Proton Mail


Proton Mail is a Swiss end-to-end encrypted email service launched in 2014. It is owned by the non-profit Proton Foundation through its subsidiary Proton AG, which also operates Proton VPN, Proton Drive, Proton Calendar, Proton Pass and Proton Wallet. Proton Mail uses client-side encryption to protect email content and user data before they are sent to Proton Mail servers, unlike other common email providers such as Gmail and Outlook.com.
Proton Mail received its initial funding through a crowdfunding campaign, and initial access was by invitation only, but it opened to the public in 2016. There were two million users by 2017 and almost 70 million by 2022.
The source code for the back end of Proton Mail remains closed-source, but Proton Mail released the source code for the web interface, iOS and Android apps, and the Proton Mail Bridge app under an open-source licence.

History

On May 16, 2014, Proton Mail entered into public beta. Due to high demand, after three days beta signups were temporarily restricted to expand server capacity. Afterwards, Proton Mail implemented an invite-only waiting list.
In summer 2014, Proton Mail received from 10,576 donors through a crowdfunding campaign on Indiegogo, while aiming for. During the campaign, PayPal froze Proton Mail's PayPal account, thereby preventing the withdrawal of worth of donations. PayPal stated that the account was frozen due to doubts of the legality of encryption, statements that opponents said were unfounded. The restrictions were lifted the following day.
On August 14, 2015, Proton Mail released major version 2.0, which included a rewritten codebase for its web interface. On March 17, 2016, Proton Mail released major version 3.0, which saw the official launch of Proton Mail out of beta. With a new interface for the web client, version 3.0 also included the public launch of Proton Mail's iOS and Android beta applications and the removal of the waiting list.
On January 19, 2017, Proton Mail announced a Tor onion site. On November 21, 2017, Proton Mail introduced Proton Mail Contacts, a zero-access encryption contacts manager. Proton Mail Contacts also utilizes digital signatures to verify the integrity of contacts data. On December 6, 2017, Proton Mail launched Proton Mail Bridge, an application that provides end-to-end email encryption to any desktop client that supports IMAP and SMTP, such as Microsoft Outlook, Mozilla Thunderbird, and Apple Mail, for Windows and MacOS.
On July 25, 2018, Proton Mail introduced address verification and Pretty Good Privacy support, making Proton Mail interoperable with other PGP clients.
Around July 2021, Proton Mail's security and cryptographic architecture were both independently audited by Securitum, a European security auditing company, who uncovered no major issues or security vulnerabilities, and the audit results were publicly published.
In April 2022, Proton acquired SimpleLogin, a company based in Paris, France that provides email aliasing addresses. SimpleLogin functionality was subsequently integrated into Proton Mail, but the email masking service is also available independently to use with any email provider. That same month, Proton also announced that users would now be able to create @proton.me email addresses, to complement the @protonmail.com addresses that were previously the default choice.
In May 2022, following a rebrand of Proton, a space was added to the official name of the service, transitioning from ProtonMail to Proton Mail. In February 2023 a new version of the Proton Mail Bridge was launched that was considered to be a major improvement. Proton Mail Bridge allows Proton Mail to be used with any third party email client on Windows, macOS, or Linux, without losing end-to-end encryption.
In April 2024, Proton Mail launched a desktop app for Windows and macOS. A version for Linux is in beta. The desktop client is only available for users with a paying subscription, despite Proton AG's earlier comments that it would be "gradually be made available to all users, including free". The app also allows access to Proton Calendar.
In July 2024, Proton released a private AI writing assistant for Proton Mail called Scribe.

Encryption

Proton Mail uses a combination of public-key cryptography and symmetric encryption protocols to offer end-to-end encryption. When a user creates a Proton Mail account, their browser generates a pair of public and private RSA keys:
  • The public key is used to encrypt the user's emails and other user data.
  • The private key capable of decrypting the user's data is symmetrically encrypted with the user's mailbox password.
This symmetrical encryption happens in the user's web browser using AES-256. Upon account registration, the user is asked to provide a login password for their account.
Proton Mail also offers users an option to log in with a two-password mode that requires a login password and a mailbox password.
  • The login password is used for authentication.
  • The mailbox password encrypts the user's mailbox that contains received emails, contacts, and user information as well as a private encryption key.
Upon logging in, the user has to provide both passwords. This is to access the account and the encrypted mailbox and its private encryption key. The decryption takes place client-side either in a web browser or in one of the apps. The public key and the encrypted private key are both stored on Proton Mail servers. Thus Proton Mail stores decryption keys only in their encrypted form so Proton Mail developers are unable to retrieve user emails or reset user mailbox passwords. This system absolves Proton Mail from:
  • Storing either the unencrypted data or the mailbox password.
  • Divulging the contents of past emails but not future emails.
  • Decrypting the mailbox if requested or compelled by a court order.
Proton Mail exclusively supports HTTPS and uses TLS with ephemeral key exchange to encrypt all Internet traffic between users and Proton Mail servers.
In September 2015, Proton Mail added native support to their web interface and mobile app for PGP. This allows a user to export their Proton Mail PGP-encoded public key to others outside of Proton Mail, enabling them to use the key for email encryption. The Proton Mail also supports PGP encryption from Proton Mail to outside users.

Email sending

An email message sent from one Proton Mail account to another is automatically encrypted with the public key of the recipient. Once encrypted, only the private key of the recipient can decrypt the message. When the recipient logs in, their mailbox password decrypts their private key and unlocks their inbox.
Email messages sent from Proton Mail to non-Proton Mail email addresses may optionally be sent in plain text or with end-to-end encryption. With encryption, the message is encrypted with AES under a user-supplied password. The recipient receives a link to the Proton Mail website on which they can enter the password and read the decrypted message. Proton Mail assumes that the sender and the recipient have exchanged this password through a backchannel. Such email messages can be set to self-destruct after a period of time.

Data centres

Proton Mail is hosted in data centres maintained by Proton AG in three countries: Switzerland, Germany and Norway. Each data centre uses load balancing across web, mail, and SQL servers, redundant power supply, hard drives with full disk encryption, and exclusive use of Linux and other open-source software.

Controversies

In August 2025, two individuals of Phrack had their Proton email accounts disabled while working on an article describing an advanced persistent threat in South Korean computer networks. The individuals speculated their accounts being disabled were a co-ordinated attack by Kimsuky since this occurred after they used the emails to notify the affected parties. After the individuals contacted Proton's team for an appeal, the response was that their accounts were disabled for unauthorized activities which they concluded with “We consider that allowing access to your account will cause further damage to our service, therefore we will keep the account suspended.” Phrack's editors contacted Proton regarding the suspensions on August 22, clarifying hacked information was not passed through the email exchanges using Proton Mail infrastructure. A follow-up email later in September was sent, but no response came from Proton. When the incident was posted on social media, an official response by Proton on X on September 10, 2025, claimed the suspensions were due to an alert given by a Computer Emergency Response Team about the accounts violating terms of service and that they were investigating. The accounts were then reinstated after Proton's CEO Andy Yen made a post on X about it, clarifying that the individuals were suspended due to being hacktivists, which violated the terms of service, explaining there was a distinction between that and a journalist and that their suspensions were not targeting journalists as Phrack claimed. He said this reinstatement was an exception for reasons he could not disclose further for privacy reasons of the parties involved.

Reception

Technological reviews of Proton Mail are generally mixed. IT Pros review scores it 4 out of 5 stars. It lauds the end-to-end encryption of emails, including for non-Proton Mail users, a robust security, and the interfaces of both the web and mobile versions of the email client, with criticisms of the client's search function and the service's price versus the competition. PCMag also rates the service 4 out of 5 stars, praising the security, in addition to loading embedded images without returning the IP address to senders and setting expirations for messages, but questioning the cap on daily messages even with a subscription. TechRadar gives the service 4.5 out of 5 stars, calling it one of the best secure email services, although it noted limitations such as that it is not suited for voluminous messaging, the reluctance of websites to adopt the service, and that email subject lines are not encrypted. User review website Trustpilot scored the service 2.2 out of 5 stars based on 1,025 reviews.
Proton Mail was the recipient of three Lovie Awards, one gold and The People's Lovie in 2016, and one silver in 2017.