How it works
Proton Mail launched publicly in 2014 from a CERN hackathon, and Proton AG now operates the service from Plan-les-Ouates, just south of Geneva. The free tier ships 1 GB of storage and one address; paid tiers add storage, custom domains, and the rest of the Proton suite — VPN, Drive, Calendar, Pass. Mail flows through Proton's servers, where bodies, attachments, and calendar invites are sealed with OpenPGP and zero-access encryption — the keys live behind your account password, not on Proton's side. Inbound mail from non-Proton senders is encrypted at rest after delivery; only headers and routing metadata stay readable to the operator. Clients exist as a web app, native iOS and Android apps, desktop apps for the major OSes, and an IMAP/SMTP Bridge for Thunderbird or Outlook. The cryptography library OpenPGP.js and the apps themselves are open source.
KYC & privacy
Signup asks for a username and password. A recovery email or phone number is offered, never demanded, and the Tor onion mirror accepts new accounts directly. No government ID is ever requested. The boundary is legal, not architectural: Proton AG is a Swiss company, and Switzerland's communications-surveillance law lets investigators serve a court order requiring real-time IP logging on a specific account. In September 2021, Proton complied with one such order in the Bonjour case — the IP of a Paris climate-activist account was handed to French police via Swiss authorities, and the wording "we do not keep any IP logs" was removed from Proton's homepage soon after. Proton's quarterly transparency report shows thousands of orders complied with each year; what cannot be handed over, because it is not stored, is the cleartext of mail bodies.
Strengths and limits
The cryptographic posture is solid. Cure53 has audited the Proton Mail clients and the OpenPGP.js library, and Proton publishes both source and audit reports. Bitcoin is accepted for paid plans (existing accounts only), so the payment trail can be detached from a card. The limits are jurisdictional. Swiss law gives Proton legal exposure that protocol-level services narrow but do not erase; an account that signs up over Tor, with no recovery contact and a Bitcoin payment, is much harder to trace back than a Visa-card free account on a clearnet IP. Support is the soft edge — paid users routinely wait days for a reply — and the anti-abuse system asks for a phone number or alternate email when fresh sign-ups look automated, which catches some Tor traffic.
Verdict
Proton Mail is the strongest off-the-shelf private email provider: open source, audited, with a Tor mirror that actually works for new accounts. It is not anonymous mail: Swiss legal process can be, and has been, used to attach IPs to specific accounts, so threat models that include serious foreign-police interest should treat the inbox as pseudonymous, not invisible. Useful for journalists, professionals leaving Gmail, and anyone who wants encrypted mail without running their own server.
Proton Mail is the credible default for encrypted mail at scale: audited, open source, with a working Tor signup path. The Swiss legal hook is the catch — fine for everyday privacy, less so for adversaries with a court at their disposal. Grade: B (7.6/10). Trust: CAUTION.
