Create a Professional Business Email Address Securely


image where a gmail address is being replaced by a custom one

Intro

If you own a business or a personal blog, a custom professional email with your brand's name on it may be one of the elements that transmit trust to your potential customers and clients.
Most importantly, it allows you to use whatever username you want, without limiting you to the available options from the generic email providers, as in this example with cafelisboa:

cafe lisboa gmail account creation example

Fun fact: there are actually cafelisboa businesses around the world using @gmail as their business email address domain 🙂 I am not affiliated with any of those. I am simply providing an example for illustration purposes.

If you open Google Maps, or just walk around your town, you will find a lot of small and even medium-sized businesses advertising with @gmail.com, @outlook.com, @yahoo.com, @gmx.net, @orange.fr, @sapo.pt and so on.

In this article I will explain how to create an email account with your custom brand name, what options are available and which may be more suitable for your specific case and, no less important, how to protect it from criminal hackers who may be tempted to exploit your great name and reputation to send spam on your behalf.

Don't worry, you don't need to be an IT expert to do this and in fact you can still use your favorite mailbox, such as Outlook or Gmail with the freedom of changing from one provider to another!

Each house, store, office or apartment has a fixed address associated with that specific geographical location - no matter who lives in a given apartment, the address does not belong to the tenants, it belongs to the house itself!

Email addresses follow different rules when compared to our regular "real life" addresses. If we choose to live under Gmail or Outlook, we will not be able to leave the house; we'll have to stick to the address we are given at Gmail.com or at Outlook.com. However, if we decide to create our own house "CafeLisboa", the house name will belong to us no matter where we go! And we can present ourselves as "someOne" who lives at CafeLisboa, even if we are temporarily visiting the house of Google or Microsoft.
AI generated image of houses with a sky resembling the Matrix movie, with a big @ character in the sky

When you own the address name, it really belongs to you and not to the service provider that hosts the servers and stores the emails for you - essentially you are paying a rent to those companies for allowing you to use the infrastructure and underlying services, not for the address.
This gives you the possibility to grab all your stuff (your emails) and move to a new provider that offers better services or better privacy, for example. Your email address will be kept unchanged, and your customers won't even notice. All of that is only possible if you own the most important part - the domain name!

A domain! You need a domain name

A domain name is what appears in a website address after the "www" part. For example, the domain of this blog is HARCKADE.COM, with the ".com" being the top-level domain.
A quick search for the top-level domain you would like to have in your address will give you a list of services, known as domain registrars, offering that option (e.g.: .com, .pt, .fr, .ch, .eu, .co.uk).
google search query: register .pt domain

The pricing for the same domain may be different on different providers and keep in mind that some top-level domains are more expensive than others. So check multiple options before making a final decision.

Some of the most popular registrars are:

  • https://www.hover.com
  • https://www.godaddy.com
  • https://www.namecheap.com
  • https://domains.google

I am not sponsored by nor affiliated with any of them.

As an extra note, it may also be useful to check whether there is already a company or a brand operating under the name that you are planning to use. If you attempt to register a well-known company name under an "exotic" domain such as apple.online, you may face legal problems due to trademark infringement and lose the domain ownership.

When you buy your domain you have to provide your own details and/or those of your company. Some domains offer an option to hide your real identity for a small fee - this is known as Whois privacy.
If you visit https://www.whois.com/whois/ you can check who is the owner of any website. Here is the information you will find when looking for Harckade.com:
harckade whois result
Since I used the Whois privacy option, the details you see on whois.com are hidden behind the information of the provider, Hover. Please note that this doesn't mean that legal authorities cannot find the real identity of the website owner by reaching out to Hover.

You also may have options to buy a mailbox directly from the domain vendor - before you choose to do so, read the next section of this article so you can make a more informed decision.

Select an Email provider

While purchasing the domain, you may find that some providers offer an out-of-the-box email solution. This is indeed the easiest way to have an email address, however it may come with some trade-offs, such as:

  • a poor UX (compared to big players)
  • web access only. Meaning that there is no possibility to use an email application - you have to open the website every time to check your inbox
  • support for only a single address name
  • small inbox size
  • no additional services, just an email inbox (more details about this in the services section)
  • you may want to transfer to a different provider later and having a separate inbox may facilitate that process

In many cases you may want to have multiple addresses within the same inbox. This can be achieved using aliases, which are supported by all three of the vendors compared below. Example:

  • support@your-company.com
  • joe.doe@your-company.com
  • berlin@your-company.com
  • paris@your-company.com

I will focus on the options that can be used without the obligation of purchasing the domain name from the same service provider. This way I'll be covering all cases - both for the people that already have a domain name, and those that are still looking for one. I will compare:

  • Google Workspace
  • Microsoft 365
  • Proton Mail

You can use a single mailbox to receive emails for all of your different domains: support@your-company.com, support@your-company2.com, support@your-company3.com. The main distinction is that on Proton Mail you will have a limitation of only 3 domains for the cheapest business plan.

Business plans pricing and features comparison (March 2026)

If you are a non-profit organization a free plan may be offered to you. The prices may be different depending on your location.

| Feature | Proton Business | Google Workspace | Microsoft 365 |
| :--- | :--- | :--- | :--- |
| Entry Plan | Mail Essentials | Business Starter | Business Basic |
| Entry Price (Monthly) | ~$8.00 | ~$7.00 | ~$4.40 |
| Mid Plan | Mail Professional | Business Standard | Business Standard |
| Mid Price (Monthly) | ~$11 | ~$14.00 | ~$9.30 |
| Top Plan | Business Suite | Business Plus | Business Premium |
| Top Price (Monthly) | ~$15.00 | ~$22.00 | ~$18.80 |
| Email aliases per User | 10 (Essentials) / 15 (Professional) / 20 (Suite) | 30 | 10 |
| Storage (Entry) | 15 GB | 30 GB | 1 TB |
| Storage (Mid) | 50 GB | 2 TB | 1 TB |
| Storage (Top) | 1 TB | 5 TB | 1 TB |
| Video Conferencing | Proton Meet | Google Meet | Teams (+~$1.5/month) |
| Office Suite | Proton Docs/Sheets | Google Docs/Sheets | Office 365 for web & mobile (Desktop available for Business Standard plan or above) |
| Cloud Storage | Proton Drive | Google Drive | OneDrive |
| AI Features | Lumo | Gemini | Copilot (+~$22.5/month) |
| Data Jurisdiction | Switzerland | US | US |


I encourage you to explore other options before making a final decision about which email provider you want to choose, considering their different privacy and security policies, pricing, extra services and user experience (user-friendliness).
Leave this tab open while you do it, and return to this article once you complete the subscription process.

Now that you have made your decision, it is time to configure the technical settings on the portals of your domain provider and your email provider.

Configuration

In this section I will describe all the steps you need to take to configure your Domain Name System (DNS), to keep your inbox and your clients' inboxes safe.
But before we continue, let me explain what can happen if you skip some of the steps and just configure the basics. By basics I mean, the bare minimum DNS configurations that enable your email service to send and receive messages.

In the worst-case scenario, a bad DNS configuration may allow anyone on the internet to send emails to other people on your behalf, propagating phishing and other malicious activity. When many people start reporting your emails as suspicious, you may end up on a blacklist.
Getting into a blacklist means that your legit emails will be sent straight to the phishing and junk folders.

You can check if your domain is blacklisted using MX Toolbox.

Migration

If you already have a working email account, for example at Google Workspace, and want to migrate to Proton Mail, the critical rule is to perform the data migration before changing your DNS records.
Start by keeping your Google Workspace account active and using Proton's built-in Import data tool to automatically copy your existing emails, contacts, and calendar from Gmail to Proton. This secure background transfer preserves your folder structure and ensures all historical data is safely moved while your domain still routes new mail to Google, preventing any loss of past communications.

DNS - Domain Name System

This is the service that your domain name provider handles for you, when it comes to hardware and operation. The configuration, however, is your responsibility.
You can think about this system as an address book. Whenever you type an address in your browser, or your mailbox, DNS will resolve (translate) the domain you entered into an Internet Protocol (IP) address of the server where the website or email service is hosted. This allows your browser to then establish a connection with the server and load the resources you are looking for.

The DNS of your registrar hosts public records that other DNS servers may consult when looking for your address to verify your identity. In practical terms, this allows email providers, such as Gmail or Outlook, to confirm that you are trustworthy and discard some of the traffic that attempts to impersonate your address.

If you visit your registrar and navigate to the DNS settings page you will find all the records that you currently have configured. There are many different types of records - this is not important for our discussion today, so I will only focus on the email-relevant records and skip the record type explanation (you can find the full list at Wikipedia).

Harckade.com DNS records example:
harckade DNS records

In the next section I will explain the importance of each record and how to configure it.

DKIM, SPF, DMARC and other Pokemons

Those names may look strange and scary, but behind each one of them there is a simple and logical explanation. Even if you don't fully understand them, the important part is that you configure them!

Before you proceed with the configuration, let me tell you where you can find all of these values.
Open your email service and navigate to settings. Then open the "Domain names" or "email & authentication" section and add a new domain. Below is the example for Proton Mail.
Proton Mail add domain

Verify your ownership

The first record you will have to add proves that you own the domain. Why is that necessary? Because otherwise the email provider wouldn't be able to determine who owns the domain, and anyone could use a ".gov" domain to send emails on behalf of the government.
Proton Mail verification domain
The record has a type, host name and a value. You need to copy those values exactly as provided and add them to your DNS records configuration.
Add verify DNS of type TXT to verify ownership of the domain

Control where incoming emails will land

To receive emails at the email provider of your choice (where you bought your subscription), your domain's DNS needs to direct all incoming messages to the provider's servers. That is achieved using the Mail Exchange (MX) records. Usually the provider has multiple servers to guarantee a better level of availability in case of a disaster or increased traffic.
MX record example for Proton Mail
Add the respective MX record to your DNS.

Prevent others from using your identity

You may think that the ownership record you previously added would be enough to prevent others from using your email, but in fact that record is only useful for the service provider itself - a malicious email provider wouldn't mind sending emails on behalf of others. So, the Sender Policy Framework (SPF) record was invented. It signals to other email providers (those of your customers) that you allowed a particular service to send emails using your domain address.
This may be useful for automation - you may allow multiple services and providers to send emails on your behalf (e.g.: send email notifications using third party email sending service).
SPF record configuration for Proton Mail
Add the respective SPF record to your DNS.

DKIM (DomainKeys Identified Mail)

In simple terms, DKIM allows providers (such as Google, Outlook or Yahoo) to validate the integrity of the email that you are sending and to ensure that it was not tampered with in transit, by validating its digital signature.
DKIM example

Technical explanation:
Similarly to a physical signature at the end of a letter, which allows you to identify who wrote it, a digital signature has the same goal but a slightly different mechanism. Instead of relying on visual recognition, it uses a special cryptographic key that is composed of two elements that are unique to your email account and your service provider.
The first element is a private key, which is stored on the email provider's server, is hidden from everyone and is used to sign the email. The second one is the public key, which is stored in your DNS and is visible to the entire internet - it allows anyone to decrypt the signature and so to verify and validate it.

The digital signature itself is a combination of mathematical operations: hashing and encryption.
You can think about hashing as a summary of the entire message, condensed into a single number that would drastically change even if you just change a single comma or space in your message. It is a one-way operation, meaning that it is easy to calculate, but extremely difficult to reverse. If you give someone that summary number, it will be impossible for them to find out the original message unless they try all possible combinations to find it.

Once the hash is generated, it is encrypted using the private key and the message is sent. When it arrives at the recipient's mailbox (e.g.: Gmail), Google will check your DNS, get the public key stored in the DKIM record and decrypt the signature. Then, Gmail will calculate the hash of your message and compare it with the previously decrypted number. If there is a match - perfect, the message can be trusted! If it fails, it means that someone tampered with its content during the transmission.

Remember that when you send without DKIM, your emails are much more likely to land in the Spam folder.
If you send with a valid DKIM signature, you establish trust.
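
The hash-then-sign flow from the technical explanation above, as an added example (not code from any email provider). It uses textbook RSA without padding and a constructed key built from two publicly known primes so the arithmetic stays visible. The message is constructed, and the header and body handling is a simplified version of what real DKIM does:

```python
import base64
import hashlib

# Constructed demo key pair built from two publicly known Mersenne primes.
# Real DKIM keys are generated randomly by the email provider and use padded
# RSA (or Ed25519); this key must never be used for anything real.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public part: what the DNS record publishes
D = pow(E, -1, (P - 1) * (Q - 1))        # private part: stays on the provider's server


def body_hash(body):
    """SHA-256 of the body, ignoring empty lines at the end (simplified)."""
    canonical = body.rstrip("\r\n") + "\r\n"
    return base64.b64encode(hashlib.sha256(canonical.encode()).digest()).decode()


def _digest(headers, bh):
    # The signature covers the chosen headers plus the body hash, so changing
    # either the headers or the body invalidates it.
    signed = "".join(f"{name.lower()}:{value}\r\n" for name, value in headers)
    return int.from_bytes(hashlib.sha256((signed + "bh=" + bh).encode()).digest(), "big")


def sign(headers, body):
    """Sender side: hash the message, then apply the private key to the hash."""
    bh = body_hash(body)
    return bh, pow(_digest(headers, bh), D, N)


def verify(headers, body, bh, signature):
    """Receiver side: recompute the hashes, then compare using the public key."""
    if body_hash(body) != bh:
        return False                     # body was changed in transit
    return pow(signature, E, N) == _digest(headers, bh)


# Constructed message.
HEADERS = [("From", "orders@your-company.com"), ("Subject", "Invoice 42")]
BODY = "Total due: 100 EUR\r\n"
```

Signing `HEADERS` and `BODY` and then verifying them succeeds, while changing a single character of the body or of a signed header makes `verify` return `False`.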

DMARC = SPF + DKIM

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is built on the foundation of SPF and DKIM validation.
Similarly to a security guard checking credentials at a building entrance, DMARC acts as a verification layer that validates whether an incoming email is legitimately from the claimed sender. Instead of relying on a single check, it combines these protocols to create a comprehensive authentication system.
DMARC policy example

The first part of the DNS record is the DMARC version that is supported. Think of it like a software header: it tells the receiving server, "This is a DMARC record, and it follows version 1 rules."
For now only DMARC1 exists, but the protocol is "future-proof" and can potentially allow servers to distinguish between the old and new standards.
The second part is the policy that tells receiving servers what to do when an email fails authentication: take no action, quarantine it (send to spam), or reject it entirely.

Once the email arrives at the recipient's inbox (e.g.: Gmail), Gmail will check your DNS, retrieve the DMARC record, and evaluate whether the email passed SPF or DKIM. Then, Gmail will apply the policy you've set. If you've set it to "reject" and the email fails, it won't be delivered. If you've set it to "quarantine," it may go to spam. If you've set it to "none," it will be delivered but you'll receive reports about the activity.

Optional DMARC parameters
These control reporting and alignment behavior:

  • rua (Aggregate Reports URI): Specifies where to send daily aggregate reports (XML files) summarizing who is sending email on your behalf and how many passed/failed.
    • Example: rua=mailto:dmarc-reports@yourdomain.com
  • ruf (Forensic Reports URI): Specifies where to send real-time failure reports (often containing the full message content) for specific failed emails. Note that many providers limit this due to privacy concerns.
    • Example: ruf=mailto:dmarc-forensics@yourdomain.com
  • sp (Subdomain Policy): Defines the policy specifically for subdomains (e.g., mail.yourdomain.com). If omitted, the main p policy applies to subdomains as well.
    • Options: none, quarantine, reject.
  • adkim (DKIM Alignment Mode): Controls how strictly DKIM alignment is checked.
    • r (Relaxed - default): The domain in the DKIM signature must match the domain in the "From" header, but subdomains are allowed (e.g., mail.example.com matches example.com).
    • s (Strict): The domains must match exactly.
  • aspf (SPF Alignment Mode): Controls how strictly SPF alignment is checked.
    • r (Relaxed - default): Subdomains are allowed to match.
    • s (Strict): Domains must match exactly.
  • pct (Percentage): Specifies the percentage of messages to which the DMARC policy should be applied.
    • Default is 100.
    • Useful for testing: You can set pct=10 to apply the policy to only 10% of traffic while monitoring results before rolling it out to everyone.
  • fo (Failure Options): Defines under what conditions a forensic report (ruf) should be generated.
    • 0: Generate if either SPF or DKIM fails (default).
    • 1: Generate if both SPF and DKIM fail.
    • d: Generate if DKIM fails.
    • s: Generate if SPF fails.
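
How a receiver combines the record with the SPF and DKIM results, as an added example (not any provider's implementation). The record and domains are constructed, `sample` is a hypothetical stand-in for the random roll behind `pct`, and relaxed alignment is simplified to a subdomain check:

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT value into tags, filling in the defaults listed above."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags.setdefault("sp", tags["p"])         # subdomains inherit p when sp is omitted
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags["pct"] = int(tags.get("pct", "100"))
    return tags


def aligned(auth_domain, from_domain, mode):
    """Does the domain that passed SPF or DKIM match the visible From domain?"""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    # Relaxed, simplified: identical, or one is a subdomain of the other.
    # Real receivers compare organizational domains via the Public Suffix List.
    return a == f or a.endswith("." + f) or f.endswith("." + a)


def disposition(record, from_domain, spf, dkim, is_subdomain=False, sample=0):
    """spf and dkim are (result, domain) pairs; sample is a 0-99 roll used for pct."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags["aspf"])
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "deliver"                     # one aligned pass is enough
    policy = tags["sp"] if is_subdomain else tags["p"]
    if sample >= tags["pct"]:
        # Message falls outside pct: the next weaker policy applies instead.
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return "deliver" if policy == "none" else policy


# Constructed record (placeholder domain).
RECORD = "v=DMARC1; p=reject; adkim=s; pct=10; rua=mailto:dmarc-reports@your-company.com"
```

Note the alignment step: a message whose SPF check passes for some other domain (for example a bulk sender's own bounce domain) still fails DMARC for `your-company.com`, because the passing domain does not match the visible From address.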

Questions & Suggestions

If you have any questions or suggestions, please send them over using the contact page. Thank you!