proton.me

Authentication

DNSSEC

DNSSEC provides a way to ensure that the DNS answers a client is receiving from a DNS resolver are correct and have not been tampered with. DNSSEC must be configured at the domain's registrar and nameservers.

Learn more about DNSSEC.

DNSSEC is enabled on this domain.

SPF

Sender Policy Framework (SPF) authenticates email by checking the sending email server IP address against a list of domains provided by the SPF record of the envelope from domain. The SPF record can include other records, with up to 10 DNS lookups.

Learn more about SPF.

This domain has a valid SPF record.

Record: v=spf1 include:_spf.protonmail.ch ~all
all: softfail

DNS Lookups

DNS lookups used: 2/10
Void lookups: 0/2

SPF mechanisms that require DNS lookups
Mechanism	Lookups
include:_spf.protonmail.ch	2

DMARC

Domain-based Message Authentication, Reporting, and Conformance (DMARC) ensures that the SPF and DKIM authentication mechanisms actually authenticate against the same base domain that the end user sees.

Learn more about DMARC.

This domain has a quarantine DMARC policy.

Record: v=DMARC1; p=quarantine; fo=1; aspf=s; adkim=s;
Location: proton.me

DMARC record tag values
Tag	Value
p	quarantine
fo	1
aspf	s
adkim	s

BIMI

Brand Indicators for Message Identification (BIMI) is an emerging email specification that allows brand images such as logos to appear in the inbox and/or next to the from address in supporting mailbox providers.

Learn more about BIMI.

The domain owner has explicitly declined BIMI participation.

Record: v=BIMI1; l=; a=;
Location: proton.me

BIMI record tag values
Tag	Value
l
a

Email Infrastructure

Mail servers

Preference	10
Hostname	mail.protonmail.ch
Addresses	176.119.200.128 185.205.70.128 185.70.42.128
DNSSEC	True
TLSA	True

Certificates are pinned using DANE.

Preference	20
Hostname	mailsec.protonmail.ch
Addresses	176.119.200.129 185.205.70.129 185.70.42.129
DNSSEC	True
TLSA	True

Certificates are pinned using DANE.

MTA-STS

SMTP MTA Strict Transport Security (MTA-STS) provides a way for domain owners to tell email services that they should only send email to the domain over a verified TLS connection to specific email servers. This prevents man-in-the-middle attacks when the sending email server supports it.

Learn more about MTA-STS.

This domain has an enforce MTA-STS policy.

MTA-STS configuration
id	190906205100Z
mode	enforce
max age	604800
mx	mail.protonmail.ch mailsec.protonmail.ch

TLSRPT

SMTP TLS Reporting (TLSRPT) is a mechanism for sending email servers to provide statistics to domain owners about failures to establish TLS connections for SMTP. This allows domain owners to proactively identify TLS misconfigurations and man-in-the-middle attacks.

Learn more about TLSRPT.

This domain has a valid TLSRPT record.

SMTP TLS reporting tags
Tag	Value
rua	https://reports.proton.me/reports/smtptls

DNS Infrastructure

SOA

Record: ns1.proton.me. support.proton.me. 2025101827 1200 144 1814400 7200

SOA record values
Primary nameserver	ns1.proton.me
Rname email address	[email protected]
Serial	2025101827
Refresh	1200
Retry	144
Expire	1814400
Minimum	7200

Nameservers

ns1.proton.me
ns2.proton.me
ns3.proton.me