DKIM for Proton Mail: Custom Domain Setup Guide
How to set up DKIM for Proton Mail with a custom domain. Step-by-step guide covering DKIM key configuration, DNS records, and verification.
Last updated: 2026-04-21
This guide is part of our Email Providers series.
If you use Proton Mail with a custom domain, setting up DKIM is one of the most important things you can do for email deliverability. Without it, emails sent from your domain are more likely to end up in spam folders or get rejected entirely by providers like Gmail and Outlook.
The good news: Proton Mail handles most of the heavy lifting. You just need to add a few DNS records and verify them. This guide walks you through the entire process.
Why DKIM Matters for Your Custom Domain
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email you send. Receiving mail servers use that signature to confirm the message actually came from your domain and wasn't tampered with in transit.
Without DKIM enabled on your Proton Mail custom domain, you risk:
- Emails landing in recipients' spam folders
- Messages being silently rejected by major providers
- Failing DMARC policy checks if you have a DMARC record
- Clients and contacts questioning whether your emails are legitimate
Proton Mail generates DKIM keys automatically when you add a custom domain. Unlike self-hosted setups, you don't need to create your own key pair - Proton manages signing for you once the DNS records are in place.
What You Need Before You Start
Before configuring DKIM, make sure you have:
- A paid Proton Mail plan (Mail Plus, Proton Unlimited, or Business) - custom domains aren't available on the free plan
- Access to your domain's DNS settings through your domain registrar or DNS provider (e.g., Cloudflare, Namecheap, GoDaddy)
- Your custom domain already added in Proton Mail (or ready to add)
Setting Up DKIM for Proton Mail
Open custom domain settings in Proton Mail
Log in to your Proton Mail account and navigate to Settings > All settings > Proton Mail > Custom domains. If you haven't added your domain yet, click Add domain and enter your domain name. Proton will walk you through domain verification first.
Locate the DKIM records
Once your domain is added and verified, Proton displays three CNAME records for DKIM. These use the selectors protonmail, protonmail2, and protonmail3. Each record has a Host/Name value and a Value/Target value you'll need to copy.
Add the CNAME records to your DNS
Log in to your DNS provider and create three new CNAME records. For each one, paste the Host and Value exactly as Proton provides them. Be careful with trailing dots and formatting - different DNS providers handle these slightly differently.
Wait for DNS propagation
DNS changes can take anywhere from a few minutes to 48 hours to propagate, though most updates are visible within an hour or two. You can check propagation status using a DNS lookup tool.
Verify in Proton Mail
Return to the custom domain setup wizard in Proton Mail and click the verify or check button for DKIM. Once Proton confirms all three records are detected, DKIM signing is automatically enabled for your domain.
Need to verify your DKIM setup?
Use DKIM Creator to look up and validate the DKIM records on your domain after configuration.
Understanding Proton Mail's DKIM Records
Proton Mail uses a setup that differs from most other email providers. Here's what makes it distinct:
| Detail | Proton Mail DKIM |
|---|---|
| Record type | CNAME (not TXT) |
| Number of records | 3 records required |
| Selectors | `protonmail`, `protonmail2`, `protonmail3` |
| Key management | Fully managed by Proton |
| Key rotation | Handled automatically via CNAME |
| Signing | Automatic once DNS is verified |
The reason Proton uses CNAME records instead of TXT records is key rotation. With CNAME records pointing to Proton's servers, Proton can rotate your DKIM keys automatically without you ever needing to update your DNS again. Three selectors provide redundancy - if one key is being rotated, the others continue signing your mail.
Common Issues and How to Fix Them
DKIM verification fails in Proton Mail
The most common cause is incorrect DNS formatting. Some DNS providers automatically append your domain to the host field. If Proton gives you protonmail._domainkey.yourdomain.com, you may only need to enter protonmail._domainkey as the host - your DNS provider adds the domain portion. Check your provider's documentation or look at how existing records are displayed.
Records added but Proton still shows "Pending"
DNS propagation takes time. Wait at least one to two hours before troubleshooting. If records still aren't detected after 24 hours, double-check that you created CNAME records (not TXT records) and that the values match exactly what Proton provided.
DKIM passing for Proton but failing for other senders
If you also send email through other services (marketing tools, CRM systems, transactional email providers), each service needs its own DKIM configuration. Proton's DKIM records only cover mail sent through Proton Mail itself.
Don't delete or modify the Proton DKIM CNAME records after setup. Removing them will break DKIM signing for all emails sent through Proton Mail on your custom domain.
Completing Your Email Authentication
DKIM is one piece of a three-part email authentication system. For the best deliverability with your Proton Mail custom domain, you should also configure:
- SPF (Sender Policy Framework) - Proton provides an SPF TXT record during domain setup. This tells receiving servers which mail servers are authorized to send on behalf of your domain.
- DMARC (Domain-based Message Authentication, Reporting & Conformance) - A DMARC record ties SPF and DKIM together with a policy that tells receivers what to do when checks fail. Start with a monitoring policy (
p=none) and tighten it over time.
Proton Mail's domain setup wizard guides you through all three. Complete each step for the strongest possible email authentication.
Verifying Everything Works
After Proton confirms your DKIM records, send a test email to a Gmail or Outlook address. Open the message, then:
- In Gmail: Click the three dots menu > "Show original" and look for
dkim=pass - In Outlook: View the message headers and search for
dkim=pass
If you see dkim=pass alongside the Proton selector, your setup is working correctly.
Related Articles
References
- RFC 6376 — DomainKeys Identified Mail (DKIM) Signatures
- Proton Mail official documentation — Custom domain DKIM configuration
Using Proton Mail with a custom domain? Make sure your DKIM records are properly configured so every message reaches the inbox.
Verify your Proton Mail DKIM setup
Look up your domain's DKIM records to confirm everything is configured correctly.
Check DKIM Records