells receiving servers to put failing emails in the spam folder. Even more aggressively, “p=reject” tells them not to accept failing emails at all. You can roll a stricter policy out gradually with the “pct=” tag (for example “p=reject; pct=10” applies it to only 10% of failing mail), and unless you add an “sp=” tag the policy also applies to your subdomains. We recommend working towards “p=quarantine” or even “p=reject” if you think you are likely to be a target of spoofing. For example, Yahoo, PayPal and eBay use “reject” to prevent spammers from impersonating them.

However, keep in mind that these actions carry risk. For instance, when you email a mailing list that then forwards the message to its members, the list’s server is the one delivering it, so SPF no longer passes for your domain. Annoyingly, some mailing lists also change the contents of the email (a subject tag or a footer is enough), which breaks DKIM; with both gone, DMARC fails and your message is quarantined or rejected by recipients honoring your policy.
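As an added example (not ProtonMail’s code), the following implements the alignment logic from the last paragraphs: a parser for the _dmarc record and an evaluator that takes the SPF and DKIM results together with the domains they were obtained for and returns the DMARC verdict and the requested action. The scenarios at the bottom are constructed: a direct send, a plain forward (SPF now belongs to the forwarder, DKIM still aligns), a list that rewrote the body (both gone, so the policy applies), and an outright spoof. The organizational-domain function is a deliberate simplification, flagged in its docstring, and pct= sampling is not modelled.

```python
"""DMARC record parsing and alignment check, added as an example for this
article; it is not ProtonMail's code. Organizational domains are approximated
as the last two labels of a name (an assumption: real verifiers use the
Public Suffix List, so "example.co.uk" would be handled wrongly here).
"""


def org_domain(domain):
    """Approximate organizational domain: the last two labels (see module note)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_dmarc(txt):
    """Parse the TXT record at _dmarc.<domain> into a dict with defaults applied."""
    tags = {}
    for field in txt.split(";"):
        name, sep, value = field.partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError(f"not a usable DMARC record: {txt!r}")
    tags.setdefault("adkim", "r")  # DKIM alignment mode: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")   # SPF alignment mode
    return tags


def aligned(auth_domain, from_domain, mode):
    """Strict alignment needs an exact match; relaxed only the organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, record):
    """Return (dmarc_result, requested_action) for one message.

    spf_domain is the envelope MAIL FROM domain SPF was evaluated for;
    dkim_domain is the d= of a signature that verified. Either an aligned SPF
    pass or an aligned DKIM pass is enough for DMARC to pass.
    """
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy["p"]


# Constructed scenarios for mail with From: in example.test, which publishes p=reject.
# Each tuple is (spf_result, spf_domain, dkim_result, dkim_domain).
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.test"
SCENARIOS = {
    "direct send": ("pass", "example.test", "pass", "example.test"),
    "plain forward": ("pass", "forwarder.test", "pass", "example.test"),
    "list rewrote body": ("pass", "list.test", "fail", "example.test"),
    "spoofed": ("fail", "attacker.test", "none", ""),
}


def run_scenarios(record=RECORD):
    """Evaluate every constructed scenario against the given policy record."""
    return {name: evaluate("example.test", *args, record) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:18} -> {outcome}")
```

The forwarder scenario is the reason the article recommends DKIM alongside SPF: the envelope sender changes in transit, but the signature survives an unmodified relay. The strict alignment mode (adkim=s / aspf=s) is what you would set if subdomains should never be able to sign for the parent domain.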


Test Email

Once your custom domain is set up, you can test sending email with https://www.mail-tester.com. Send an email from your custom domain address to the unique address mail-tester.com shows you and check your spam score. If both SPF and DKIM are set up properly, you should be able to score 10/10!



17 comments

  1. Mickey Anonymouse

    My registrar does not offer a field to enter in a “Host / Name”, which for the first TXT record you said is okay. But for DKIM you say that it’s essential to include ‘protonmail._domainkey’, but I have no way of doing that. So should I do DKIM at all or what?

  2. ProtonMail Support

    Please contact us at contact@protonmail.com

  3. Anonymous

    Hi all, thank you for creating and maintaining protonmail. My comment is on aesthetics. I understand that you need to cover the private data on the example pictures that you have used above, and I believe it is great that you use such step-by-step instructions with pictures, but those black rectangles you use to cover the actual names etc. are so creepy and make the page ugly. What I would do is make those impossible to read, but not with black rectangles; rather, crop out the actual names/data and then edit in something conspicuous like myname@mydomain.

    Details, I know, but I think it makes for a more user-friendly guide =)

    Best of luck with protonmail!

  4. Ann Omynous

    I did include the SPF line in my DNS zone file; it’s been up for a couple of days now, but it is still not detected by Protonmail. What should I do?

  5. ProtonMail Support

    Please contact us on contact@protonmail.ch or via the Report Bug button.

  6. Does is Matter

    Hello, I would like to change my business emails over to you via my own domain. However, the email records are with Godaddy. How hard will this be? Presently, I’m not happy with the vendor I have. Lots of security leaks. Someone is reading my emails and I’m getting really creepy emails from fake addresses, and my ex-husband is hacking into my business mail even though he’s supposed to be blocked. Rackspace is awful.

  7. ProtonMail Support

    Can you please send us the details at contact@protonmail.com?

  8. Daniel

    I needed to separate each section for DKIM with double quotes: “v=DKIM1; k=rsa;” “p=……..”

  9. Bruce

    This is an excellent tutorial. It’s very informative. Thank you.
    All of your tutorial examples show a TTL of 300 seconds. Are you recommending this? Should we really be preparing for value changes every 5 minutes? If you are making a recommendation, please include it in the setup wizard.
    Also, since many of us are new at this, it would be nice to see an explanation of the standard values like “v=spf1”, “v=DKIM1”, “v=DMARC1”, “k=rsa” and even HOST/NAME: “@”.

  10. ProtonMail Support

    Once your records have propagated and are verified, you can change the TTL to a higher number.
    Thank you for the suggestions, we will take them into consideration.

  11. J.Delta

    Hey guys,
    sorry to bother. I got a question regarding ChimpMail.com
    I use it from time to time to send mails to large numbers of people and was wondering if there might be a way to authenticate my mail address with protonmail?

    That’s what it says:
    Authenticate protonmail.com with MailChimp by modifying your domain’s DNS records. These changes allow your campaigns to appear to come from protonmail.com, instead of from our servers. After you’ve made the required DNS changes, please wait 24-48 hours for the changes to propagate.

    DKIM: Create a CNAME record for k1._domainkey.protonmail.com with this value:
    dkim.mcsv.net
    SPF: Create a TXT record for protonmail.com with:
    v=spf1 include:servers.mcsv.net ?all

    Can you help me?

  12. ProtonMail Support

    We cannot allow outside services to impersonate ProtonMail. You may be able to do this by adding a custom domain to your account.

  13. Phil

    Hi, I’ve had a custom domain attached to my protonmail pro account for a few months and yesterday I made changes to the DNS settings to allow for my wordpress page to use my domain. This morning, protonmail can’t verify my DNS.

    I’m using Godaddy.com to manage my domains. Previously, I could see my DNS records on the godaddy DNS management page, but now it says “We can’t display your DNS information because your nameservers aren’t managed by us.” To bypass this, I created a Template and added the MX record and 3 TXT records required for protonmail. Then, I applied the template to my domain. I downloaded the Zone File and confirmed that the 4 DNS records are present. I am concerned that this template does not have an “A” or “AAAA” DNS record. Is that required?

    Does this fix the problem? Do I need to wait a full 24 hours to find out? If not, what further action do I need to take?

    Update: I determined that since wordpress is providing my nameservers, the DNS records for my custom domain email should be located in the WordPress Domains section. At least that’s my understanding, because doing so validated my DNS in protonmail. My DKIM, SPF, and DMARC settings are still showing as not set up properly, even though I added those DNS records to the wordpress DNS records. Does this take 24 hours to show properly?

  14. Anonymous

    Hi,

    I have a question regarding field for DKIM “Host / Name”.
    What I should enter in this field?
    1. protonmail._domainkey
    OR
    2. protonmail._domainkey.mydomainname

    Should I put my domain name in this field? Or I should indicate only “protonmail._domainkey” verbatim et literatim as you mentioned?

    Please clarify
    Thanks!

  15. ProtonMail Support

    You just need to enter “protonmail._domainkey”, without the domain name (and without the quotes).

  16. Anonymous

    My Hosting service automatically adds mydomainname at the end of the name field like

    protonmail._domainkey.mydomainname
    NOT
    protonmail._domainkey

    What should I do?

  17. ProtonMail Support

    protonmail._domainkey.mydomainname should also work and it should be properly detected by ProtonMail. If you need further assistance, please contact our support team at contact@protonmail.ch, support@protonmail.ch, via the report bug button or using the support form at https://protonmail.com/support-form.
