MTA-STS and TLS-RPT for Proton Mail Custom Domains

1. # MTA-STS & TLS-RPT Setup for Proton Mail Custom Domainss
2. Proton Mail doesn't provide instructions for setting up MTA-STS and TLS-RPT, probably because it's likely to make migrations to other services difficult.
3.  
4. After setting it up you can verify MTA-STS and TLS-RPT with https://easydmarc.com/tools/mta-sts-check and https://easydmarc.com/tools/tls-rpt-check. You can also check your Cloudflare logs where you'll see daily lookups by e.g. Gmail.
5.  
6. ## Setting up MTA-STS
7. Doing it Cloudflare style:
8. 1. Create a Worker for the subdomain `mta-sts`.
9. 2. Use the following script:
10. ```
11. export default {
12. async fetch(request, env, ctx) {
13. return fetch('https://mta-sts.protonmail.ch/.well-known/mta-sts.txt');
14. },
15. };
16. ```
17. 3. Create a CNAME with the name `_mta-sts` pointing to `_mta-sts.protonmail.ch`.
18.  
19. ## Setting up TLS-RPT
20. Doing it the same way Proton does for their domains, e.g. `pm.me`.
21. It's unclear what Proton will do with the reports, if anything.
22.  
23. 1. Create a TXT record with the name `_smtp._tls`
24. 2. Enter the value `v=TLSRPTv1; rua=https://reports.proton.me/reports/smtptls`.