DNS & Email Security Report for proton.me

An automated analysis of proton.me's DNS configuration, email authentication (SPF, DKIM, DMARC), DNSSEC chain, IPv6 readiness, and transport security. Last analyzed June 10, 2026.

C70/100
Average

Adequate security, improvements recommended

Overall security score: 70/100 · Grade C (Average)

This report is a cached snapshot

DNS changes frequently. Run a fresh, interactive scan of proton.me for live records, propagation, and deep checks.

Run a fresh live scan

Detailed check results

DNS

73%warning
  • A record presentcritical

    1 A record(s) found

  • AAAA record presentrecommended

    No AAAA records

  • MX records presentrecommended

    2 MX record(s) found

  • NS records presentcritical

    3 NS record(s) found

  • SOA record presentcritical

    SOA record found

  • Multiple nameserversrecommended

    3 nameservers configured ✓

  • SOA serial formatinfo

    Serial 2026042706 (YYYYMMDDnn format)

  • SOA timers validinfo

    Refresh: 1200s ✓, Retry: 144s ✗, Expire: 1814400s ✓. Retry should be 180-7200s (3min-2h)

  • No lame nameserversinfo

    3 NS all responding ✓

  • Glue records presentinfo

    3 glue record(s)

  • WWW record configuredinfo

    A record matches apex

  • MX servers have PTR recordsinfo

    6 MX IPs all have PTR records ✓

  • MX servers have FCrDNSinfo

    6 MX IPs have forward-confirmed reverse DNS ✓

DNSSEC

100%pass
  • DNSSEC signedrecommended

    DNSSEC is enabled ✓

  • DNSSEC validation OKcritical

    DNSSEC validates correctly ✓

  • NSEC3 RFC 9276 compliantrecommended

    NSEC3 iterations=0, salt=empty — RFC 9276 compliant ✓

  • RRSIG signatures validrecommended

    RRSIG signatures valid, earliest expiry in 28 days ✓

  • Modern DNSSEC algorithmoptional

    RSA/SHA-256 (algorithm 8) — acceptable ✓

  • DS digest algorithm modernrecommended

    DS digest: SHA-256 — modern ✓

  • DNSKEY algorithm secureoptional

    DNSKEY: RSA/SHA-256 — acceptable, consider ECDSA (13) or Ed25519 (15)

  • RRSIG TTL saferecommended

    Record TTLs do not exceed RRSIG validity periods ✓

  • Chain of trust completecritical

    Complete chain: DNSKEY + DS + RRSIG ✓

IPv6

0%fail
  • Website reachable via IPv6recommended

    No IPv6 for website. Add AAAA record pointing to your IPv6 address

  • Mail servers reachable via IPv6recommended

    0/2 MX servers have IPv6. Add AAAA records for your mail servers

  • Nameservers reachable via IPv6recommended

    0/3 NS servers have IPv6. Contact your DNS provider about IPv6 support

Email security

73%warning
  • SPF record presentcritical

    v=spf1 include:_spf.protonmail.ch ~all

  • SPF syntax validcritical

    SPF syntax is correct ✓

  • SPF policy strict (-all)recommended

    SPF uses ~all or ?all. Change to -all for strict enforcement

  • DKIM foundrecommended

    No DKIM found. Configure DKIM signing with your email provider

  • DMARC record presentrecommended

    v=DMARC1; p=quarantine; fo=1; aspf=s; adkim=s;

  • DMARC policy quarantine or betterrecommended

    DMARC policy: quarantine ✓

  • DMARC policy rejectoptional

    DMARC policy: quarantine. Set p=reject for maximum protection

  • BIMI record presentoptional

    BIMI logo: undefined

  • BIMI configuration validoptional

    BIMI configuration invalid. Check logo URL and VMC/CMC certificate

  • MTA-STS record presentoptional

    MTA-STS configured ✓

  • MTA-STS policy enforcedoptional

    MTA-STS mode: enforce ✓

  • MX records validcritical

    2 MX record(s) ✓

  • MX domains use DNSSECrecommended

    1/1 MX domain(s) use DNSSEC ✓

  • MX DNSSEC validation OKrecommended

    MX DNSSEC validates correctly ✓

  • Mail servers not blacklistedcritical

    1 MX server(s) checked against 16 blacklists - clean ✓

  • No critical blacklist listingscritical

    No blacklist listings ✓

Web security

91%pass
  • CAA records presentrecommended

    2 CAA record(s) ✓

  • CAA policy strictoptional

    CAA limits certificate authorities ✓

  • TLSA records (DANE)optional

    4 DANE record(s) - configured according to best practices

  • DANE configuration validoptional

    DANE records meet best practices ✓

  • No sensitive info in TXTcritical

    No sensitive data leaked ✓

  • Verification records reviewedinfo

    3 verification record(s): Google, Zoom, Yandex. Consider if all are still needed

  • HTTPS availablecritical

    HTTPS working (status 200) ✓

  • Valid certificatecritical

    Certificate chain is valid and trusted ✓

  • HTTP redirects to HTTPScritical

    HTTP automatically redirects to HTTPS ✓

  • HSTS enabledrecommended

    HSTS enabled (max-age=31536000, includeSubDomains, preload) ✓

  • HSTS max-age >= 1 yearoptional

    max-age=31536000 (≥1 year) ✓

  • X-Frame-Options headerrecommended

    No X-Frame-Options header. Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking

  • X-Content-Type-Options headerrecommended

    X-Content-Type-Options: nosniff ✓

  • Content-Security-Policy headerrecommended

    Content-Security-Policy configured ✓

  • Referrer-Policy headerrecommended

    Referrer-Policy: strict-origin-when-cross-origin ✓

  • security.txt presentoptional

    Contact: mailto:[email protected]

  • security.txt validoptional

    security.txt has required Contact and Expires fields ✓

  • HTTP/3 (QUIC) supportedoptional

    No HTTP/3 support detected No h3 in Alt-Svc header No HTTPS DNS record (type 65) QUIC probe inconclusive (Inconclusive - no QUIC reply (trigger may be dropped or UDP/443 filtered)) — not a negative signal

  • QUIC UDP reachableinfo

    QUIC probe inconclusive (no reply — trigger may be dropped or UDP/443 filtered). Not a negative signal; h3 is judged from Alt-Svc / HTTPS record

  • HTTPS DNS record (SVCB)optional

    No HTTPS DNS record (type 65). Add HTTPS record for faster HTTP/3 discovery: proton.me IN HTTPS 1 . alpn="h3,h2"

Issues found (4)

No IPv6 (AAAA) records

Your domain is not reachable via IPv6. IPv6 is becoming increasingly important

Learn more

Mail servers have no IPv6

Your mail servers are not reachable via IPv6

Learn more

DKIM not found

DKIM helps verify your outgoing email

Learn more

No HTTP/3 (QUIC) support

HTTP/3 uses QUIC for faster, more resilient connections. Enable it on your web server and open UDP/443 in your firewall

Learn more

Recommendations (4)

Implement DKIM

Configure DKIM signing with your email provider and publish the DKIM public key in DNS.

Impact: Improves email deliverability and prevents spoofing

Add IPv6 support

Request AAAA records from your hosting provider for your website. IPv6 is becoming increasingly important.

Impact: Makes your website accessible to IPv6-only networks

IPv6 for mail servers

Add AAAA records for your MX servers to support email via IPv6.

Impact: Improves email reachability for IPv6 networks

Enable HTTP/3 (QUIC)

Enable HTTP/3 for faster page loads and improved connection resilience. Nginx: add "listen 443 quic reuseport;" and "add_header Alt-Svc 'h3=":443"; ma=86400'". Caddy: HTTP/3 is enabled by default. Cloudflare: Enable under Speed → Protocol Optimization. Also add an HTTPS DNS record: example.com IN HTTPS 1 . alpn="h3,h2" Ensure UDP port 443 is open in your firewall (QUIC uses UDP, not TCP).

Impact: Faster page loads (0-RTT), better mobile performance, and connection migration between networks

About this report

IntoDNS.AI evaluates proton.me against DNS hygiene, email authentication, and transport-security best practices, scoring each check and rolling them up into an overall grade. Results reflect public DNS as observed on June 10, 2026 and may differ from a live scan if the domain has since changed its configuration.

Want to check your own domain? Scan any domain on the homepage.

Last analyzed: June 10, 2026 · Google Public DNS