How does ProtonMail treat authentication failures?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

If your emails are reaching most inboxes fine but bouncing or disappearing for ProtonMail users specifically, authentication is almost certainly the reason. ProtonMail attracts users who chose it precisely because it's security-focused. That means it enforces email authentication more strictly than most consumer providers, and it's not shy about rejecting mail that doesn't pass.

Here's what ProtonMail actually checks and how it responds to failures:

  • SPF failures: A hard fail (~all softfail vs -all hardfail in your SPF record) often gets mail blocked outright. ProtonMail doesn't treat softfails as generously as Gmail might. If your sending IP isn't listed in your SPF record, expect rejection.
  • DKIM failures: Missing or invalid DKIM signatures can push messages straight to spam or cause outright rejection. ProtonMail places real weight on DKIM because it cryptographically proves the message hasn't been tampered with in transit.
  • DMARC failures: If your DMARC policy is set to p=reject or p=quarantine and your message fails alignment, ProtonMail will honor that policy strictly. Even p=none won't save you if SPF and DKIM are both broken.

The tricky part is alignment. SPF passing alone isn't enough if the domain in your From: header doesn't align with the domain in your SPF or DKIM records. This trips up senders using a subdomain or a third-party ESP that sends from a different domain. A mismatch there fails DMARC alignment, and ProtonMail will act on it.

One scenario that catches people off guard: you send via an ESP, your SPF covers the ESP's sending domain, but your From: address is your own domain. If DKIM isn't signing with your domain too, alignment fails. (This is why DKIM alignment matters more than SPF alignment for most senders using an ESP.)

The practical fix is straightforward. Make sure all three are in place: SPF covering every IP you send from, DKIM signed with your sending domain, and a DMARC record with at least p=none to start. Then confirm alignment by sending a test to an actual ProtonMail address and checking the message headers. Look for dmarc=pass in the authentication results. If it says dmarc=fail even with SPF and DKIM passing individually, you have an alignment problem.

You can verify your SPF record right now with our free SPF checker, and check how your DMARC record reads with the DMARC generator. If you're still stuck after that, the SOS hotline is free and we'll walk through the headers with you.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Paste your setup details above and get a ranked list of what to fix first.

I'm sending emails that work fine for Gmail and Outlook users but seem to fail for ProtonMail recipients. Based on what I know about ProtonMail's strict authentication enforcement, can you help me figure out which of SPF, DKIM, or DMARC alignment is most likely causing the issue? My ESP is name your ESP, my From domain is your domain, and here's what my current authentication setup looks like: paste SPF record, DKIM selector, DMARC policy. What should I check first, and is there anything ProtonMail-specific I'm missing?

Edit the yellow boxes, then send to the AI of your choice.