DNS Records for custom domains (Verify & MX Record)

To use custom domains within ProtonMail, you must have control of the domain’s Domain Name System (DNS) records. DNS records are public information about your domain that other servers look up to learn how to communicate with it. Typically, you can change your DNS records (or DNS zone file) on your domain registrar’s website or wherever you host your name servers. For example, let’s say we bought funoccupied.com through the registrar namecheap.com. We can then go to namecheap.com’s Domain List -> funoccupied.com -> Advanced DNS and edit the DNS records there. The process is similar for other registrars. Below you can see where to update the DNS for namecheap.com.

Update DNS on namecheap.com

Once a DNS change has been made, DNS lookups by other servers will find the new records. However, the change may take some time to propagate, since the old DNS records can still be cached across the Internet. The Time to Live (TTL) setting controls how long DNS records are cached, and we suggest setting it to a low number (1 hour or less) if possible during setup. Some domain registrars do not allow such a low value; search for your domain registrar’s name together with “TTL” to learn more about their restrictions.

To get started, please navigate to the Add Custom Domain button under the Domains tab within the Settings.

Add custom domain

Add a custom domain screen

Enter your Login password
Modify the DNS settings on your registrar

 

Note: If your DNS does not allow you to add “@” as the hostname, please try leaving this field blank when you enter the ProtonMail verification information.

Verify

The first thing to do after adding a custom domain name is to show ProtonMail that you control the domain. This is done by adding a TXT record containing a unique code that ProtonMail has generated for your domain. ProtonMail servers then look up all the TXT records for your domain and check whether any of them matches the verification code. If we find a match, verification succeeds and you can move on to the other steps.

Verify Custom Domains

 

An example of a Verify TXT record:

Enter the verification code on your registrar

 

In Settings -> Domains, click on the Verification button next to your custom domain name to enter the setup wizard and find the unique verification code. After you have added this TXT record* to your DNS, wait a few minutes, then click Verify to trigger a DNS check by our servers. If it succeeds, you can move on to the next steps. If it does not succeed, do not worry; it is possible that our servers are still reading old cached DNS records. Wait an hour and come back to the same page to see if it has succeeded; this can take up to a day depending on your TTL setting. If it still doesn’t succeed and you have double-checked that your DNS matches the code in the setup wizard, please contact our customer support for assistance.

* Please note: some hosting providers do not provide a field for the “Host/Name”. If this is the case, please provide all other information and ignore the “Host/Name” in the Verify step.

After the first verification, our servers will periodically check your domain’s DNS records and update the status of your domain. It is important you keep the right verification code in your DNS and quickly fix any DNS issues that come up. After your domain is all set up, if we detect missing DNS records, such as the verify record, we will warn you for a week before disabling your domain and its addresses.

Add custom domain addresses

After this, you will be asked which encryption strength to use for the keys that will be generated for your account. The default is High Security (2048-bit), and you can instead choose Highest Security (4096-bit). Once you have chosen the encryption level, click the Generate Keys button:

Choose the encryption for the added addresses

Generating the custom domain address keys

MX Record

The mail exchanger (MX) record is vital for email operation: it tells the Internet which server(s) should receive your domain’s email. If your domain is currently active and receiving email, we recommend that you add all email addresses in use before switching the MX record to ProtonMail. This avoids disruption to your email delivery, because ProtonMail will only accept mail for addresses that you have added.

MX record screen

The MX record to add is:

Modify the MX records on your domain

 

The hostname mail.protonmail.ch points to ProtonMail’s mail servers, so once you have made this change, you are telling the Internet to send email for your domain to ProtonMail. If you have other MX records, you should either delete them or make sure that the priority of mail.protonmail.ch is a smaller number (higher priority) than that of the other MX records. This is because mail servers try the MX record with the smallest priority number first and, if that fails, try the next smallest.

Again, it may take up to a day for MX changes to propagate and email may still go to your old MX during this transition. Once we detect your domain’s top MX record is pointing to ProtonMail, the MX button in Settings -> Domains will turn green.
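
The two checks described above (a TXT record equal to the verification code, and mail.protonmail.ch as the top MX), written out as an added example that is not ProtonMail's own code. It assumes record lines in the form printed by `dig +short`; the sample records, the old MX host and the verification code are constructed placeholders.

```python
import shlex

PROTON_MX = "mail.protonmail.ch"  # MX target named in this article


def norm_host(name):
    """Lower-case and drop the trailing root dot ('mail.protonmail.ch.')."""
    return name.strip().rstrip(".").lower()


def mx_status(lines):
    """Return (ok, others) for MX lines such as '10 mail.protonmail.ch.'.

    ok is True only when every lowest-preference (tried first) MX is
    ProtonMail; others lists remaining non-ProtonMail MX hosts to review.
    """
    records = sorted((int(p), norm_host(h)) for p, h in (l.split() for l in lines))
    if not records:
        return False, []
    best = records[0][0]
    ok = all(h == PROTON_MX for p, h in records if p == best)
    return ok, [h for _, h in records if h != PROTON_MX]


def txt_has_code(lines, code):
    """True if any TXT record's value equals the verification code.

    Quotes in presentation format are delimiters, and one record may be
    split into several quoted strings that resolvers concatenate.
    """
    return any("".join(shlex.split(line)) == code for line in lines)


# Constructed sample data (not real records or a real verification code).
SAMPLE_CODE = "example-verification-code-0000"
SAMPLE_MX = ["20 mx.old-host.example.", "10 Mail.ProtonMail.ch."]
SAMPLE_TXT = ['"v=spf1 -all"', '"example-verification-" "code-0000"']

if __name__ == "__main__":
    ok, others = mx_status(SAMPLE_MX)
    print("top MX is ProtonMail:", ok, "| other MX hosts:", others)
    print("verification TXT found:", txt_has_code(SAMPLE_TXT, SAMPLE_CODE))
```

In this sketch, a TXT value stored with literal quote characters inside it does not compare equal to the code, and a leftover MX host is reported even when ProtonMail is tried first.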

Now that you have finished all the required steps for custom domain setup, we can explore Anti-spoofing for Custom Domains (SPF, DKIM & DMARC). These are widely adopted methods that protect your email delivery and prevent email spoofing. Learn more here.

 

 


41 comments

  1. Frederic De Mees

    You say: make sure mail.protonmail.ch‘s priority is a smaller number (higher priority) than the other MX records
    This is not correct. Other MX *must* be removed, otherwise some deliveries will still occur to the backup MX. The backup MX will deliver mail to the old mailboxes or reject mail. Both options are bad.
    Some massmailings do not respect the priorities.
    In case of a network outage (ddos ?) targeting Protonmail all e-mail would also be misdirected instead of queued at the sender’s server.

  2. ProtonMail Support

    This may happen with some of the registrars. We recommend to have only ProtonMail MX record, but in case you leave the other record, ProtonMail must have the highest priority.

  3. David M

    Shouldn’t it be mail.protonmail.ch. (with a final dot) ?
    My registrar (gandi.net) requires it.

  4. Anonymous

    Very big thanks for your comment. Helped me solve my MX issue. regards

  5. JohnnyG

    is it possible to have a custom domain mirror another domain?
    for example: I want mydomain2.com to be a mirror of mydomain1.com
    or do I have to setup 2 domains separately?

  6. John Smith

    fantastic, wasn’t very easy to understand since I had to edit what looked like a simple txt file on a webpage. For those in the same situation, format should be :

    yourdomainname MX 10 protonmail.ch.
    protonmail._domainkey.yourdomainname 28800(not sure about the number but it showed this way) TXT “v=DKIM1; k=rsa; p=yourgeneratedkey”

    _dmarc.yourdomainname 28800 TXT “v=DMARC1; p=none; rua=mailto:yourmail

    Do not forget the ” “, normally it should warn you because of a wrong syntax.

  7. Francisco Abreu

    My registrar only accepts MX records pointing to mail.protonmail.ch. (with a period in the end). I have included that but ProtonMail is not recognizing it. Please advise.

  8. ProtonMail Support

    Please contact us on contact@protonmail.ch or via the Report bug button.

  9. Michel

    I’m unable to create a custom record for “@”. My ISP forces me to use my domain name followed by a dot. What should I do?

  10. ProtonMail Support

    You can use the domain name instead of @. For more information please contact us on contact@protonmail.ch or via the Report bug button.

  11. alex

    I get the following. My DNS allows TXT | Host | Content | blank text field |

    I enter in TXT | @ | copy paste | 10 (assuming TTL) |

    I get error

    Domain record name needs to end with the domain name string.

  12. ProtonMail Support

    Please contact us on contact@protonmail.ch or via the Report bug button.

  13. Anonymous

    Great, but how do I add the code to my DNS? This is prolly a very noob question, since clearly you assume that anyone doing this is well aware of how to do it… how about consider us who actually don’t.

  14. ProtonMail Support

    Can you please contact us at contact@protonmail.com if you are still experiencing this issue?

  15. Anonymous

    Some registrars use the BIND format for zone files in DNS thus requiring a “dot” at the end.

  16. ProtonMail Support

    Hi,
    Do you have trouble setting up your domain? If so, please contact us at contact@protonmail.com.

  17. Atheoz

    Sending to/from my email on my own domain works just fine, it’s just ProtonMail that says MX and SPF isn’t set up properly. Which is weird…

  18. ProtonMail Support

    Sorry to hear that. Can you please send all the details to contact@protonmail.com?

  19. stie

    Hi. The recommendation to set the TTL to 1 hour or less could lead to a potential security issue, in the event that one’s registrar account gets compromised, as it happened to someone using godaddy + paypal without him being at fault (see https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd#.e75z9ooq3): should it happen, he would have only one hour or less to react, which is not enough in some circumstances, as was the case with this example of things turning bad. Therefore, I would recommend to eventually set it TEMPORARILY to one hour or less during setup in order to speed it up and reset it afterwards to a safer – meaning larger – TTL value.

  20. Greg Raven

    After the new MX information propagates, you can set the TTL back to whatever you want. Also, some registrars automatically reset TTL to their preferred value(s) after you make your temporary change for the transition.

  21. Valerie Patterson

    I don’t know where or how to enter the txt record? I have gone through the settings on the account page and the settings on my computer. I am really beginning to wonder if this is worth the extra money- as I am growing increasingly frustrated with the lack of actual step by step instructions.

  22. ProtonMail Support

    You can change your DNS records (or DNS Zone File) on your domain registrar’s website.

  23. bt

    I have problem with MX setup – my registrar requires minimum two server names (ex. mail.protonmail.ch and other mail01.protonmail.ch (?)). Otherwise it’s not possible to save MX form…

  24. Bob

    I am not seeing where to paste in the verification code…

  25. ProtonMail Support

    You will need to add the verification code in your domain registrar’s DNS settings. If you need any assistance please contact our support team at contact@protonmail.com or using the support form at https://protonmail.com/support-form.

  26. Serge

    Greetings,
    I don’t know how to fix it. Help me, please 🙁

    More than 1 day has gone by since the time I tried to add a custom domain – pm-ba.pro
    I’ve followed every step of the instructions according to the new domain add option and still have no success 🙁
    Could you please help me to resolve an issue I caught?

    When I’m pressing verify button I get an error alert. Please see it in the screenshot attached.
    It’s extremely important for me to get an access to this domain because my work has stopped without it.
    I would be extremely thankful if you could help me to solve this question ASAP

  27. Proton Editor

    For assistance with your custom domain, please contact us at contact@protonmail.ch, via the report bug button or using the support form at https://protonmail.com/support-form.

  28. Anton

    Greetings,
    why is there no backup server for mx record? I mean something like “20 mailbackup.protonmail.ch”

  29. ProtonMail Support

    If you want to set up a backup MX record, you can use mailsec.protonmail.ch for the server.

  30. Jayadvaita Dasa

    Is valid to make domain .com.br?

  31. ProtonMail Support

    You can add any custom domain to a ProtonMail account as long as you have access to the domain’s DNS settings.

  32. Richard

    For me the article above is unclear as it does not clearly identify what edits / changes are to be made on the domain registrars website, viz
    “We can then go to namecheap.com‘s Domain List -> funoccupied.com -> Advanced DNS and edit DNS records there (see below).” The image ‘below’ this sentence is unreadable to me. Am I supposed to discern the text changes / edits from this figure?
    It is not clear in the text after this if the focus then changes to the settings in Protonmail? For example:
    “To get started, please navigate to the ‘Add Custom Domain’ button under the Domains tab within the (Protonmail???) Settings.”

  33. ProtonMail Support

    The first image shows where you can find the DNS settings if using Namecheap and is just used as an example. It (or any values contained within) should not be used to set up your own domain.
    Once you purchase a domain, you need to add it to your ProtonMail account and then add the newly generated ProtonMail verification code and the MX record to the domain DNS settings. If you are having trouble setting up a custom domain, please contact our support team at https://protonmail.com/support-form.

  34. Joe Bartlett

    When can I remove the verification TXT record?

  35. ProtonMail Support

    The verification TXT record should remain active for the entire time you want your custom domain to be active on your ProtonMail account. Removing the verification TXT record will cause your domain to no longer be verified in ProtonMail.

  36. Douglas Becker

    In adding custom domains, I have an error on MX and SPF and need help.

    In the MX record, the host is my URL instead of the @ and there’s no way to force it? Is this a problem? The MX record itself has:

    Priority: 10
    Destination: mail.protonmail.ch

    just like in the instructions.

    The SPF TXT record also does not allow @ and there was an existing v=spf1, so I made it like this:

    v=spf1 include:_spf.protonmail.ch +a +mx +ip4:104.168.156.109 +ip4:104.168.156.131 ~all

    How can this be fixed?

  37. ProtonMail Support

    If your registrar does not allow @ or leaving the field blank, then your domain name will also work, for example domain.com. For further assistance, please contact our support team using the support form at https://protonmail.com/support-form, via the report bug button or at contact@protonmail.ch and support@protonmail.ch.

  38. bynarie

    Trying to add domain to proton mail via TXT verification… It fails every time… Been trying since last night. Any way to get my BTC back and full refund? This is way too complicated.

  39. ProtonMail Support

    Please contact our support team using the support form at https://protonmail.com/support-form, via the report bug button or at contact@protonmail.ch and support@protonmail.ch.

  40. Tim

    Hi, my Domain Name provider is insisting that the TXT value to be added for domain ownership verification is enclosed in quotes. I have waited 24 hours and it’s not working. Are the quotes an issue, and should it work with an xxx.xxx.name domain?

  41. ProtonMail Support

    Please contact our support team: https://protonmail.com/support-form.
