Proton Mail Business authentication requires SPF (include:_spf.protonmail.ch), DKIM (three CNAME records generated in the Proton admin panel), and DMARC. Proton generates domain-specific DKIM CNAME values during custom domain setup. Proton also supports MTA-STS. All authentication configuration is done through DNS records — Proton handles the signing and alignment automatically.
Email Authentication for ProtonMail Business: Complete Setup
SPF Setup
Add this TXT record:
Type: TXT
Host: @
Value: v=spf1 include:_spf.protonmail.ch ~all
If you send email through other services alongside Proton:
v=spf1 include:_spf.protonmail.ch include:sendgrid.net ~all
DKIM Setup
Proton generates three DKIM CNAME records specific to your domain during custom domain setup:
- Go to Proton Admin → Organization → Domain
- In the DKIM section, Proton displays three CNAME records
Typical format:
Type: CNAME
Host: protonmail._domainkey
Value: protonmail.domainkey.<hash>.domains.proton.ch
Type: CNAME
Host: protonmail2._domainkey
Value: protonmail2.domainkey.<hash>.domains.proton.ch
Type: CNAME
Host: protonmail3._domainkey
Value: protonmail3.domainkey.<hash>.domains.proton.ch
The exact values are unique to your domain — copy them from the admin panel. Like Fastmail, the CNAME approach means Proton handles key rotation without DNS changes.
Practitioner note: Proton's domain verification wizard walks you through every record. It's one of the better setup experiences among email providers. The main issue I see is people adding only one or two of the three DKIM CNAMEs — add all three.
DMARC Setup
Once SPF and DKIM are verified:
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:[email protected]
Follow the DMARC advancement timeline. Proton's authentication aligns properly under default relaxed alignment.
MTA-STS
Proton Mail supports TLS. You can publish an MTA-STS policy:
version: STSv1
mode: enforce
mx: mail.protonmail.ch
mx: mailsec.protonmail.ch
max_age: 604800
Check your current MX records — Proton may assign specific MX hosts for your domain. List them all in the policy.
Verification
Proton's admin panel shows verification status for each DNS record with green checkmarks. Additionally:
- Send a test email to an external address
- View the email headers
- Confirm
spf=pass,dkim=pass, anddmarc=pass
Practitioner note: Proton Mail users often care more about security than average. If that's you, push all the way to DMARC p=reject and add MTA-STS in enforce mode. Proton already encrypts at rest — locking down authentication and transport completes the picture.
Proton Mail vs ProtonMail
The service rebranded from "ProtonMail" to "Proton Mail" in 2022. DNS records still use the protonmail.ch domain. Don't be confused if documentation uses different naming — the technical setup is the same.
For help setting up Proton Mail Business with complete authentication for your organization, schedule a consultation.
Sources
- Proton: Custom Domain Setup
- Proton: SPF Records
- Proton: DKIM Setup
v1.0 · April 2026
Frequently Asked Questions
What SPF record does Proton Mail need?
Add v=spf1 include:_spf.protonmail.ch ~all as a TXT record. This covers all Proton Mail sending infrastructure.
How do I set up DKIM for Proton Mail?
In the Proton admin panel under custom domains, Proton generates three CNAME records (protonmail._domainkey, protonmail2._domainkey, protonmail3._domainkey). Add all three to your DNS and verify in the admin panel.
Does Proton Mail encrypt and authenticate email?
Yes. Proton provides end-to-end encryption for Proton-to-Proton email and standard TLS encryption for external email. SPF, DKIM, and DMARC authentication works independently of Proton's encryption features.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.