Proton Mail + Cloudflare DNS
Mail routing and authentication (MX/SPF/DKIM/DMARC) in Cloudflare authoritative DNS for mtinfrasolutions.com.
Status: Draft
Scope / Objective
- Scope: Cloudflare DNS records required by Proton Mail for a custom domain.
- Objective: Ensure inbound/outbound mail works and authentication passes: SPF, DKIM, DMARC.
- Non-goals: Mailbox provisioning and client configuration inside Proton; website hosting changes.
Dependencies / Preconditions
- Cloudflare zone mtinfrasolutions.com active
- Proton Mail domain setup initiated and provides verification/auth records
- Permissions to edit Cloudflare DNS records
Change plan
- Capture pre-change DNS state (Cloudflare UI + DoH JSON).
- Apply Proton Mail records in Cloudflare DNS (TXT/MX/CNAME).
- Validate external resolution and mail flow; confirm SPF/DKIM/DMARC via headers.
- Capture evidence pack and hashes; document final state.
Implementation steps
1) Create/verify required DNS records (Cloudflare → DNS → Records)
Current known record set (example; keep values exact):
- TXT @: protonmail-verification=9fdaae1801cf7eacf099ac4ce2c40ec188d5bc43
- TXT @: v=spf1 include:_spf.protonmail.ch ~all
- MX @: mail.protonmail.ch (priority 10)
- MX @: mailsec.protonmail.ch (priority 20)
- CNAME protonmail._domainkey → protonmail.domainkey.doh6uihhddl23jwdrsmbij47dx7khyzej6e3bmu7ydx46p3q46g6q.domains.proton.ch
- CNAME protonmail2._domainkey → protonmail2.domainkey.doh6uihhddl23jwdrsmbij47dx7khyzej6e3bmu7ydx46p3q46g6q.domains.proton.ch
- CNAME protonmail3._domainkey → protonmail3.domainkey.doh6uihhddl23jwdrsmbij47dx7khyzej6e3bmu7ydx46p3q46g6q.domains.proton.ch
- TXT _dmarc: v=DMARC1; p=quarantine
All mail records must be DNS only (grey cloud, not proxied): a proxied name answers with Cloudflare's own addresses instead of the published CNAME target, so the DKIM lookups would fail.
2) Cloudflare UI verification
- Open Cloudflare zone mtinfrasolutions.com → DNS → Records.
- Confirm the Proton records exist exactly as provided.
- Confirm there are no duplicate/conflicting SPF TXT records at @ (a second v=spf1 record at the same name makes SPF evaluation return a permanent error).
3) Optional: DMARC policy posture
Current DMARC policy is p=quarantine. Consider aligning the long-term policy with organizational risk tolerance and reporting requirements (e.g., add a rua= address so aggregate reports are delivered to a mailbox you monitor).
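Added example (Python, not part of this runbook and not Proton's or Cloudflare's code): an offline check of the DoH JSON evidence against steps 1 to 3. It compares the apex TXT, MX, DKIM CNAME and _dmarc responses with the record set in step 1, fails if more than one v=spf1 record is present at @ (step 2), and warns when the DMARC record carries no rua= tag (step 3). The SAMPLE responses are constructed in the dns-json shape Cloudflare returns; the file names read by load_evidence() are the ones from the evidence pack checklist, and since only EV-MAIL-13 (selector protonmail) is captured there, the other two selectors produce a WARN rather than a FAIL.

```python
"""Offline validator for the DoH JSON evidence files (EV-MAIL-10 to EV-MAIL-13).
Added example, not Proton's or Cloudflare's code. SAMPLE is constructed in the
dns-json shape; load_evidence() reads the files the PowerShell step saves."""
import json
import re

TXT, MX, CNAME = 16, 15, 5  # RR type codes used in the dns-json "type" field
DOMAIN = "mtinfrasolutions.com"
DKIM_SUFFIX = "domainkey.doh6uihhddl23jwdrsmbij47dx7khyzej6e3bmu7ydx46p3q46g6q.domains.proton.ch"
EXPECTED = {  # copied from the runbook's "Current known record set"
    "spf": "v=spf1 include:_spf.protonmail.ch ~all",
    "verification": "protonmail-verification=9fdaae1801cf7eacf099ac4ce2c40ec188d5bc43",
    "mx": {"mail.protonmail.ch": 10, "mailsec.protonmail.ch": 20},
    "dkim": {f"protonmail{n}": f"protonmail{n}.{DKIM_SUFFIX}" for n in ("", "2", "3")},
    "dmarc_policy": "quarantine",
}

def rdata(doh, rtype):
    """Data strings of all answers of one RR type; empty unless the response is NOERROR."""
    if doh.get("Status") != 0:
        return []
    return [a["data"] for a in doh.get("Answer", []) if a.get("type") == rtype]

def txt_value(data):
    """Join the quoted character-strings of a TXT rdata: '"abc" "def"' -> 'abcdef'."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', data)
    return "".join(parts).replace('\\"', '"') if parts else data

def parse_mx(data):
    """'10 mail.protonmail.ch.' -> ('mail.protonmail.ch', 10)."""
    pref, host = data.split(None, 1)
    return host.strip().rstrip("."), int(pref)

def parse_dmarc(value):
    """'v=DMARC1; p=quarantine' -> {'v': 'DMARC1', 'p': 'quarantine'} (tag names lower-cased)."""
    tags = {}
    for item in value.split(";"):
        key, sep, val = item.partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip()
    return tags

def validate(apex_txt, mx, dmarc, dkim):
    """Return 'FAIL: ...' / 'WARN: ...' findings; passed() is True when no FAIL remains."""
    findings = []
    txts = [txt_value(d) for d in rdata(apex_txt, TXT)]
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    if len(spf) != 1:  # two v=spf1 records at one name is a permanent SPF error (RFC 7208 s4.5)
        findings.append(f"FAIL: expected exactly one SPF record at @, found {len(spf)}")
    elif spf[0] != EXPECTED["spf"]:
        findings.append(f"FAIL: SPF value differs: {spf[0]!r}")
    if EXPECTED["verification"] not in txts:
        findings.append("FAIL: Proton verification TXT missing at @")
    got_mx = dict(parse_mx(d) for d in rdata(mx, MX))
    if got_mx != EXPECTED["mx"]:
        findings.append(f"FAIL: MX set differs: {got_mx}")
    policies = [p for p in (txt_value(d) for d in rdata(dmarc, TXT)) if p.upper().startswith("V=DMARC1")]
    if len(policies) != 1:
        findings.append(f"FAIL: expected one DMARC record at _dmarc, found {len(policies)}")
    else:
        tags = parse_dmarc(policies[0])
        if tags.get("p", "").lower() != EXPECTED["dmarc_policy"]:
            findings.append(f"FAIL: DMARC p={tags.get('p')!r}, expected {EXPECTED['dmarc_policy']}")
        if "rua" not in tags:
            findings.append("WARN: DMARC has no rua= address, so no aggregate reports will arrive")
    for selector, target in EXPECTED["dkim"].items():
        if selector not in dkim:
            findings.append(f"WARN: no DoH evidence captured for {selector}._domainkey")
            continue
        names = [c.rstrip(".") for c in rdata(dkim[selector], CNAME)]
        if names != [target]:
            findings.append(f"FAIL: CNAME for {selector}._domainkey is {names}, expected {target}")
    return findings

def passed(findings): return not any(f.startswith("FAIL") for f in findings)

def doh(name, rtype, datas):
    """Build a constructed dns-json response with the fields Cloudflare returns."""
    return {"Status": 0, "Question": [{"name": name, "type": rtype}],
            "Answer": [{"name": name, "type": rtype, "TTL": 300, "data": d} for d in datas]}

SAMPLE = {  # constructed: the runbook's expected final state, as dns-json would report it
    "apex_txt": doh(DOMAIN, TXT, [f'"{EXPECTED["spf"]}"', f'"{EXPECTED["verification"]}"']),
    "mx": doh(DOMAIN, MX, ["10 mail.protonmail.ch.", "20 mailsec.protonmail.ch."]),
    "dmarc": doh(f"_dmarc.{DOMAIN}", TXT, ['"v=DMARC1; p=quarantine"']),
    "dkim": {s: doh(f"{s}._domainkey.{DOMAIN}", CNAME, [t + "."]) for s, t in EXPECTED["dkim"].items()},
}

def load_evidence(base_path):
    """Read the files the PowerShell step writes; utf-8-sig strips the BOM that Out-File -Encoding utf8 adds."""
    def read(name):
        with open(f"{base_path}/{name}", encoding="utf-8-sig") as fh:
            return json.load(fh)
    return {"apex_txt": read("EV-MAIL-10-TXT-Apex-DoH.json"), "mx": read("EV-MAIL-11-MX-DoH.json"),
            "dmarc": read("EV-MAIL-12-DMARC-DoH.json"), "dkim": {"protonmail": read("EV-MAIL-13-DKIM1-DoH.json")}}

if __name__ == "__main__":  # usage: python validate_mail_dns.py [evidence-pack-dir]
    import sys
    results = validate(**(load_evidence(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE))
    print("\n".join(results + ["PASS" if passed(results) else "FAIL"]))
```

Run it with the evidence pack directory as the only argument to check the captured files; with no argument it checks the constructed sample, which should end in PASS with a single WARN about the missing rua= tag plus WARNs for the two selectors that the pack does not capture.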
Validation (with exact commands)
A) DoH DNS checks (PowerShell)
```powershell
$domain = "mtinfrasolutions.com"
$BasePath = "$env:USERPROFILE\Documents\MTINFRA-EvidencePack"
# Out-File does not create missing folders; make sure the evidence pack directory exists first
New-Item -ItemType Directory -Path $BasePath -Force | Out-Null
# Apex TXT (SPF + Proton verification)
$spf = Invoke-RestMethod -Uri ("https://cloudflare-dns.com/dns-query?name=$domain&type=TXT") -Headers @{ accept="application/dns-json" }
$spf | ConvertTo-Json -Depth 10 | Out-File (Join-Path $BasePath "EV-MAIL-10-TXT-Apex-DoH.json") -Encoding utf8
# MX
$mx = Invoke-RestMethod -Uri ("https://cloudflare-dns.com/dns-query?name=$domain&type=MX") -Headers @{ accept="application/dns-json" }
$mx | ConvertTo-Json -Depth 10 | Out-File (Join-Path $BasePath "EV-MAIL-11-MX-DoH.json") -Encoding utf8
# DMARC
$dmarc = Invoke-RestMethod -Uri ("https://cloudflare-dns.com/dns-query?name=_dmarc.$domain&type=TXT") -Headers @{ accept="application/dns-json" }
$dmarc | ConvertTo-Json -Depth 10 | Out-File (Join-Path $BasePath "EV-MAIL-12-DMARC-DoH.json") -Encoding utf8
# DKIM selector 1 (protonmail._domainkey); EV-MAIL-13 covers this selector only
$dk1 = Invoke-RestMethod -Uri ("https://cloudflare-dns.com/dns-query?name=protonmail._domainkey.$domain&type=CNAME") -Headers @{ accept="application/dns-json" }
$dk1 | ConvertTo-Json -Depth 10 | Out-File (Join-Path $BasePath "EV-MAIL-13-DKIM1-DoH.json") -Encoding utf8
```
B) Mail flow + header authentication
- Send a test email from an external mailbox to <your-proton-recipient>@mtinfrasolutions.com.
- In Proton Mail, open message → view full headers/original.
- Confirm Authentication-Results indicates:
  - SPF: pass
  - DKIM: pass
  - DMARC: pass/aligned
- Save headers to a TXT file.
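Added example (Python, not part of this runbook): a parser for the saved headers file that reads Authentication-Results and reports the SPF, DKIM and DMARC results together with relaxed alignment against the From domain. It only trusts the header stamped by the authserv-id you pass in, because any earlier hop can add an Authentication-Results header of its own (RFC 8601, section 7.1), and it ignores results that concern some other From domain. SAMPLE_HEADERS is constructed, and the authserv-id receiver.example is a placeholder for whatever the receiving MTA actually stamps. Note that the results on a message received at Proton describe the external sender's domain; to see SPF/DKIM/DMARC results for mtinfrasolutions.com itself, run the same check on the headers of a message sent from the Proton mailbox to an external recipient.

```python
"""Read Authentication-Results from saved message headers and judge SPF/DKIM/DMARC.
Added example, not Proton's code. SAMPLE_HEADERS is constructed and the
authserv-id 'receiver.example' is a placeholder for the real receiving MTA."""
import re

EXPECTED_FROM = "mtinfrasolutions.com"

# Constructed headers for a message sent from the Proton domain to an external mailbox.
SAMPLE_HEADERS = (
    "Return-Path: <user@mtinfrasolutions.com>\n"
    "Authentication-Results: receiver.example;\n"
    "\tspf=pass smtp.mailfrom=user@mtinfrasolutions.com;\n"
    "\tdkim=pass header.d=mtinfrasolutions.com header.s=protonmail header.b=Q2z9;\n"
    "\tdmarc=pass (p=QUARANTINE) header.from=mtinfrasolutions.com\n"
    "From: User <user@mtinfrasolutions.com>\n"
    "Subject: test\n"
)

def unfold(raw):
    """Join RFC 5322 folded continuation lines (leading whitespace) onto their header line."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def auth_results(raw):
    """One dict per Authentication-Results header: {'authserv': id, 'spf': {...}, 'dkim': {...}, ...}."""
    out = []
    for line in unfold(raw):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authentication-results":
            continue
        stmts = [s.strip() for s in value.split(";") if s.strip()]
        if not stmts:
            continue
        entry = {"authserv": stmts[0].split()[0].lower()}  # first item is the authserv-id
        for stmt in stmts[1:]:
            m = re.match(r"(\w+)=(\w+)", stmt)  # method=result, e.g. dkim=pass
            if not m:
                continue
            props = dict(re.findall(r"(\w+\.\w+)=(\S+)", stmt))  # header.d=..., smtp.mailfrom=...
            entry[m.group(1).lower()] = {"result": m.group(2).lower(), **props}
        out.append(entry)
    return out

def org_domain(name):
    """Organizational domain for relaxed alignment (last two labels; no public-suffix lookup)."""
    return ".".join(name.lower().rstrip(".").split("@")[-1].split(".")[-2:])

def assess(raw, authserv, expected_from=EXPECTED_FROM):
    """Evaluate the header stamped by `authserv`; headers from other authserv-ids are ignored."""
    for entry in auth_results(raw):
        if entry["authserv"] != authserv.lower():
            continue
        spf, dkim, dmarc = (entry.get(k, {}) for k in ("spf", "dkim", "dmarc"))
        from_dom = org_domain(dmarc.get("header.from", ""))
        if from_dom != org_domain(expected_from):
            continue  # results for a different From domain are not evidence for ours
        spf_aligned = spf.get("result") == "pass" and org_domain(spf.get("smtp.mailfrom", "")) == from_dom
        dkim_aligned = dkim.get("result") == "pass" and org_domain(dkim.get("header.d", "")) == from_dom
        return {
            "spf": spf.get("result", "none"), "dkim": dkim.get("result", "none"),
            "dmarc": dmarc.get("result", "none"),
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            # DMARC passes when at least one aligned identifier passes
            "ok": dmarc.get("result") == "pass" and (spf_aligned or dkim_aligned),
        }
    return None

if __name__ == "__main__":  # usage: python check_auth_results.py < EV-MAIL-01-Headers-AuthResults.txt
    import sys
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_HEADERS
    print(assess(raw, "receiver.example"))
```

Pipe the saved EV-MAIL-01 headers file into the script and replace receiver.example with the authserv-id that actually appears in those headers; a None result means no trusted Authentication-Results header for the expected From domain was found, which is itself a finding.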
Rollback plan
- Remove newly added Proton-related DNS records (only those introduced by the change).
- Restore previous values from evidence pack (pre-change JSON/Cloudflare export).
- Revalidate mail flow and authentication.
Evidence pack checklist
| Evidence ID | Artifact | What it proves |
|---|---|---|
| EV-CF-05 | EV-CF-05-DNS-WebRecords.png | DNS records exist; mail records intact (UI proof) |
| EV-MAIL-10 | EV-MAIL-10-TXT-Apex-DoH.json | TXT values externally visible |
| EV-MAIL-11 | EV-MAIL-11-MX-DoH.json | MX routing externally visible |
| EV-MAIL-12 | EV-MAIL-12-DMARC-DoH.json | DMARC policy externally visible |
| EV-MAIL-13 | EV-MAIL-13-DKIM1-DoH.json | DKIM selector resolves correctly |
| EV-MAIL-01 | EV-MAIL-01-Headers-AuthResults.txt | SPF/DKIM/DMARC pass in real mail flow |
Final state
- Proton Mail MX, SPF, DKIM, DMARC records present and externally resolvable
- Mail flow validated via headers (SPF/DKIM/DMARC pass/aligned)
- Records are DNS-only (not proxied)