Proton Mail

Proton Mail is the most polished privacy-respecting email provider for users who want end-to-end-encrypted email without self-hosting — operated by the Proton Foundation (a Swiss non-profit) and the largest pure-privacy mailbox provider by user base. Listed at Grade A · editor's pick because it remains the realistic default for non-technical users who need encrypted email today, while being honest about the metadata-vs-content asymmetry that defines its actual threat model.

Background. Founded in 2014 by Andy Yen and a team out of CERN; rebranded from ProtonMail to the broader Proton ecosystem (Mail, VPN, Drive, Calendar, Pass, Authenticator, Docs, Sheets, Meet, plus Lumo AI and Simple Login). The company restructured under the Proton Foundation non-profit model — a Swiss-domiciled entity that controls Proton AG, with a stated mandate to keep the company aligned with the privacy mission rather than venture-capital exit timing. Source code for the clients is open on GitHub. Free tier; paid Mail plans from ~€4/month accept BTC + bank transfer + card. Tor onion mirror operator-published: protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion.

What you trust. End-to-end encryption is applied to content — emails between two Proton users, encrypted attachments, encrypted calendar events, encrypted drive files — using PGP-compatible primitives that Proton cannot decrypt at rest. Metadata is a different surface: sender, recipient, subject line (depending on flow), IP at signup (historically — see below), recovery email, and login timestamps are all observable to Proton infrastructure and, under valid Swiss legal process, can be compelled. Their published 2025 transparency report shows 9,301 legal orders received, 988 contested, 8,313 complied with — meaning the "Proton complies with Swiss law" path is real and frequently exercised. For VPN, the same report shows 59 orders received, 59 denied — because there are no logs to surrender. 2021 climate-activist case: a French climate activist's IP and recovery email were handed to Swiss authorities under a Europol→Swiss-court request; this remains the canonical reference for "Proton complies when legally compelled." Subsequent product changes reduced default IP logging on signup, but the underlying legal exposure persists.

Operational specs. Free tier: 1 GB mail storage, ~150 messages/day, one address. Paid plans start at ~€4/month (Mail Plus) and scale up through Unlimited (~€10/month, includes VPN/Drive/Pass). Encryption: PGP under the hood, with key management handled in-browser/client. Custom domains on paid plans. Address aliasing via Simple Login (separate but Proton-owned). Calendar + Drive + Pass + Authenticator round out the ecosystem with similar E2EE posture. Bridge utility connects Proton Mail to desktop clients (Thunderbird, Apple Mail, Outlook) for users who don't want to use the web UI. Two-factor auth required for paid plans, optional for free.

Philosophy. Proton's editorial differentiator is regulated privacy under named jurisdiction — Switzerland — rather than the "no jurisdiction" stance of fully-anonymous mail providers operating in different (or no) jurisdictions. The bet is that Swiss legal protections + a non-profit foundation structure produce a more durable privacy posture than offshore anonymous-hosting. The trade-off: Switzerland *does* respond to valid local court orders, and Proton complies when legally required. For users threat-modeling against Swiss authorities or organisations capable of operating MLAT to Switzerland, that exposure is real. For everyday "I don't want Google reading my mail" users, the model is sufficient and the convenience is unmatched.

Grade rationale. Grade A and editor's pick reflect: clear E2EE on message content; published transparency report with concrete numbers (rare among email providers); non-profit Foundation governance structure; Swiss jurisdiction with documented legal pushback (988 contested orders in 2025 alone, plus recent legal-resistance actions); Tor onion mirror; PGP interop; open-source clients; absence of any content-decryption claim or capability; free tier with realistic everyday utility. Last verified 2026-05-11.

Useful when. You need encrypted email and don't want to self-host. You want PGP-style E2EE without managing keys manually. You want a privacy-respecting ecosystem (Mail + VPN + Drive + Calendar + Pass) under one billing umbrella. You're a journalist, lawyer, or healthcare professional whose threat model is "untrusted big-tech reading content" rather than "state-level adversary." You want a free, anonymous-signup mailbox you can use for ongoing accounts (without phone verification on most signup paths).

Caveats. Metadata is observable to Proton and compellable — sender, recipient, subject, login IPs, recovery email. End-to-end encryption protects content, not headers. If your threat model is "do not let Swiss courts learn that I have a Proton account at all," Proton is not the answer; consider a fully-anonymous provider with a different jurisdiction. Compliance rate: ~90% of valid Swiss legal orders are honored — Proton is not a privacy fortress, it's a *jurisdictionally-bounded* privacy provider. Signup friction: Proton has tightened anti-abuse for free-tier signups; if you sign up from a Tor exit or VPN IP, you may be asked for SMS or alternate email verification, which broadens the KYC surface back toward `light_kyc`. For non-Proton recipients, end-to-end is only on if you set up PGP exchange or use Proton's "encrypted to outside" password-protected link feature; otherwise email leaves Proton's TLS-encrypted boundary and arrives at the recipient's mailbox in cleartext. VPN model is stronger than Mail for metadata-sensitive use — Proton VPN's no-log policy survives Swiss legal process in a way Mail's metadata cannot. Lumo AI: Proton's writing-assistant AI feature (2025-2026) is opt-in and, per Proton's stated policy, does not train on mailbox content — but if your threat model excludes any AI processing of content, check Proton's current AI data-handling docs before enabling it.