I Do Not Recommend Proton Mail
A review of my experience from using a paid Proton Mail account over the past years and why I decided to leave the service after broken promises, technical failures, and ethical disappointments.

Note: This cover photo was stolen from an unknown number of different artists by/through the use of the Microsoft Designer AI and on top of that botched by me in GIMP to fix hallucinations, change colors, and add the purple “Proton Mail” text.
At the end of 2020, I needed an online office suite. Something that could handle
business emails, as well as manage and share calendars and address books for one
of my ventures. One thing was certain: I wasn’t about to throw my money into
Google Apps for Work Apps for Business G Suite Workspace.
Back at the time, there were few options to choose from that would not only play nicely with the rest of the corporate world – namely Microsoft’s and Google’s platforms – but also pinky promise to not sell your data to the highest bidder. I didn’t pay attention to any privacy claims made by the platforms, because when you run a business, you almost always lose whatever privacy you had left, due to open company registries, transparency laws, KYC procedures, and other measures imposed by “modern” bureaucratic governments. Instead, what was more important to me was the reliable delivery of e-mails – which is the main reason why I decided against self-hosting in this case – as well as a good track record regarding data security. I also wanted a service that is not storing/processing data within the US, for compliance reasons.
In terms of features, I was willing to put up with a bit of a PITA if the service looked promising and gave the impression that customer feedback is taken seriously and improvements would happen over time. Handling mail and calendar events was non-negotiable, everything on top of that was optional. However, with business growth over time, requirements changed and I was expecting whatever platform I was signing up for to keep up with evolving needs.
After doing extensive research and trying out a few options, I decided to go with Proton Mail primarily because at the time it appeared to be the platform making the most progress in just a short time, in an otherwise stagnant field that is the groupware/online office market. I signed up for their ProtonMail Plus plan, which back then was $48 per year. I paid another $9 for five additional addresses, and another $18 for one additional domain, bringing the total up to $93 per year – nearly double the price of today’s Google Workspace Business Starter plan. After the first year I upgraded to the Proton Unlimited plan, that was more expensive, only to downgrade again to the Mail Essentials plan a year later. My growing frustration with the service led me to downgrade and start preparing to leave Proton altogether.
In 2020, however, Proton’s pitch was compelling: integrated end-to-end encryption – meaning, not having to deal with each user’s GPG setup individually – servers based in Europe and not in the US – an argument that aged like milk – a principled stand against surveillance capitalism, and a decent track record in terms of availability and security.
Fast-forward to today, and I find myself walking away from Proton with a sense of frustration and disappointment. What began as a promising e-mail provider for the people has slowly devolved into a technically unreliable, ethically questionable, and financially manipulative service.
In this post, I want to detail key points of my own experience with Proton Mail as a paying customer over the past years, highlight the major red flags I’ve encountered, and explain why I do not recommend this service.
An Interesting Foundation
One of Proton Mail’s foundational marketing messages is that it’s a community-supported, privacy-respecting alternative to Big Tech – developed by scientists who met at CERN and shared a vision of an Internet that puts people first and defends freedom.
TODO: Find and add stock photo of happy scientists wearing colorful t-shirts with “freedom” printed on the front, holding hands, and dancing in the meadow.
However, this narrative is complicated by the €2 million in funding Proton
received from the EU’s Horizon 2020 program. While this isn’t inherently
problematic, it raises questions. A service claiming to be independent and
supported by its users has, in fact, been partially funded by government money.
And it’s not just any government money, it’s Horizon money.
For example, one key part of the subsequent Horizon 2021-2022 program agenda was HORIZON-CL3-2021-FCT-01-02: Lawful interception using new and emerging technologies (5G & beyond, quantum computing and encryption). How convenient that just a year earlier – in Horizon 2020, which is referenced multiple times in the 2021-2022 agenda – a company running an e-mail and a VPN service was funded.
Proton published the following statement regarding their EU funding:
This grant also does not create any commitments on our part, other than using the funding for the purposes that we have outlined in our proposal to the European Commission. It does not alter our Swiss jurisdiction, nor can it compel us to do anything that would compromise the security of our product and privacy of our users in any way.
Let’s keep this in mind.
TODO: Find and add stock photo of happy scientists wearing colorful t-shirts with “freedom” printed on the front, holding hands, and dancing in a giant pile of cash.
Proton Mail Bridge: A Frustrating, Fragile Mess
Starting with one of the biggest technical issues I encountered with the service: The Proton Mail Bridge. The Bridge is the essential tool that allows paid – only paid! – Proton users to integrate their supposedly encrypted e-mail with desktop clients like Outlook, Thunderbird, or Apple Mail.
The Bridge is a workaround to access e-mails stored behind Proton’s proprietary API using software that supports open standards like IMAP and SMTP. It is basically a translator that converts requests made from regular e-mail clients into requests that are understood by Proton’s servers. Proton implemented this solution because it would have otherwise been impossible for them to integrate with literally any other e-mail clients besides their own one. People who prefer using Thunderbird are unable to do so without the Bridge because Thunderbird speaks IMAP and POP3, but Proton’s mail service doesn’t speak either of those protocols. In theory, the Bridge is a way to upgrade an environment like e-mail – that was never anticipated to support things like encryption when it was first built – while still maintaining compatibility with existing software.
However, in practice, the Proton Mail Bridge is an unstable, poorly supported piece of software with a frustrating set of limitations and critical bugs that Proton appears to be unable to solve. Over the past years, I have encountered so many issues with the Bridge that at some point I gave up and used Proton’s Mail Export Tool to retrieve and back up my e-mails.
While at the beginning, technically knowledgeable people like myself could share information about – and maybe find solutions to – issues with the Bridge in Proton’s GitHub repository, sometime in 2024 Proton decided to take the issues section down. So much for transparency and community, I guess.
I can imagine that one key reason for Proton to remove the issues tab from GitHub was reports of critical bugs, that were open for years without a definitive resolution. But that’s just speculation. Whatever led to Proton hiding issues with their software behind the customer support, it certainly didn’t make things better for their users, myself included. I more often than not found my mailbox to differ in content, when comparing my local IMAP client (using the Bridge) and the Proton web interface. Delayed syncs, duplicated messages, and random errors became routine headaches. I found myself regularly clicking the “Repair” button, that Proton placed within the Bridge’s advanced settings. Especially for a business that relies on consistent and seamless e-mail communication, this is unacceptable.
Mobile Apps
Using Proton Mail comes with having to use the official Proton mobile apps,
which to be fair have gotten significantly better over the past years, but are
nevertheless inferior to popular IMAP/SMTP clients like K-9 Mail
Thunderbird. While it’s possible to connect Thunderbird on Android to the
Bridge while the phone can reach whatever other device is running the
Bridge, it isn’t practical. People online even went as far as to run the
Bridge headless on a VPS and connect their device to that, which is nothing
short of a security disaster waiting to happen.

The Proton apps are open-source, which is positive. Unfortunately, only ProtonVPN and Proton Pass can be obtained from F-Droid – all the other apps (Mail, Calendar, Drive) must be obtained from Google Play or via Obtainium and come with the Sentry (SaaS) “tracker” enabled (for crash reporting).
While the Proton Mail app is generally usable, the Proton Calendar app is a PITA. It’s clunky, navigation and management of events is tedious and it doesn’t integrate into the rest of the mobile operating system. Even tasks as simple as importing ICS files are practically impossible and require jumping through various hoops.
It’s the same story with the integrated address book in Proton Mail – for which there is no dedicated app. It’s impossible to bi-directionally sync address books. That’s a crucial feature for business use, yet contacts syncing isn’t just not a first-class citizen, it’s not even a first-world country, figuratively speaking.
Nu DNS, who dis?
Another technical letdown happened when I had to migrate my DNS account and a mistake within only a handful of records sneaked in unnoticed along the way. For a few days a generally lower-volume domain, that was configured in my Proton account, was effectively unable to retrieve e-mail. I only got to notice this when I was actively waiting for an e-mail confirmation from another service, which never arrived. The Proton Mail service never notified me that something might be wrong with the DNS configuration. Even after manually checking in the account settings, the domain was all green.
While this was clearly an issue with my domain registrar and the migration that was performed – which I should have triple-checked thoroughly – it nevertheless uncovered another flaw in the mail service’s reliability. Ideally, Proton would have alerted me within a few hours after noticing the DNS configuration being broken.
I have intentionally tried to reproduce this issue when I migrated away from Proton Mail, by changing parts of the DNS configuration and waiting to see if Proton would notice it within a reasonable amount of time. The results were a bit of a mixed bag and highly dependent on which of the records changed, and in what way. However, the quickest I could get Proton to notice a break in DNS was to completely remove all Proton-related records on a domain that had TTLs of 5 minutes. In that case, Proton would inform me a little over 24 hours after the changes were published and already propagated (e.g. visible for services like dnschecker.org). Given that most e-mail servers will (on average) retry re-delivery for 48 to up to 96 hours, no e-mails would have gone missing. However, in the case of my (unintentionally) broken DNS, I did lose e-mails.
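Since the provider's own check took over a day in the best case, the domain owner can watch the records directly. The following is an added example, not code from this post or from Proton: it compares what a domain publishes against a baseline and reports drift. The domain `example.com`, the MX priorities and the TXT values are constructed placeholders (only the two MX host names come from this page), and the optional live resolver assumes the third-party `dnspython` package.

```python
"""Mail-DNS drift check (added example; not the author's or Proton's code)."""
import re
from dataclasses import dataclass

# Baseline the domain is supposed to publish. The MX hosts are the two named
# on this page; priorities and TXT values are constructed placeholders and
# must be replaced with what your provider's setup page shows.
BASELINE = {
    ("example.com", "MX"): {"10 mail.protonmail.ch", "20 mailsec.protonmail.ch"},
    ("example.com", "TXT"): {"v=spf1 include:spf.mailprovider.example ~all"},
    ("_dmarc.example.com", "TXT"): {"v=DMARC1; p=quarantine"},
}


@dataclass(frozen=True)
class Finding:
    severity: str  # "critical" = inbound mail at risk, "warning" = auth/policy drift
    name: str
    rdtype: str
    detail: str


def normalize(rdtype, value):
    """Bring a record into a comparable form (case, trailing dot, TXT quoting)."""
    value = value.strip()
    if rdtype == "TXT":
        # Resolvers return TXT as one or more quoted chunks; join them.
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', value)
        return "".join(chunks) if chunks else value
    if rdtype == "MX":
        prio, host = value.split()
        return f"{int(prio)} {host.rstrip('.').lower()}"
    return value.rstrip(".").lower()


def check(baseline, resolve):
    """Compare published records with the baseline.

    `resolve(name, rdtype)` returns a list of record strings and raises
    LookupError when the name has no such records.
    """
    findings = []
    for (name, rdtype), expected in sorted(baseline.items()):
        sev = "critical" if rdtype == "MX" else "warning"
        try:
            seen = {normalize(rdtype, v) for v in resolve(name, rdtype)}
        except LookupError:
            findings.append(Finding(sev, name, rdtype, "no records published"))
            continue
        want = {normalize(rdtype, v) for v in expected}
        for rec in sorted(want - seen):
            findings.append(Finding(sev, name, rdtype, f"missing: {rec}"))
        if rdtype == "MX":
            # Any MX outside the baseline can divert or bounce inbound mail.
            for rec in sorted(seen - want):
                findings.append(Finding("critical", name, rdtype, f"unexpected: {rec}"))
        # Extra TXT records (site verification etc.) are normal, but more than
        # one SPF record makes SPF evaluation fail with a permanent error.
        if rdtype == "TXT" and sum(r.lower().startswith("v=spf1") for r in seen) > 1:
            findings.append(Finding("warning", name, rdtype, "multiple SPF records"))
    return findings


def zone_resolver(zone):
    """Offline resolver over a dict, used for the constructed samples below."""
    def resolve(name, rdtype):
        try:
            return zone[(name, rdtype)]
        except KeyError:
            raise LookupError(f"{name} {rdtype}: no answer") from None
    return resolve


def dnspython_resolver(name, rdtype):
    """Live lookup; requires `pip install dnspython`."""
    import dns.resolver
    try:
        return [r.to_text() for r in dns.resolver.resolve(name, rdtype)]
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer) as exc:
        raise LookupError(str(exc)) from exc


# Constructed sample: a healthy zone as a resolver would print it.
GOOD_ZONE = {
    ("example.com", "MX"): ["10 MAIL.protonmail.ch.", "20 mailsec.protonmail.ch."],
    ("example.com", "TXT"): ['"v=spf1 include:spf.mailprovider.example" " ~all"',
                             '"site-verification=constructed-token"'],
    ("_dmarc.example.com", "TXT"): ['"v=DMARC1; p=quarantine"'],
}
# Constructed sample: the same zone after a botched migration.
BROKEN_ZONE = {
    ("example.com", "MX"): ["10 mail.protonmail.ch."],
    ("example.com", "TXT"): ['"v=spf1 include:spf.mailprovider.example ~all"',
                             '"v=spf1 -all"'],
}

if __name__ == "__main__":
    for f in check(BASELINE, zone_resolver(BROKEN_ZONE)):
        print(f"{f.severity:8} {f.name} {f.rdtype}: {f.detail}")
```

Run on a schedule with `dnspython_resolver` in place of `zone_resolver(...)` and alert on any `critical` finding; at a 5-minute TTL this surfaces a broken MX set well inside the senders' retry window.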
2log || !2log ?
Apart from the technical issues, there’s a general issue concerning Proton’s credibility, that has been unfolding over the past few years. The negative sentiment from users toward Proton escalated in 2021, when a critical story about Proton’s handling of legal matters emerged.
The tl;dr is that a French climate activist was arrested after Proton handed over IP logs to Swiss authorities, who were acting on a request from Europol, which originated in France. “Hol’up! Where did IP logs come from? Didn’t Proton say they don’t log such information? And why didn’t the guy notice the dead warrant canary?!”, you might be rightfully asking.
Well, it turned out, they sort of lied and they sort of did log things. Oh, and also, Proton doesn’t think that under Swiss law a warrant canary is “meaningful” (?!), because they will generally notify people when they’re permitted to do so, but then again when they’re not they basically hope for the authorities to eventually notify people and all in all it might be different when foreign authorities are involved, blah blah blah. Long story short, Proton lied about the no logs part and they don’t care to implement a simple warrant canary that drops dead, because they prefer the convoluted legal procedures that might eventually notify the user of an ongoing investigation.
While Proton later claimed that their hands were tied by Swiss law (and to some extent, they surely were), the fact remains that they were technically able to log and hand over this data, contradicting their earlier assertions. To make matters worse, their response to the controversy was more focused on technicalities than accountability. For many privacy advocates, this incident was the moment Proton lost its credibility. For me, it was another red flag:
A service that says one thing, but then does another thing, is not one I can trust with sensitive business information – or any information in general for that matter. Why would I continue to believe that they won’t sell my data to the highest bidder? Why would I continue to put up with their non-standard architecture that requires non-standard software to access my data and effectively locks me into their service, when I cannot trust them to keep the promises they made? Why would anyone still believe any of what they write about their “zero-access architecture” when they can just make a copy of the plain-text mail that is being submitted to their SMTP server long before it ends up in that “zero-access” storage? I was paying for a service, believing their promise of not being the product, just like how other people might have paid for their service, believing their promise of not logging IP addresses.
These days, Proton’s transparency report also paints quite a different picture than what their statement back in 2019 was, remember?
This grant also does not create any commitments on our part, other than using the funding for the purposes that we have outlined in our proposal to the European Commission. It does not alter our Swiss jurisdiction, nor can it compel us to do anything that would compromise the security of our product and privacy of our users in any way.
Meanwhile going from 3.017 complied-with and 750 contested orders (a ratio of approximately 4:1) in 2020 to 10.368 complied-with and 655 contested orders (approximately 16:1) in 2024 speaks a different language. Of course, we might argue that the user numbers have significantly increased as well. That, however, doesn’t exactly explain the reduction in contested orders as opposed to the significant increase in complied-with ones.
And if we look at another, similar, more recent example it becomes obvious how Proton is continuously trying to dodge bad press by saying one thing (“Proton does not require adding a recovery address”), but then evidently doing another thing (requiring a recovery address when signing up through a VPN service or Tor). As previously explained, Proton won’t save you when the government comes knocking, because it legally can’t. For my specific use case, the supposed privacy they are trying to sell was completely irrelevant. Their behavior in those areas, however, demonstrates a certain degree of deceitfulness from their side. It appears that every time bad press hits Proton, they are trying to twist the harsh reality that they have to comply with into some sort of one-off exception. All while continuing to paint the picture of being a privacy safe haven that everyone can be part of for only double the price of a Google Workspace subscription and the willingness to endure their painfully bad Proton Bridge.
The Marketing Machinery
The deceptive tactics of Proton don’t seem to be stopping with bad press either. If you visit the Proton For Business website at the time of writing, this is what you’ll be greeted with:

“Trusted by over 50,000 businesses and 100 million people around the world.”, wow, that’s a lot of businesses and people. Also, Proton Mail apparently was featured in The Guardian, The New York Times, Time, and… the United Nations? That’s an unusual source for a for-profit software company to be featured in.
Unfortunately, the logos aren’t linked to any articles or pages that support their claim. However, after some research, I found a post in the Proton blog that says:
Proton Mail is the tool recommended by the United Nations for documenting human rights abuses.
The text “recommended by the United Nations” links to this site, which unfortunately doesn’t exist anymore. On the Wayback Machine, however, we can find the original page, which is an information page for the Independent Investigative Mechanism for Myanmar (IIMM). The IIMM is a UN entity, led by Nicholas Koumjian, who was interviewed by Reuters back in 2021, where, similar to the wording on the IIMM page, the following sentence appeared:
People with such information should contact the investigators through secure means of communication, he added, citing apps such as Signal or a ProtonMail account.
It seems that the mentioning of ProtonMail (amongst other platforms) can be primarily attributed to Nicholas Koumjian, and specifically the unit’s dedicated domain myanmar-mechanism.org – which in fact has its MX records configured to mail.protonmail.ch and mailsec.protonmail.ch – and serves the purpose of letting affected people in Myanmar know how to reach out to them.
However, it is a very far stretch from Proton to suggest that, quote, “ProtonMail is […] recommended by the UN […]”, and it is straight out disingenuous to slap the UN emblem onto their main page because one out of the approximately 37.000 staff members, and one out of the dozens and dozens of specialized agencies and programs working at/for/with the UN mentioned ProtonMail, amongst other services, as a possibility for specific people to get in touch. Especially so, when Proton can’t even seem to keep their services available from within Myanmar.
I would be curious to know whether the United Nations legal team has approved Proton’s use of the UN’s reputation and emblem for the purpose of advertising the e-mail service. If so, I’m genuinely puzzled by the fact that Proton didn’t go all the way and make it a prominent customer success story, as one would expect it from a marketing department.
On a side note: Even though the person working for the UN also mentioned Signal for communication, I was unable to find any UN – or, more appropriately, US – emblems on signal.org, or tweets from the official Signal account mentioning a UN (or US) recommendation of Signal.
Given that at this time information on the UN recommendation is sparse, Proton should maybe reconsider having it on their social channels as well as their blog, and the UN emblem on their Business landing page and instead replace it with the IIMM logo. My guess is, though, that having the globally recognized UN emblem instead of the IIMM logo simply sells better.
Anyhow, judging by the search results that I’m getting for the other logos, Proton might as well consider to scrap the whole logo thing altogether:


While this whole deal seems like a pedantic detail to point out, it is worth mentioning as it demonstrates the marketing “don’t ask for permission, ask for forgiveness” shark mentality that Proton appears to be living by these days. They point towards Big Tech with blame, but then turn around and employ the same dishonest tactics to catch people’s attention and grow. Instead of keeping their heads down and putting in the work, they seemingly try to shortcut it by marketing a convincing enough illusion, and meanwhile doubling down on promises they already broke in the past:
A reputable VPN service should never log anything that might compromise its customers’ privacy. That way, even if authorities seized its servers or an adversary accessed its storage, they would find nothing useful, anyway.
At Proton VPN, we commission annual third-party audits to verify our strict no-logs policy. And unlike many other VPN companies, we publish these audits in full, so you can have confidence that when we say we keep no logs, we mean it.
It is not a one-off, that we encounter on Proton’s website. The deceiving marketing tactics are visible throughout other channels as well:

“Keep your personal data hidden from advertisers, …”? Maybe. “… governments and hackers”, highly unlikely.
Also, on a different note, why is it that pages on the Proton website, especially the blog, randomly disappear? In every other Proton blog post, you can find links to sites that were at some point scrubbed from their website.
Just take the “RAM-only VPN servers” example from above: When you scroll down to “Final thoughts” you will find a link saying “Performing routine internal and external software audits”. The page that used to be behind that link has been replaced with a redirect to Proton’s Open Source page. The content of that page is nowhere else to be found on their website. The archived page says “Transparency is the key to trust” – well, Proton, how about being transparent enough to leave pages online and just add an “Update <date>”-section to them if things change? Yes, like the “Update 29 March 2022”-section that you already added to that specific page.
Why not leave pages online for future reference? I am happy to donate 18GB of unused Proton Drive to the editorial members of the Proton blog if it’s a storage issue!
Upsell, Lock-In and Retention Tactics
Apart from the odd marketing that Proton employs to dodge bullets and gain customers, their products have some features and limitations that I believe are upsell, lock-in and retention tactics.
What do you mean “remove a domain”?
For example, one of such tactics that you will encounter with Proton, is in regard to any type of address, whether it’s one within their Proton domains or one with a custom domain. While you can happily add as many addresses as you’re willing to pay for, you cannot simply remove them anymore.
The reason for that is that Proton forces you (for reasons they don’t explain) to delete all e-mails that use the respective address, before allowing you to remove it from the system. Assuming you were using a custom domain for a few years and eventually decided to turn it off, or worse (for Proton), move it to a competitor. You might be paying an extra for having that domain in your Proton account domain, so it makes sense for you to remove it. However, you might still need to keep e-mails from that domain for various reasons.
Proton will not let you delete the address(es) and the domain for as long as you have those e-mails in your account. If you’re paying an extra for the domain, or for additional addresses, you will have to continue to do so, even after you deleted or migrated the DNS records and the domain is no longer pointing towards Proton. Why? I don’t know. It is a, *cough*, technical limitation.
Your only option is to use the Bridge – which, as we learned, cannot be trusted with data integrity – or their Export Tool to download all the e-mails and store them somewhere else, and delete the online versions from their servers, before trying to remove the address(es) and the domain. Then, if you ever need one of those e-mails, e.g. to forward information via your Proton Mail account, you will have to dig through the exported .eml files to search for it and then upload it as a regular file attachment.
This limitation makes it cumbersome to ever remove addresses or domains, especially for non-technical users, and likely leads to people paying for additional addresses and domains, even though they don’t actively use them anymore.
lock-in@pm.me
Another tactic for upselling, lock-in and retention that I encountered concerns Proton’s @pm.me addresses. When you sign up for an account on Proton Mail, you automatically get an e-mail address under one of their longer domains, which is usually your username@proton.me or username@protonmail.com. One of the perks that Proton offers to paying customers is a number of shorter, easy-to-remember, easy-to-spell @pm.me addresses. Those addresses can be added to your account after you sign up for a paid plan. They can be of use for different situations, in which you wouldn’t necessarily want to use your own address and domain – e.g. when being asked in person for an e-mail, for example for in-store returns of purchases, or when signing up for webinars, meetups and other things from which you might expect to receive valuable information at first, but also annoying follow-ups later on.
Over the past years, I used three additional @pm.me addresses, next to the original @protonmail.com address that came with the account. I never used the included protonmail.com address. All the other addresses, except one particular @pm.me address, were solely used as dummy/burner addresses, so I didn’t care too much about those either.
However, the one @pm.me address that I did care about, I had used for important accounts and interactions. In hindsight I realized that I made a mistake by using a domain I have no control over (@pm.me) for important communication, and that I should have used addy.io with a custom domain I controlled instead. Everyone who ever tried to register a domain that matches ^[a-z\.]{5}$, though, will know that it’s impossible (a.k.a. financial suicide) and understand why having an address that’s @pm.me is kind of neat.
Part of the reason why I used that particular address was because it is easy to spell out over the phone; and because I was assuming that if I ever wanted to leave Proton Mail, I could simply delete all the other addresses, leaving only the important @pm.me address active and downgrade the account to the free plan that only includes one address. That’s at least how I interpreted Proton’s extremely vague documentation.
Fast-forward to 2025 and I migrated my custom domains away from Proton, to a different service that supports open standards like IMAP. I also updated all online accounts that I cared about and removed the Proton burner addresses, only retaining the one @pm.me address that I had planned on keeping when downgrading my account to the free plan.
Unfortunately, it turns out that it’s not possible to set the @pm.me address as default and remove the original @protonmail.com address, because there is no button to do so in the Proton Mail settings UI. All addresses can be removed, except for the original one. I became suspicious, so I reached out to the support. After multiple days of back-and-forth – because the support would only answer to e-mails once a day – with vague and unclear information provided by the agents, I eventually got a more insightful response on why changing the primary address is not possible:
The main reason is that when you created your account, a key was generated to match the username, which in turn allows for the secure sending and receiving of emails.
Another limitation that makes it impossible for me to keep my preferred @pm.me address after downgrading. I wished that this would have been stated clearly in Proton’s official documentation.
The support offered a workaround for which they would have to delete the @pm.me address that I would like to keep, so they could whitelist (?) it, so that I could create a new @proton.me account with the same local part (username) for the @pm.me address to be assigned to. Considering that the round-trip time for support mails is a full day, I’m imagining that if e-mails arrive during the period the address is not available, they will be rejected by Proton’s mail servers.
Long story short, you can’t easily choose which address to keep once you decide you want to leave Proton. The username (and hence address) that you used initially to sign up for the service is going to be the one that is being kept, even when you “owned” other addresses during your time as a subscriber. This is not being made obvious anywhere in the documentation. Whether this is an active tactic to lock users in or a genuine limitation of Proton’s complex architecture is hard to say. For an end-user, however, the inconvenience might suffice to make them continue paying for the lowest-tier plan, for the sake of not having to deal with the situation and, in the worst case, break things.
Even if I were to go through the hoops of creating a new account and transferring the @pm.me address to it, another (purely artificial) limitation would kick in – which the customer support didn’t mention a single time, by the way:
If you activated your short @pm.me address with a Proton Free plan, you can only receive emails at that address. If you want to send emails from your @pm.me address, you’ll need to upgrade to a paid plan.
At this point, it should be obvious that the short @pm.me addresses are a way to upsell and lock in users. There’s nothing wrong with having premium features that are only available to paid users, however, I feel like the Proton documentation and, more importantly, the upgrade and downgrade pages are kept frustratingly vague around these topics. At this point, I cannot tell if it’s simply due to lack of care or intentional.
A Pattern of Over-Promising and Under-Delivering
Throughout my time with Proton, I observed a consistent pattern of ambitious promises followed by poor execution. As stated at the beginning, my primary reason for going with Proton initially was the speed with which they iterated on their products, making it seem like even if specific features were lacking, it was only a matter of time until they’d be improved upon. However, with the company growing – especially horizontally, with new services like Drive, Pass, Sentinel, and even a Wallet – the speed at which core products improve has decreased significantly.
To put this into perspective: Only since December 2023 – nearly a decade after Proton Mail launched – it is possible to automatically forward e-mails from Proton Mail to other accounts, but with caveats. The moment you add a forwarding rule for e-mails to a non-Proton address, it will disable end-to-end encryption for all the emails to and from the forwarding address. It is frankly bizarre how a whole USP goes out the window by enabling a feature that took Proton over nine years to implement and is such a basic feature for every regular business e-mail setup. Proton provides too little technical background information to understand why they would need to completely disable E2EE for that specific address. This lack of info from Proton again provokes a feeling of limitations being artificial, with the sole purpose to lock-in users: As long as you forward your mails to a Proton account, E2EE remains functional – but dare you to forward them to any other service provider!
And just like it took Proton nearly a decade to implement the forwarding feature, it was also only in 2023 that SMTP submissions were finally possible. As mentioned before with things like the calendar and address book, there are still plenty of features one might expect but are nowhere to be found, or are implemented in ways that either make them impractical to use or defy the whole purpose of using Proton Mail to begin with.
Farewell, Proton
There’s no denying Proton Mail played an important role in bringing privacy as a topic into people’s minds. Unfortunately, it did so using what is possibly the single worst medium in terms of privacy – e-mail – making the mainstream user believe that if only they shell out a hundred bucks a year and do the voodoo dance that is connecting their mail client to a bug-riddled Bridge – as well as only using Proton’s official apps on mobile – they are protected from… *glances over to the official threat model document*… “the government to have access to all of their emails at any time”.

Regardless of the privacy nonsense, however, over time, the service has shown
more and more cracks – not just in its technology, but in its ethics and
business practices. Between the unreliable Bridge experience, the lack of
business features, the misleading claims around data logging and other
controversies, and what feels like artificial limitations and intentional
retention tactics, I’ve come to believe that Proton Mail is not the
community-driven, principled, and privacy-protecting company it claims to be.
In fact, with the recent behavior of Proton’s very own CEO, who
seemingly feels like diving into unasked-for political commentary and thereby
shows a lack of integrity and professionalism, I’m starting to doubt more than
only Proton’s proclaimed mission statement of a better internet […] with
privacy and freedom.
If you’re a personal user sending occasional messages, Proton Mail may still serve your needs. Remember, though, that they won’t protect you from anything and that the “zero-access” “privacy” mumbo-jumbo is nothing but snake oil when probably most e-mails that you send and receive are being handed over to the other person’s mail server in plain text, for everyone (including Proton) to read and potentially store. Let alone the metadata.
If you care about the privacy of your e-mail content, use GPG – something you can do with any e-mail service. If you are afraid of the provider being hacked, don’t leave your e-mails on the server and – again – use GPG. If you don’t want your real data to be associated with a custom domain or an e-mail address, sign up for a service that doesn’t require you to submit any data, and is either free or can be paid for using untraceable payment methods like cash or Monero. If you have Amazon sending you order confirmations with your full name and address to that account, remember that you haven’t actually solved anything by having registered an anonymous e-mail account. And if you really care about having a steel fortress in terms of privacy, Switzerland is one of the worst possible jurisdictions to go for and you’d much rather look for an island state that lacks public company registries and has a legal system that makes it hard/costly for an e-mail service provider to be pressured or held accountable. If you don’t want the service provider to sell data about the content of your e-mails, or your usage behavior, sign up for a service that appears small and credible enough to not do these things and – one more time – use GPG. And if you are technologically knowledgeable and you might not need 100% deliverability, you might as well host your own e-mail server. After all, e-mail is federated.
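To make the content-versus-metadata point concrete, here is an added example (not part of the original post) that classifies a raw message as plaintext, inline PGP, or PGP/MIME and lists the headers that stay readable to every mail server either way. The sample messages are constructed, the function names are hypothetical, and it assumes classic PGP/MIME without protected headers.

```python
from email import message_from_string

# Constructed sample messages (not real mail); ciphertext is a placeholder.
HEADERS = ("From: alice@example.org\nTo: bob@example.com\n"
           "Subject: Invoice 2024-07\nDate: Mon, 01 Jul 2024 10:00:00 +0000\n")
ARMOR = "-----BEGIN PGP MESSAGE-----\n\n(placeholder)\n-----END PGP MESSAGE-----\n"
PLAINTEXT_MAIL = HEADERS + ("Content-Type: text/plain; charset=utf-8\n\n"
                            "Total due: 1,200 EUR.\n")
INLINE_PGP_MAIL = HEADERS + "Content-Type: text/plain; charset=utf-8\n\n" + ARMOR
PGP_MIME_MAIL = HEADERS + (
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";'
    ' boundary="b1"\n\n'
    "--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
    "--b1\nContent-Type: application/octet-stream\n\n" + ARMOR +
    "--b1--\n")


def content_protection(msg):
    """Return 'pgp-mime', 'pgp-inline' or 'plaintext' for a parsed message."""
    # PGP/MIME (RFC 3156): the top-level container announces the encryption.
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        return "pgp-mime"
    # Inline PGP: an ASCII-armored block sits inside an ordinary text part.
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            if b"-----BEGIN PGP MESSAGE-----" in body:
                return "pgp-inline"
    return "plaintext"


def audit(raw):
    """Return (body protection, headers visible in cleartext to any relay)."""
    msg = message_from_string(raw)
    exposed = [h for h in ("From", "To", "Subject", "Date") if msg[h]]
    return content_protection(msg), exposed


if __name__ == "__main__":
    for name, raw in (("plaintext", PLAINTEXT_MAIL),
                      ("inline PGP", INLINE_PGP_MAIL),
                      ("PGP/MIME", PGP_MIME_MAIL)):
        protection, exposed = audit(raw)
        print(f"{name}: body={protection}, cleartext headers={exposed}")
```

Run over an exported mailbox, the same two functions show how much of your correspondence is actually encrypted and that sender, recipient, subject and date remain visible in all three cases.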
However, for businesses or professionals expecting robust, accountable, and mature infrastructure that is similar to what they’re used to from Google Workspace or Microsoft Outlook, I would strongly advise looking elsewhere. Proton does not have what it needs, as it still lacks some of the most basic business features, and the further your business grows the more noticeable the pain points are going to be. Proton’s primary focus lies on its “privacy architecture”, which complicates the implementation of otherwise simple features like e-mail forwarding and SMTP submissions. Expect normal business features to take a long time to become available in Proton.
I’m not suggesting sticking with Google, Microsoft, or any other Big Tech platform, but instead looking into more honest options that might not have all the bells and whistles, but at least stick to what they promise. A non-exhaustive list of possible options can be found on the infrastructure page, but do your own research.
We need more privacy-respecting tools, but we also need those tools to be open, honest, reasonable, and respectful of users’ control and freedom. At least for me, Proton Mail does not meet that bar.