This article covers the SPF and DKIM authentication processes for ProtonMail and how they are managed in Valimail Enforce. While only one of the two authentication methods is required for an email to pass DMARC, our recommendation is to configure both whenever possible.


Configuring DKIM authentication for your ProtonMail emails

1. In your browser, log in to your Proton Mail account and go to SettingsGo to settings OrganizationDomain namesActions columnReview button next to the domain you want to add a DKIM record for.

2. Select the DKIM tab. Here you will see the three host names and values that you will need to add to your domain’s DNS settings.

Important: If you manage DKIM in Valimail for your domain, you will need to add all the 3 CNAME DKIM keys on your domain's Configuration page in Valimail Enforce.

a screenshot of a computer

3. Once you have added these records, Proton Mail will handle the rest for you. Following current security best practices, we will generate a new 2048-bit key every six months and use it to sign your emails.

The CNAME records you add in Valimail Enforce must be an exact match with the ones shown in your setup wizard. Once we detect these records in your DNS, the DKIM tab will show a green tick icon. We will then notify you and start signing outgoing emails from your custom domain with DKIM, just like we do for other Proton Mail addresses.

You can also find the instructions on how to set up DKIM and SPF for ProtonMail, here.

Add a ProtonMail DKIM key in Enforce

1. Go to your domain's Configuration page in Valimail Enforce and publish the newly created DKIM key.

    a. Scroll down and add the two DKIM keys in your configuration, by clicking on Add a DKIM key

    b. Enter the selector name, CNAME target value, associate the key/s with ProtonMail and then click Add.

a screenshot of a computer

You can find more detailed information on how to add a DKIM key in Valimail Enforce here. 

Configuring SPF authentication for your ProtonMail emails

Once you establish that ProtonMail is an authorized sender for your domain, you will need to add the service in your Enabled Senders list in Enforce.

1. Please go to your domain's Configuration page in Enforce.

2. Click on the + sign from the Enabled Senders section:

a screenshot of a email

3. Choose ProtonMail from the list of configurable senders and then click Enable:

a screenshot of a computer

We encourage you to use the comment section for any useful information about your sending service, such as the name of the service owner, change request ticket numbers, etc.

As always, if you have any questions, please don't hesitate to submit a ticket.