How to Set Up DMARC for Proton Mail: Custom Domain Configuration Guide
Configure DMARC for Proton Mail custom domains with proper SPF and DKIM alignment. Covers domain setup, DNS records, and troubleshooting.
Last updated: 2026-05-03
Proton Mail has built its reputation on privacy and security, making it a natural fit for users who care about protecting their email. If you use Proton Mail with a custom domain, setting up DMARC is the logical next step — it prevents others from spoofing your domain and gives you visibility into how your email is being authenticated across the internet.
This guide walks through DMARC configuration specifically for Proton Mail custom domain users, covering how SPF and DKIM alignment works with Proton's infrastructure and what you need to know to get it right.
How Proton Mail Handles Email Authentication
Proton Mail supports custom domains on paid plans, including Mail Plus, Proton Unlimited, and Proton for Business. When you add a custom domain to Proton Mail, the setup wizard walks you through configuring MX, SPF, DKIM, and DMARC records. Understanding how each of these works is important for getting DMARC alignment right.
SPF with Proton Mail
When you set up a custom domain, Proton provides an SPF record to publish in your DNS:
v=spf1 include:_spf.protonmail.ch ~all
This tells receiving mail servers that Proton's infrastructure is authorized to send email on behalf of your domain. You can build a complete SPF record that includes Proton and any other services at spfcreator.com.
However, there is an important nuance. Proton Mail does not use a custom Return-Path (envelope sender) for your domain by default. The Return-Path may still reference a Proton Mail address rather than your custom domain. Since SPF checks evaluate the Return-Path domain, this means SPF alignment with your From domain is not guaranteed.
DKIM with Proton Mail
Proton Mail generates three DKIM CNAME records for each custom domain:
protonmail._domainkey.yourdomain.com
protonmail2._domainkey.yourdomain.com
protonmail3._domainkey.yourdomain.com
Each CNAME points to Proton's DKIM key infrastructure. When you publish these records, Proton signs your outgoing messages with DKIM using your custom domain. Since the DKIM signing domain matches your From domain, DKIM alignment passes reliably.
DKIM is the primary path to DMARC compliance with Proton Mail. Because Proton does not set a custom Return-Path for your domain, you should rely on DKIM alignment rather than SPF alignment for DMARC to pass.
MX Records
Proton Mail requires you to point your domain's MX records to their mail servers. This ensures incoming email for your custom domain is routed to Proton's infrastructure. While MX records do not directly affect DMARC, they are a prerequisite for the entire custom domain setup.
Understanding DMARC Alignment with Proton Mail
DMARC requires that at least one of SPF or DKIM aligns with the domain in the visible From header. For a detailed comparison of how these protocols work together, see SPF vs DKIM vs DMARC.
With Proton Mail, the alignment picture looks like this:
DKIM alignment is strong and reliable. Proton signs messages with your domain, so the DKIM signature domain matches your From address. This works under both relaxed and strict alignment modes. DKIM also survives email forwarding, making it the more resilient mechanism.
SPF alignment is less dependable. Because Proton's default envelope sender may not match your custom domain, SPF can pass (the Proton include covers their sending IPs) without actually aligning to your From domain. Under relaxed alignment, this may still work if the Return-Path shares your root domain, but it is not something to count on.
For Proton Mail users, DKIM is your anchor for DMARC compliance. Make sure all three DKIM CNAME records are published and verified before moving to any enforcement policy.
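The alignment rules above, worked through as an added example (not Proton's code or part of the original guide). The suffix set is a constructed stand-in for the Public Suffix List, and bounces.mailprovider.example is a placeholder envelope domain, not Proton's real one.

```python
# Constructed stand-in for the Public Suffix List (assumption: real code loads the full list).
PUBLIC_SUFFIXES = {"com", "ch", "org", "net", "co.uk"}


def org_domain(domain):
    """Organizational domain: the public suffix plus one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest suffix first, so "co.uk" beats "uk"
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels


def aligned(auth_domain, from_domain, mode):
    """mode 'r' (relaxed) compares organizational domains, 's' (strict) exact names."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_eval(from_domain, spf, dkim_sigs, adkim="r", aspf="r"):
    """spf is (result, return_path_domain); dkim_sigs is a list of (result, d_domain)."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim)
                  for res, d in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


# Constructed scenarios; the bounce domain is a placeholder, not Proton's real one.
SCENARIOS = {
    "dkim carries it": ("yourdomain.com", ("pass", "bounces.mailprovider.example"),
                        [("pass", "yourdomain.com")]),
    "dkim record missing": ("yourdomain.com", ("pass", "bounces.mailprovider.example"),
                            [("fail", "yourdomain.com")]),
    "subdomain return-path": ("yourdomain.com", ("pass", "bounce.yourdomain.com"), []),
}

if __name__ == "__main__":
    for name, (frm, spf, sigs) in SCENARIOS.items():
        print(name, dmarc_eval(frm, spf, sigs))
    print("strict SPF:", dmarc_eval(*SCENARIOS["subdomain return-path"], aspf="s"))
```

The second scenario is the one to watch for: SPF still reports pass, yet DMARC fails as soon as the DKIM signature stops verifying.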
Setting Up Your DMARC Record
Once your custom domain is configured in Proton Mail with SPF and DKIM verified, you are ready to add a DMARC record.
Verify your custom domain setup in Proton Mail
In Proton Mail, go to Settings > Go to Settings > Domain names. Select your domain and confirm that SPF, DKIM, and MX records all show as verified. If any are pending, check your DNS and wait for propagation before proceeding.
Generate your DMARC record
Start with a monitoring policy: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100;. This lets you collect aggregate reports and verify that your Proton Mail messages are passing DMARC before you enforce anything.
Add the DMARC record to your DNS
Log in to your DNS provider and create a new TXT record. Set the name to _dmarc (the full hostname will be _dmarc.yourdomain.com) and paste your DMARC record string as the value.
Save and wait for propagation
Save the record and allow time for DNS propagation. This typically takes a few minutes to a couple of hours depending on your DNS provider.
Verify the record
Check your published record at dmarcrecordchecker.com. Confirm the record is valid, shows your chosen policy, and includes your reporting address.
Recommended DMARC Record for Proton Mail Users
For most Proton Mail custom domain users, start with this record:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; adkim=r; aspf=r; pct=100;
The adkim=r and aspf=r tags set relaxed alignment for both DKIM and SPF. While relaxed is the default, including these tags makes your configuration explicit and easier to audit later.
After monitoring with p=none for at least two weeks and confirming that all legitimate messages pass, begin tightening:
Soft enforcement: v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=25;
Full enforcement: v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; pct=100;
For a deeper look at how these policies differ, see our guide on DMARC policy levels.
Troubleshooting Proton Mail DMARC Failures
DKIM Alignment Failing
If DMARC reports show DKIM failures for messages sent through Proton Mail:
- Verify all three DKIM CNAME records are published. Proton requires three separate CNAME records. Missing even one can cause intermittent DKIM failures. Check your DNS for protonmail._domainkey, protonmail2._domainkey, and protonmail3._domainkey. You can verify your DKIM configuration at dkimcreator.com.
- Check for DNS propagation issues. If you recently added or changed the CNAME records, allow up to 48 hours for full propagation.
- Confirm the From address matches your verified domain. If you send from an address on a domain that is not configured in Proton Mail, DKIM alignment will fail.
SPF Passing but Not Aligning
This is common with Proton Mail and is expected behavior. SPF may pass because Proton's sending IPs are covered by the _spf.protonmail.ch include, but alignment fails because the Return-Path domain does not match your From domain. This is why DKIM alignment is essential — it compensates for the SPF alignment gap.
Multiple Sending Services
If you use Proton Mail alongside other email services — a marketing platform, a helpdesk, or transactional email — each service needs its own authentication configured. Your SPF record must include all authorized senders, and each should have DKIM set up for your domain. If you manage your own mail infrastructure as well, see our guide on DMARC for self-hosted email.
Do not move to p=reject until every legitimate sending source passes DMARC. Review your aggregate reports carefully. One misconfigured service can cause important emails to be rejected outright.
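One way to run that review before enforcing, as an added example (not part of the original guide): it reads an aggregate report in the RFC 7489 XML layout and lists every source where neither DKIM nor SPF aligned. The report, IP addresses and the domains ending in .example are constructed, and it assumes un-namespaced elements.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout (not real data).
SAMPLE_REPORT = """<feedback>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>42</count>
   <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results>
   <dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
   <spf><domain>bounces.mailprovider.example</domain><result>pass</result></spf>
  </auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>5</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results>
   <spf><domain>newsletter-tool.example</domain><result>pass</result></spf>
  </auth_results>
 </record>
</feedback>"""


def summarize(xml_text):
    """Count DMARC-passing messages and list sources where nothing aligned."""
    # Reports arrive from third parties: refuse DTDs (entity-expansion tricks).
    if "<!doctype" in xml_text.lower():
        raise ValueError("unexpected DTD in aggregate report")
    total = passed = 0
    failing = {}
    for rec in ET.fromstring(xml_text).iter("record"):
        count = int(rec.findtext("row/count", "0"))
        total += count
        # policy_evaluated holds the *aligned* results, unlike auth_results.
        pe = rec.find("row/policy_evaluated")
        if pe is not None and "pass" in (pe.findtext("dkim"), pe.findtext("spf")):
            passed += count
            continue
        src = failing.setdefault(rec.findtext("row/source_ip"),
                                 {"count": 0, "spf": set(), "dkim": set()})
        src["count"] += count
        src["spf"].update(e.text for e in rec.findall("auth_results/spf/domain"))
        src["dkim"].update(e.text for e in rec.findall("auth_results/dkim/domain"))
    return {"total": total, "passed": passed, "failing": failing}


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

In the sample, the first source passes on DKIM alone even though its SPF domain is unaligned, while the second has a passing SPF check on another domain and no DKIM signature, which is the pattern of a service that still needs DKIM set up for your domain.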
Proton Mail Best Practices for DMARC
Complete the full domain setup before adding DMARC. Proton's domain configuration wizard handles MX, SPF, and DKIM in sequence. Finish all steps and verify each one before publishing your DMARC record. Skipping ahead can lead to false failures in your reports.
Rely on DKIM as your primary alignment mechanism. Given Proton's envelope sender behavior, DKIM is the consistent path to DMARC compliance. Ensure those three CNAME records stay in your DNS through any future migrations or provider changes.
Leverage Proton's privacy-first approach. Proton Mail's commitment to privacy and encryption aligns naturally with DMARC's security goals. By adding DMARC to your domain, you are extending that same commitment to protecting your recipients from spoofed messages that impersonate your identity.
Review reports regularly. DMARC aggregate reports reveal every source sending email as your domain. For privacy-conscious users, this visibility is invaluable — it shows exactly who is using your domain to send mail, whether authorized or not.
Complete your authentication stack
DMARC works alongside SPF and DKIM. Build a comprehensive SPF record at spfcreator.com that includes Proton Mail and any other senders. Verify your DKIM configuration at dkimcreator.com to ensure all signing records are correct.