To use custom domains within ProtonMail, you must have control of the domain’s Domain Name System (DNS) records. DNS records are basically public information about your domain that other web servers look up to see how to communicate with your domain. Typically, you can change your DNS records (or DNS Zone File) on your domain registrar’s website or wherever you host your name servers. For example, let’s say we bought funoccupied.com through the registrar namecheap.com. We can then go to namecheap.com’s Domain List -> funoccupied.com -> Advanced DNS and edit DNS records there. The process is similar for other registrars. Below you can see where to update the DNS for namecheap.com.
Once a DNS change has been made, DNS lookups by other web servers will find the new records. However, this change may take some time to propagate, since the old DNS records can still be cached across the Internet. The Time to Live (TTL) setting controls how long DNS records are cached, and we suggest setting it to a low number (1 hour or less) if possible during setup. Some domain registrars do not allow setting such a low number; you can search for your domain registrar and “TTL” to learn more about their restrictions.
To get started, please navigate to the Add Custom Domain button under the Domains tab within the Settings.
Note: If your DNS does not allow you to add “@” as the hostname, please try leaving this field blank when you enter the ProtonMail verification information.
The first thing we have to do after adding a custom domain name is to show ProtonMail that you control this domain. This is done by adding a TXT record with a unique code that ProtonMail has generated for your domain. ProtonMail servers will then look up all the TXT records for your domain and see if any matches the verify code. If we find a match, then verification succeeds and you are allowed to move on to the other steps.
An example of a Verify TXT record:
In Settings -> Domains, click on the Verification button next to your custom domain name to enter the setup wizard and find the unique verification code. After you have added this TXT record* to your DNS, wait a few minutes, then click Verify to trigger a DNS check by our servers. If it succeeded, you can now move on to the next steps. If it did not succeed, do not worry; it is possible that our servers are still reading old cached DNS records. Wait an hour and come back to the same page to see if it succeeded; this can take up to a day depending on your TTL setting. If it still doesn’t succeed and you have double-checked that your DNS matches the code in the setup wizard, please contact our customer support for assistance.
* Please note: some hosting providers do not provide a field for the “Host/Name.” If this is the case, please provide all other information and ignore the “Host/Name” in the Verify step.
After the first verification, our servers will periodically check your domain’s DNS records and update the status of your domain. It is important you keep the right verification code in your DNS and quickly fix any DNS issues that come up. After your domain is all set up, if we detect missing DNS records, such as the verify record, we will warn you for a week before disabling your domain and its addresses.
After this, you will be asked what encryption strength you want to use for the keys that will be generated for your account. The default is High Security (2048-bit), and you can choose the Highest Security (4096-bit). Once you have chosen the encryption level, click on the Generate Keys button:
The mail exchanger (MX) record is vital for email operation: it tells the Internet which server(s) should receive your domain’s email. If your domain is currently active and receiving email, we recommend you add all used email addresses before switching the MX record to ProtonMail. This is to avoid disruption to your email delivery, because ProtonMail will only accept mail for addresses that you have added.
Note: If you have MX records for multiple services, the email will be delivered to the service with the highest priority (lowest value).
The MX record to add is:
The hostname mail.protonmail.ch points to ProtonMail’s mail servers, so once you have made this change, you are telling the Internet to send email for your domain to ProtonMail. If you have other MX records, you should either delete them or make sure the priority of mail.protonmail.ch is a smaller number (higher priority) than the other MX records. This is because mail servers will try the MX record with the smallest priority number first and, if that fails, try the next smallest.
Again, it may take up to a day for MX changes to propagate and email may still go to your old MX during this transition. Once we detect your domain’s top MX record is pointing to ProtonMail, the MX button in Settings -> Domains will turn green.
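The verify TXT check and the MX priority rule described above can be audited from saved `dig +short TXT` and `dig +short MX` output. The following is an added example, not ProtonMail code: the verification code, the old provider hostname and the sample records are constructed placeholders, and it assumes the TXT value is exactly the code shown in the setup wizard. It goes slightly beyond the page by also flagging another MX that ties with mail.protonmail.ch on priority, since a sending server may then pick either host.

```python
# Added example (not ProtonMail code): audit saved `dig +short` output.
PROTON_MX = "mail.protonmail.ch"  # MX target named on this page

def parse_txt(dig_output):
    """TXT values from `dig +short TXT <domain>`; quoted chunks are joined."""
    values = []
    for line in dig_output.splitlines():
        if line.strip():
            values.append("".join(line.split('"')[1::2]))
    return values

def parse_mx(dig_output):
    """Sorted (preference, host) pairs from `dig +short MX <domain>`."""
    records = []
    for line in dig_output.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0].isdigit():
            records.append((int(fields[0]), fields[1].rstrip(".").lower()))
    return sorted(records)

def audit(verify_code, txt_output, mx_output):
    """Return a list of problems; an empty list means both steps look right."""
    findings = []
    if verify_code not in parse_txt(txt_output):
        findings.append("verify TXT record missing or different from the wizard code")
    mx = parse_mx(mx_output)
    if not mx:
        return findings + ["no MX records found"]
    best = mx[0][0]  # smallest number = highest priority
    top = [host for pref, host in mx if pref == best]
    if PROTON_MX not in top:
        findings.append(f"top MX is {top[0]} (priority {best}), not {PROTON_MX}")
    elif len(top) > 1:
        findings.append(f"{len(top) - 1} other MX shares priority {best} with {PROTON_MX}")
    return findings

# Constructed sample data: placeholder code and a made-up old provider.
CODE = "EXAMPLE-VERIFY-CODE-0000"
TXT = '"unrelated-token=abc"\n"EXAMPLE-VERIFY-CODE-0000"\n'
MX_OK = "20 mx.oldprovider.example.\n10 mail.protonmail.ch.\n"
MX_STALE = "5 mx.oldprovider.example.\n10 mail.protonmail.ch.\n"
MX_TIED = "10 mx.oldprovider.example.\n10 mail.protonmail.ch.\n"

if __name__ == "__main__":
    for name, mx in (("ok", MX_OK), ("stale", MX_STALE), ("tied", MX_TIED)):
        print(name, audit(CODE, TXT, mx))
```

Because of caching, run the queries again after the TTL has expired before treating a finding as a misconfiguration.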
Now that you have finished all the required steps for custom domain setup, we can explore Anti-spoofing for Custom Domains (SPF, DKIM & DMARC). These are widely adopted methods that protect your email delivery and prevent email spoofing. Learn more here.