Tuta (Tutanota) MX Records: Setup Guide for Custom Domains

How to set up MX records for Tuta (formerly Tutanota) custom domains. Correct values, DNS configuration steps, and encryption notes.

That is it, one record. Unlike providers like Google Workspace that use five MX records for redundancy across multiple servers, Tuta routes all email through a single hostname. Tuta handles redundancy and load balancing behind that hostname on their infrastructure.

Step-by-Step Setup

Step 1: Add Your Domain in Tuta

Before touching DNS, add your domain in the Tuta admin console:

1. Log into your Tuta account at mail.tuta.com
2. Go to Settings (gear icon)
3. Navigate to Email and then Custom email domains
4. Click Add custom domain
5. Enter your domain name (e.g., yourdomain.com)
6. Tuta will show you the DNS records you need to add, including the MX record, a TXT verification record, and optionally SPF, DKIM, and DMARC records

Write down or copy all the records Tuta provides. You will need them in the next step.

Step 2: Add the Domain Verification Record

Tuta requires you to verify domain ownership before email will work. They typically provide a TXT record to add to your DNS. The exact value is unique to your account, so copy it directly from the Tuta admin console.

Add this TXT record at your domain registrar:

• Type: TXT
• Host/Name: @
• Value: The verification string from Tuta

Step 3: Add the MX Record

Log into your domain registrar or DNS provider (wherever your domain's DNS is managed, such as GoDaddy, Cloudflare, Namecheap, etc.) and navigate to the DNS settings for your domain.

Remove any existing MX records. If your domain has MX records from a previous email provider or from your registrar's default email forwarding, delete them. Leaving old MX records will cause email to be delivered unpredictably, with some messages going to Tuta and others going to the old provider.

Add the Tuta MX record:

• Host/Name: @ (represents your root domain)
• Type: MX
• Value/Mail Server: mail.tutanota.de
• Priority: 10
• TTL: Leave at default (3600 is fine)

Save the record.

Step 4: Add SPF, DKIM, and DMARC Records

Tuta provides additional DNS records for email authentication. While the MX record handles incoming email routing, these records protect your outgoing email:

SPF record. Add a TXT record at @ with the value Tuta provides. It will typically include include:spf.tutanota.de. You can verify your SPF configuration at spfrecordcheck.com.

DKIM records. Tuta generates DKIM keys for your domain. Add the CNAME or TXT records exactly as shown in your Tuta admin console. Verify the setup at dkimtest.com.

DMARC record. Tuta recommends adding a DMARC policy. A basic starting point is v=DMARC1; p=quarantine; as a TXT record on _dmarc.yourdomain.com. Check your policy at dmarcrecordchecker.com.

Step 5: Wait for Propagation and Verify in Tuta

DNS changes take time to propagate, anywhere from a few minutes to 48 hours, though most changes are visible within one to four hours.

After waiting, go back to Tuta's admin console. Tuta will check whether it can see your DNS records. Once verification passes, your domain is active and ready to receive email.

Step 6: Verify With an MX Lookup

Go to mxrecordchecker.com and enter your domain. You should see a single MX record:

• mail.tutanota.de with priority 10

If you see this, your MX configuration is correct. If you see old records or nothing at all, double-check your DNS settings and wait a bit longer for propagation.

Step 7: Send a Test Email

Send a test message from an external email account (a personal Gmail or Outlook address) to an address at your custom domain. If it arrives in your Tuta inbox, everything is working. If it bounces, verify that the mailbox or alias exists in Tuta and that the MX record is live.

How Tuta's Encryption Affects MX Configuration

Tuta is known for its end-to-end encryption, but it is important to understand what this means for MX records specifically: the MX configuration itself is no different from any other email provider. MX records just route email to Tuta's servers, and encryption happens after the message arrives.

Here is what Tuta's encryption does and does not affect:

Between Tuta users. Emails sent between two Tuta accounts are automatically end-to-end encrypted. The sender's client encrypts the message, and only the recipient's client can decrypt it. This happens regardless of your MX configuration.

From external senders. When someone from Gmail or Outlook sends you an email, the message arrives at Tuta's servers via standard SMTP, routed by your MX record. Tuta encrypts the message at rest once it reaches their servers, but the transmission from the sender's server to Tuta is protected only by TLS (transport encryption), which is standard for all email providers.

Password-protected emails to external recipients. Tuta lets you send encrypted emails to non-Tuta users by setting a shared password. This does not involve MX records. It works through a notification email and a secure web link.

The practical takeaway: your MX record setup for Tuta is identical to setting up any other email provider. The encryption benefits are a feature of Tuta's software, not something you configure at the DNS level.

Common Issues and Troubleshooting

Tuta says domain verification failed. The TXT verification record may not have propagated yet. Wait an hour and try again. Also confirm you added the record at the correct DNS provider. If you use Cloudflare for DNS but registered at GoDaddy, the record needs to be at Cloudflare.

Email still going to old provider. Old MX records may still be present. Check your DNS for any MX records other than mail.tutanota.de and remove them. Use mxrecordchecker.com to see what is actually live.

Emails bouncing with "user unknown." The MX record routes email to Tuta, but the specific address must exist as a mailbox or alias in your Tuta account. Log into Tuta and verify the address is configured.

Cannot add domain due to plan limitation. Custom domains require a paid Tuta plan. Verify that your subscription includes custom domain support.

MX record shows correctly but Tuta admin still says "not verified." Tuta's verification checks may lag behind actual DNS propagation. Wait 15-30 minutes and refresh the admin page. If the issue persists after several hours, contact Tuta support.

Migrating to Tuta From Another Provider

If you are switching to Tuta from Google Workspace, Microsoft 365, or another email provider, plan the transition carefully:

Before switching: Lower the TTL on your current MX records to 300 seconds at least 24 hours before the migration. Set up your Tuta account, add your domain, and create all necessary mailboxes and aliases.

During the switch: Remove old MX records and add the Tuta MX record. Verify the change at mxrecordchecker.com.

After the switch: Keep access to your old provider for a few days to catch any email that was delivered there during propagation. Note that Tuta does not currently offer an automated email import tool, so you may need to manually forward important messages from your old account.