diff --git a/nix/deploy/smoke-tests.sh b/nix/deploy/smoke-tests.sh
index 84107f9..5054a61 100755
--- a/nix/deploy/smoke-tests.sh
+++ b/nix/deploy/smoke-tests.sh
@@ -23,10 +23,9 @@ check_dig_answer A "nilstrieb.dev" "161.97.165.1"
 check_dig_answer NS noratrieb.dev "noratrieb.dev..*3600.*IN.*NS.*ns1.noratrieb.dev."
 
 # Mail stuff
-check_dig_answer MX noratrieb.dev "mail.protonmail.ch."
-check_dig_answer MX noratrieb.dev "mailsec.protonmail.ch."
-check_dig_answer TXT noratrieb.dev "protonmail-verification=09106d260e40df267109be219d9c7b2759e808b5"
-check_dig_answer TXT noratrieb.dev "v=spf1 include:_spf.protonmail.ch ~all"
+check_dig_answer MX noratrieb.dev "mail.tutanota.de."
+check_dig_answer TXT noratrieb.dev "t-verify=dae826f2ae9f73a71cc247183616b6c9"
+check_dig_answer TXT noratrieb.dev "v=spf1 include:spf.tutanota.de -all"
 
 # Check HTTP responses
 http_hosts=(
diff --git a/nix/modules/dns/noratrieb.dev.nix b/nix/modules/dns/noratrieb.dev.nix
index 69c36a1..443234f 100644
--- a/nix/modules/dns/noratrieb.dev.nix
+++ b/nix/modules/dns/noratrieb.dev.nix
@@ -37,13 +37,12 @@ let
 
       TXT = [
         "protonmail-verification=09106d260e40df267109be219d9c7b2759e808b5"
-        "v=spf1 include:_spf.protonmail.ch ~all"
+        "t-verify=dae826f2ae9f73a71cc247183616b6c9" # tuta verification
+        "v=spf1 include:spf.tutanota.de -all"
       ];
 
-
       MX = [
-        (mx.mx 10 "mail.protonmail.ch.")
-        (mx.mx 20 "mailsec.protonmail.ch.")
+        (ttl 60 (mx.mx 10 "mail.tutanota.de."))
       ];
 
       subdomains = {
@@ -91,13 +90,15 @@ let
         _atproto.TXT = [ "did=did:plc:pqyzoyxk7gfcbxk65mjyncyl" ];
 
         # --- email
+        _mta-sts.CNAME = [ (cname "mta-sts.tutanota.de.") ];
+        mta-sts.CNAME = [ (cname "mta-sts.tutanota.de.") ];
+
         _domainkey.subdomains = {
-          protonmail.CNAME = [ (cname "protonmail.domainkey.deenxxi4ieo32na6brazky2h7bt5ezko6vexdbvbzzbtj6oj43kca.domains.proton.ch.") ];
-          protonmail2.CNAME = [ (cname "protonmail2.domainkey.deenxxi4ieo32na6brazky2h7bt5ezko6vexdbvbzzbtj6oj43kca.domains.proton.ch.") ];
-          protonmail3.CNAME = [ (cname "protonmail3.domainkey.deenxxi4ieo32na6brazky2h7bt5ezko6vexdbvbzzbtj6oj43kca.domains.proton.ch.") ];
+          s1.CNAME = [ (cname "s1.domainkey.tutanota.de.") ];
+          s2.CNAME = [ (cname "s2.domainkey.tutanota.de.") ];
         };
         _dmarc.TXT = [
-          "v=DMARC1; p=quarantine"
+          "v=DMARC1; p=quarantine; adkim=s"
         ];
 
         # retired