diff --git a/nix/deploy/smoke-tests.sh b/nix/deploy/smoke-tests.sh
index 5054a61..84107f9 100755
--- a/nix/deploy/smoke-tests.sh
+++ b/nix/deploy/smoke-tests.sh
@@ -23,9 +23,10 @@ check_dig_answer A "nilstrieb.dev" "161.97.165.1"
 check_dig_answer NS noratrieb.dev "noratrieb.dev..*3600.*IN.*NS.*ns1.noratrieb.dev."
 
 # Mail stuff
-check_dig_answer MX noratrieb.dev "mail.tutanota.de."
-check_dig_answer TXT noratrieb.dev "t-verify=dae826f2ae9f73a71cc247183616b6c9"
-check_dig_answer TXT noratrieb.dev "v=spf1 include:spf.tutanota.de -all"
+check_dig_answer MX noratrieb.dev "mail.protonmail.ch."
+check_dig_answer MX noratrieb.dev "mailsec.protonmail.ch."
+check_dig_answer TXT noratrieb.dev "protonmail-verification=09106d260e40df267109be219d9c7b2759e808b5"
+check_dig_answer TXT noratrieb.dev "v=spf1 include:_spf.protonmail.ch ~all"
 
 # Check HTTP responses
 http_hosts=(
diff --git a/nix/modules/dns/noratrieb.dev.nix b/nix/modules/dns/noratrieb.dev.nix
index 443234f..69c36a1 100644
--- a/nix/modules/dns/noratrieb.dev.nix
+++ b/nix/modules/dns/noratrieb.dev.nix
@@ -37,12 +37,13 @@ let
 
       TXT = [
         "protonmail-verification=09106d260e40df267109be219d9c7b2759e808b5"
-        "t-verify=dae826f2ae9f73a71cc247183616b6c9" # tuta verification
-        "v=spf1 include:spf.tutanota.de -all"
+        "v=spf1 include:_spf.protonmail.ch ~all"
       ];
 
+
       MX = [
-        (ttl 60 (mx.mx 10 "mail.tutanota.de."))
+        (mx.mx 10 "mail.protonmail.ch.")
+        (mx.mx 20 "mailsec.protonmail.ch.")
       ];
 
       subdomains = {
@@ -90,15 +91,13 @@ let
         _atproto.TXT = [ "did=did:plc:pqyzoyxk7gfcbxk65mjyncyl" ];
 
         # --- email
-        _mta-sts.CNAME = [ (cname "mta-sts.tutanota.de.") ];
-        mta-sts.CNAME = [ (cname "mta-sts.tutanota.de.") ];
-
         _domainkey.subdomains = {
-          s1.CNAME = [ (cname "s1.domainkey.tutanota.de.") ];
-          s2.CNAME = [ (cname "s2.domainkey.tutanota.de.") ];
+          protonmail.CNAME = [ (cname "protonmail.domainkey.deenxxi4ieo32na6brazky2h7bt5ezko6vexdbvbzzbtj6oj43kca.domains.proton.ch.") ];
+          protonmail2.CNAME = [ (cname "protonmail2.domainkey.deenxxi4ieo32na6brazky2h7bt5ezko6vexdbvbzzbtj6oj43kca.domains.proton.ch.") ];
+          protonmail3.CNAME = [ (cname "protonmail3.domainkey.deenxxi4ieo32na6brazky2h7bt5ezko6vexdbvbzzbtj6oj43kca.domains.proton.ch.") ];
         };
         _dmarc.TXT = [
-          "v=DMARC1; p=quarantine; adkim=s"
+          "v=DMARC1; p=quarantine"
         ];
 
         # retired