How to manage Proton Mail’s encryption for custom domain addresses

2 mins
Addresses and identities
Proton Mail

Proton Mail encrypts all emails sent between Proton accounts with end-to-end encryption (E2EE) and all emails that arrive from an external email service with zero-access encryption by default.

If you’ve added a custom domain (e.g. to your Proton Mail account, you may want to route certain domain emails to another mail server for specific purposes, such as compliance or CRM integration. To do this, you may have set a different mail server as your primary MX record. This worked in the past, but will no longer work after a security update that will go into effect on August 15, 2023.

Going forward, Proton Mail will always deliver emails from other Proton Mail users directly to your Proton-hosted addresses, regardless of your domain’s MX records. This ensures that the emails between Proton Mail users remain secure with E2EE.

However, if you still want to route emails according to your domain’s MX records for certain addresses, you’ll need to disable E2EE for those addresses in Proton Mail. This will create an exception and allow email from Proton Mail accounts to be routed to the external mail server specified in your primary MX record.

Proton requires you to manually create this exception to ensure that all internal traffic is end-to-end encrypted unless explicitly specified by the address owner.

Note that even if you disable E2EE for a given address, all messages delivered to it will still be protected by Proton Mail’s zero-access encryption.

Unless you have a specific reason to do so, we do not recommend turning off Proton Mail’s end-to-end encryption. 

How to adjust your encryption settings

 This option will only be visible if your domain’s MX records do not point to Proton Mail.

  1. Go to and log in using your Proton Account username and password. 
  2. Click Settings → All settings Identity and addresses.
  3. Scroll down until you see the My addresses section.
  1. Find the email address(es) for which you want to turn off end-to-end encryption and click the dropdown menu under the Actions column. Select Disable E2EE mail. If this email address is your designated catch-all address, all emails routed to the catch-all will be affected.
  1. You can also turn E2EE back on any time by going to the same drop menu and selecting Enable E2EE mail.

Didn’t find what you were looking for?