While there are great benefits to email’s open and decentralized nature, this freedom also makes email easy to abuse. For example, any server connected to the internet can send an email to your friend pretending to be from you, an attack known as email spoofing.

We strongly recommend that everyone who uses a custom domain with Proton Mail set up SPF, DKIM, and DMARC to ensure your emails are properly delivered.

Read on to see how we can protect your custom domain from these kinds of attacks.

SPF

The Sender Policy Framework (SPF) record basically tells the world which hosts or IPs are allowed to send email for your domain. When email servers receive an email that claims to be from your domain, they can look up your SPF record to see if the sending server is included.

While not required, we strongly recommend that you set up an SPF record that includes Proton Mail.

This will not only make your email seem more legitimate and thus less likely to be sent to spam folders, but it will also help protect your domain from attackers who send emails with forged headers pretending to be from you.

In your browser, log in to your Proton Mail account and go to Settings → All settings → Organization → Domain names → Actions column → Review button next to the domain you want to add an SPF record for.

Select the SPF tab. This shows the recommended SPF record to add to your registrar’s domain management portal. You can click on the small icon to the left of the entry to Copy it to your system’s clipboard.

The “include:_spf.protonmail.ch” part of the record means that you allow Proton Mail servers to send on behalf of your domain. If you want to keep an existing SPF record, simply add the “include:_spf.protonmail.ch” text string to your existing record, to the right of the “v=spf1”. The “mx” mechanism also authorizes the hosts listed in your domain’s MX records.

The “~all” part means that if the email is sent from any servers not included in the text string, it will be treated as a SoftFail. This means that the receiving mail server will accept the email delivery but will mark it as SPF failed. The alternative is to use the “-all” (HardFail) parameter.

This will cause the email to be rejected, which can cause delivery problems for legitimate emails. For example, SPF often fails during email forwarding, where you send to address A, which automatically forwards to address B: the forwarding server is not listed in your SPF record, so the final receiver sees a failure.

Once we detect that your domain’s SPF record includes Proton Mail, the SPF tab will show a green tick icon.
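To make the mechanisms and qualifiers above concrete, here is an added example (not Proton’s code, and not a substitute for a real SPF library) that evaluates a record such as “v=spf1 include:_spf.protonmail.ch mx ~all” against a sending IP. It uses a constructed in-memory DNS zone in place of real lookups; all hostnames and IP ranges in it are made up for illustration.

```python
import ipaddress

# Constructed DNS zone standing in for real TXT, MX and A lookups.
# The _spf.protonmail.ch contents and all IPs here are invented for the example.
ZONE = {
    "txt": {
        "example.com": "v=spf1 include:_spf.protonmail.ch mx ~all",
        "strict.example.com": "v=spf1 include:_spf.protonmail.ch -all",
        "_spf.protonmail.ch": "v=spf1 ip4:203.0.113.0/24 -all",
    },
    "mx": {"example.com": ["mail.example.com"]},
    "a": {"mail.example.com": ["198.51.100.10"]},
}

# Qualifier prefix -> SPF result when the mechanism it precedes matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, zone=ZONE, depth=0):
    """Return the SPF result for sender_ip claiming to send mail as domain."""
    if depth > 10:                       # guard against include loops
        return "permerror"
    record = zone["txt"].get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"                    # no SPF policy published
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:      # skip the "v=spf1" version tag
        qual = "+"                       # mechanisms default to "pass"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":                # catch-all: ~all softfail, -all hardfail
            return QUALIFIERS[qual]
        if mech == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
        if mech == "mx":                 # authorizes the domain's MX hosts
            hosts = zone["mx"].get(arg or domain, [])
            if any(str(ip) in zone["a"].get(h, []) for h in hosts):
                return QUALIFIERS[qual]
        if mech == "include":            # matches only if the included record passes
            if check_spf(arg, sender_ip, zone, depth + 1) == "pass":
                return QUALIFIERS[qual]
    return "neutral"                     # nothing matched and no "all" term
```

A forwarding host whose IP appears in neither record gets “softfail” under “~all” but “fail” under “-all”, which is the delivery difference the text describes.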

DKIM

Domain Keys Identified Mail (DKIM) is a method of email authentication that cryptographically verifies if an email was sent by trusted servers and has not been tampered with.

Basically, when a server sends an email using your domain, it calculates a hash of the email contents, signs that hash with a private key (that only trusted servers know), and adds the result to the email headers as a DKIM signature.

The receiving server verifies the email contents by looking up the corresponding public key in your domain’s DNS records, using it to recover the signed hash from the DKIM signature, and calculating a new hash of the email contents it received. It then compares the recovered hash to the new hash. If they match, the email has not been tampered with, and DKIM passes. Otherwise, DKIM fails, and the email is treated with suspicion.

Learn more about DKIM management

We use CNAME records to manage automatic DKIM key rotation, which is an accepted security best practice. We ask you to add and keep three CNAME records. This ensures there is always an active key used to provide an uninterrupted service while the other keys are automatically retired and recreated on a regular basis for improved security.