DNS Records for custom domains (Verify & MX Record)

To use custom domains with ProtonMail, you must have control of the domain’s Domain Name System (DNS) records. DNS records are public information about your domain that other servers look up to learn how to communicate with it. Typically, you change your DNS records (or DNS zone file) on your domain registrar’s website or wherever you host your name servers. For example, let’s say we bought funoccupied.com through the registrar namecheap.com. We can then go to namecheap.com’s Domain List -> funoccupied.com -> Advanced DNS and edit the DNS records there. The process is similar for other registrars. Below you can see where to update the DNS for namecheap.com.

Update DNS on namecheap.com

Once a DNS change has been made, DNS lookups by other servers will find the new records. However, the change may take some time to propagate, since the old DNS records can still be cached across the Internet. The Time to Live (TTL) setting controls how long DNS records are cached, and we suggest setting it to a low value (1 hour or less) during setup if possible. Some domain registrars do not allow setting such a low value; search for your domain registrar’s name together with “TTL” to learn more about its restrictions.

To get started, please navigate to the Add Custom Domain button under the Domains tab within the Settings.

Add custom domain

Add a custom domain screen

Enter your Login password
Modify the DNS settings on your registrar

Note: If your DNS does not allow you to add “@” as the hostname, please try leaving this field blank when you enter the ProtonMail verification information.

Verify

The first thing you have to do after adding a custom domain name is to show ProtonMail that you control this domain. This is done by adding a TXT record containing a unique code that ProtonMail has generated for your domain. ProtonMail’s servers will then look up all the TXT records for your domain and check whether any of them matches the verification code. If we find a match, verification succeeds and you can move on to the other steps.

Verify Custom Domains

An example of a Verify TXT record:

Enter the verification code on your registrar

In Settings -> Domains, click the Verification button next to your custom domain name to enter the setup wizard and find the unique verification code. After you have added this TXT record* to your DNS, wait a few minutes, then click Verify to trigger a DNS check by our servers. If it succeeds, you can move on to the next steps. If it does not succeed, do not worry; it is possible that our servers are still reading old cached DNS records. Wait an hour and come back to the same page to see whether it has succeeded; this can take up to a day depending on your TTL setting. If it still does not succeed and you have double-checked that the record in your DNS matches the code in the setup wizard, please contact our customer support for assistance.

* Please note: some hosting providers do not provide a field for the “Host/Name”; if this is the case, provide all the other information and ignore the “Host/Name” in the Verify step.

After the first verification, our servers will periodically check your domain’s DNS records and update the status of your domain. It is important you keep the right verification code in your DNS and quickly fix any DNS issues that come up. After your domain is all set up, if we detect missing DNS records, such as the verify record, we will warn you for a week before disabling your domain and its addresses.

Add custom domain addresses

Next, you will be asked which key strength to use for the encryption keys that will be generated for the new addresses. The default is High Security (2048-bit); you can also choose Highest Security (4096-bit). Once you have chosen the encryption level, click the Generate Keys button:

Choose the encryption for the added addresses

Generating the custom domain address keys

MX Record

The mail exchanger (MX) record is vital for email operation: it tells the Internet which server(s) should receive your domain’s email. If your domain is currently active and receiving email, we recommend that you add all the email addresses in use before switching your MX record to ProtonMail. This avoids disruption to your email delivery, because ProtonMail will only accept mail for addresses that you have added.

MX record screen

The MX record to add is:

Modify the MX records on your domain

The host mail.protonmail.ch points to ProtonMail’s mail servers, so once you have made this change, you are telling the Internet to send email for your domain to ProtonMail. If you have other MX records, you should either delete them or make sure that mail.protonmail.ch’s priority value is a smaller number (meaning higher priority) than those of the other MX records. Sending mail servers try the MX with the smallest priority value first and, if that delivery fails, move on to the next smallest.

Again, it may take up to a day for MX changes to propagate and email may still go to your old MX during this transition. Once we detect your domain’s top MX record is pointing to ProtonMail, the MX button in Settings -> Domains will turn green.
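As an added example (not ProtonMail’s own code), the following script applies the checks described in the Verify and MX Record sections to a zone file written in BIND-style syntax, normalising the “@”, bare-label and trailing-dot forms that different registrars use. The domain, hostnames and verification code in the sample zone are constructed placeholders.

```python
import re
PROTON_MX = "mail.protonmail.ch"  # the MX host the article tells you to add
# split on ';' only when it is outside double quotes, so TXT values like "v=DKIM1; k=rsa" survive
_COMMENT = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')

def fqdn(name, origin):
    """Normalise '@', '', a relative label or a BIND-style 'name.' to a lowercase FQDN without the dot."""
    name, origin = name.strip().lower(), origin.strip().lower().rstrip(".")
    if name in ("", "@"):
        return origin
    return name.rstrip(".") if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Parse 'name [ttl] [IN] TYPE rdata' lines: a subset of BIND zone syntax covering the records on this page."""
    records = []
    for raw in text.splitlines():
        line = _COMMENT.split(raw, 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        name = parts.pop(0)
        ttl = int(parts.pop(0)) if parts and parts[0].isdigit() else None
        if parts and parts[0].upper() == "IN":
            parts.pop(0)
        records.append((fqdn(name, origin), ttl, parts.pop(0).upper(), " ".join(parts)))
    return records

def check_domain(zone_text, domain, verify_code):
    """Mirror the article's checks: an apex TXT equals the verify code, the lowest-preference MX is ProtonMail, and list any other MX hosts left behind."""
    domain = domain.lower().rstrip(".")
    apex = [r for r in parse_zone(zone_text, domain) if r[0] == domain]
    txt_values = [rdata.strip().strip('"\u201c\u201d') for _, _, t, rdata in apex if t == "TXT"]
    mx = []
    for _, _, rtype, rdata in apex:
        if rtype == "MX":
            pref, host = rdata.split(None, 1)
            mx.append((int(pref), host.strip().lower().rstrip(".")))
    mx.sort()  # sending servers try the smallest preference value first
    return {
        "verified": verify_code in txt_values,
        "mx_ok": bool(mx) and mx[0][1] == PROTON_MX,
        "other_mx": [host for _, host in mx if host != PROTON_MX],
    }

# Constructed sample zone in BIND-style syntax; the verification code is a placeholder, not a real one
SAMPLE_ZONE = """
@              600   IN TXT  "VERIFY-CODE-PLACEHOLDER"   ; ProtonMail verify record
example.com.   600   IN MX   10 mail.protonmail.ch.
@              3600  IN MX   20 mail.oldhost.example.   ; leftover from the previous provider
"""
```

A non-empty `other_mx` list is the situation the comments below warn about: mail can still reach the leftover host, so it should normally be removed rather than merely given a larger preference value.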

Now that you have finished all the required steps for custom domain setup, we can explore Anti-spoofing for Custom Domains (SPF, DKIM & DMARC). These are widely adopted methods that protect your email delivery and prevent email spoofing. Learn more here.


18 comments

  1. Frederic De Mees

    You say: make sure mail.protonmail.ch‘s priority is a smaller number (higher priority) than the other MX records
    This is not correct. Other MX *must* be removed, otherwise some deliveries will still occur to the backup MX. The backup MX will deliver mail to the old mailboxes or reject mail. Both options are bad.
    Some mass mailings do not respect the priorities.
    In case of a network outage (ddos ?) targeting Protonmail all e-mail would also be misdirected instead of queued at the senders server.

  2. ProtonMail Support

    This may happen with some of the registrars. We recommend having only the ProtonMail MX record, but if you leave the other record, ProtonMail must have the highest priority.

  3. David M

    Shouldn’t it be mail.protonmail.ch. (with a final dot)?
    My registrar (gandi.net) requires it.

  4. JohnnyG

    is it possible to have a custom domain mirror another domain?
    for example: I want mydomain2.com to be a mirror of mydomain1.com
    or do I have to setup 2 domains separately?

  5. John Smith

    Fantastic. It wasn’t very easy to understand since I had to edit what looked like a simple txt file on a webpage. For those in the same situation, the format should be:

    yourdomainname MX 10 protonmail.ch.
    protonmail._domainkey.yourdomainname 28800(not sure about the number but it showed this way) TXT “v=DKIM1; k=rsa; p=yourgeneratedkey”

    _dmarc.yourdomainname 28800 TXT “v=DMARC1; p=none; rua=mailto:yourmail”

    Do not forget the ” “, normally it should warn you because of a wrong syntax.

  6. Francisco Abreu

    My registrar only accepts MX records pointing to mail.protonmail.ch. (with a period at the end). I have included that but ProtonMail is not recognizing it. Please advise.

  7. ProtonMail Support

    Please contact us on contact@protonmail.ch or via the Report bug button.

  8. Michel

    I’m unable to create a custom record for “@”. My ISP forces me to use my domain name followed by a dot. What should I do?

  9. ProtonMail Support

    You can use the domain name instead of @. For more information please contact us on contact@protonmail.ch or via the Report bug button.

  10. alex

    I get the following. My DNS allows TXT | Host | Content | blank text field |

    I enter in TXT | @ | copy paste | 10 (assuming TTL) |

    I get error

    Domain record name needs to end with the domain name string.

  11. ProtonMail Support

    Please contact us on contact@protonmail.ch or via the Report bug button.

  12. Anonymous

    Great, but how do I add the code to my DNS? This is prolly a very noob question, since clearly you assume that anyone doing this is well aware of how to do it… how about consider us who actually don’t.

  13. ProtonMail Support

    Can you please contact us at contact@protonmail.com if you are still experiencing this issue?

  14. Anonymous

    Some registrars use the BIND format for zone files in DNS thus requiring a “dot” at the end.

  15. ProtonMail Support

    Hi,
    Do you have trouble setting up your domain? If so, please contact us at contact@protonmail.com.

  16. Atheoz

    Sending to/from my email on my own domain works just fine, it’s just ProtonMail that says MX and SPF isn’t set up properly. Which is weird…

  17. ProtonMail Support

    Sorry to hear that. Can you please send all the details to contact@protonmail.com?

  18. stie

    Hi. The recommendation to set the TTL to 1 hour or less could lead to a potential security issue, in the event that one’s registrar account gets compromised, as it happened to someone using godaddy + paypal without him being at fault (see https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd#.e75z9ooq3): should it happen, he would have only one hour or less to react, which is not enough in some circumstances, as was the case with this example of things turning bad. Therefore, I would recommend to eventually set it TEMPORARILY to one hour or less during setup in order to speed it up and reset it afterwards to a safer – meaning larger – TTL value.
