The Rise of Encrypted Email — What Proton Mail Really Changed (and What It Can’t)

Encrypted email is everywhere — yet true E2EE is still rare. Here’s the global reality of “secure email” and where Proton Mail fits.

Email is still the world’s default communication rail

Email hasn’t been replaced — it’s been weaponized, regulated, and monetized.

In 2024, the world sent and received ~361.6 billion emails per day, with forecasts climbing past ~424.2 billion per day by 2028. That sheer volume makes the inbox a permanent target for criminals, intelligence collection, and corporate profiling.

So when people say “encrypted email is rising,” they’re reacting to something real — but often describing the wrong kind of encryption.

“Encrypted email” means two very different things

Most people think encryption means: only sender + recipient can read it.

Most email encryption in the real world means: no one can easily read it while it travels between servers.

The two layers of email encryption

| What people want | What most providers deliver | What it protects |
| --- | --- | --- |
| End-to-end encryption (E2EE) | Still uncommon in everyday email | Message content from providers, network observers, many third parties |
| Transport encryption (TLS/STARTTLS) | Now widely used | Message content in transit between mail servers |

Google’s long-running email security reporting shows that inbound and outbound Gmail traffic is now encrypted in transit at very high rates (commonly in the high-90s percent or above in recent snapshots).

That’s a win — but it doesn’t solve the core privacy problem: your email provider can still read your mailbox content in many mainstream setups, and metadata still leaks by design.

Why true encrypted email stayed niche for decades

If E2EE is so powerful, why didn’t it “win” years ago?

Because email was built for interoperability, not secrecy — and E2EE historically demanded painful user behavior: key generation, key sharing, key verification, key rotation, and cleanup when things go wrong.

A large longitudinal study of email encryption usage found adoption remained extremely low in practice — even in a highly educated environment — highlighting how usability and key management issues drag adoption down.

Translation: the world didn’t reject encryption because it’s unnecessary. It rejected it because it was too hard.

This is the gap Proton Mail stepped into.

Proton Mail’s role: making E2EE usable enough to matter

Proton Mail (often written as ProtonMail) launched in 2014 and built its brand around a simple promise: privacy-first email without the usual encryption friction.

Proton now reports 100+ million Proton Accounts across its products — not all paid users, but still a meaningful signal of global demand.

Where Proton changed the market isn’t “inventing encrypted email.” It’s making encrypted email feel normal.

What Proton made mainstream (for normal users)

1) “Zero-access” encrypted storage (provider can’t casually read your mailbox)
Proton describes mailbox storage as “zero-access encryption,” meaning the service claims it can’t read stored message content in your mailbox.

“Gmail likely retains a copy of that message…”
(That’s the key detail most marketing pages skip: email privacy depends on both ends.)

2) E2EE defaults when both sides are on Proton
Proton-to-Proton messages can be end-to-end encrypted in a way that’s largely invisible to the user (no manual key drama for the average case).

3) Password-protected messages for non-Proton recipients
To reach people outside Proton, Proton supports “secure messages” via password protection (useful, but not identical to interoperable E2EE email).

4) Bridge: compatibility with traditional email apps without handing keys to the cloud
A big adoption blocker is client support. Proton Mail Bridge runs on your device and encrypts/decrypts locally, enabling IMAP/SMTP clients (like desktop mail apps) to work without turning Proton into a plaintext provider.

5) Trust plumbing: open source + audits + key transparency direction
Proton positions open source and third-party auditing as part of its trust model.
It also highlights independent security audits around major components (for example OpenPGP.js work audited by Cure53).
And Proton’s Key Transparency work aims to reduce “silent key substitution” risk — a subtle but real problem in large encrypted ecosystems.

Bottom line: Proton’s contribution is less about crypto novelty and more about productizing trust.

The uncomfortable truth: encrypted email still leaks a lot

To be credible, any privacy write-up has to say this clearly:

1) Email metadata is not fully protected

Even with Proton, some elements are encrypted but not end-to-end encrypted — and standard email headers are inherently hard to hide while keeping email routable and compatible.

Proton explicitly notes that subject lines (and sender/recipient addresses) are not end-to-end encrypted, largely for standards and interoperability reasons.
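
The two layers from the table earlier and the header exposure described here can both be read off a stored message. This is an added example, not code from Proton or from the original article; it assumes an OpenPGP message in PGP/MIME (RFC 3156) framing, and the sample message, hostnames, addresses and ids are constructed.

```python
import email, re
from email import policy

# Constructed sample (hosts, addresses, ids and body are made up): two relay
# hops, then an OpenPGP message in PGP/MIME (RFC 3156) framing.
SAMPLE = """\
Received: from relay.example.net by mx.example.org with ESMTPS id a1;
\tTue, 02 Jan 2024 10:00:02 +0000
Received: from client.example.net by relay.example.net with ESMTP id b2;
\tTue, 02 Jan 2024 10:00:01 +0000
From: alice@example.net
To: bob@example.org
Subject: Contract draft for Friday
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
\tboundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

TLS_WITH = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}  # RFC 3848 keywords

def hop_uses_tls(received: str) -> bool:
    # Each relay records how it received the message; earlier hops can lie.
    m = re.search(r"\bwith\s+(\w+)", received, re.I)
    return bool(m) and m.group(1).upper() in TLS_WITH

def audit(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    return {
        # Transport layer: one flag per hop, newest hop first.
        "hops_tls": [hop_uses_tls(str(h)) for h in msg.get_all("Received", [])],
        # Content layer: is the body an OpenPGP-encrypted container?
        "body_e2ee": msg.get_content_type() == "multipart/encrypted"
        and msg.get_param("protocol") == "application/pgp-encrypted",
        # Readable by every server that stores or relays the message.
        "cleartext_headers": {k: str(msg[k]) for k in ("From", "To", "Subject") if msg[k]},
    }

print(audit(SAMPLE))
```

On the sample it reports one TLS hop and one plaintext hop, an encrypted body, and a Subject line that stays readable regardless of either layer.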

2) Encryption doesn’t stop phishing

Encryption protects confidentiality. Phishing is social engineering + authentication failures.

A secure email provider can reduce risk with UI cues, link warnings, and better account security — but E2EE alone doesn’t “solve phishing.” (Treat claims like that as marketing, not security engineering.)

3) Your threat model matters more than your provider

Encrypted email helps most when:

  • you want to reduce provider visibility into content,
  • you handle sensitive attachments,
  • you need safer cross-border communication,
  • you want to minimize data harvesting incentives.

It helps less when:

  • the recipient is on a provider that keeps plaintext copies,
  • the risk is device compromise (malware),
  • the main problem is impersonation/phishing.

Switzerland, lawful access, and the “Proton can’t see it” debate

Proton benefits from operating under Swiss law — but “Swiss” is not a synonym for “untouchable.”

A Swiss court ruling in 2021 affirmed that email services aren’t telecom providers under certain Swiss surveillance obligations, affecting how retention requirements apply.

But Proton still responds to legal process. Proton’s own transparency reporting lists legal orders received, contested, and complied with each year (for example, 2025: 9,301 orders; 988 contested; 8,313 complied with).

And Proton has faced public scrutiny in cases where lawful orders forced specific actions — including a widely reported incident involving IP logging tied to a legal order.

A realistic way to read this

  • Encryption can protect message content even when a company must comply with law.
  • But companies can still be compelled to provide what they do have (metadata, account info, payment records, or targeted logging under certain conditions).

So Proton is best understood as privacy risk reduction, not an invisibility cloak.

Why encrypted email is rising now (globally)

The rise isn’t one country. It’s a convergence:

  • Data protection laws are expanding worldwide, pushing organizations to reduce exposure by design.
  • Remote work normalized sending sensitive material through personal inboxes.
  • Users are increasingly hostile to ad-driven “surveillance capitalism” business models.
  • Market analysts forecast rapid growth in email encryption products and services (one estimate: from about $9.3B in 2025 to ~$23.33B by 2030, ~20% CAGR).

Meanwhile, privacy debates keep evolving — including in Switzerland, where civil society groups have publicly challenged proposals that could expand data retention obligations.

Who encrypted email is actually for

Best fit

  • Journalists & researchers: protect sources, drafts, attachments, and investigative communications.
  • Activists & NGOs: reduce content exposure under surveillance pressure.
  • Businesses handling sensitive data: minimize breach impact, support compliance posture, reduce internal risk.
  • Everyday users who want less profiling: shrink the data surface area that “free email” business models depend on.

Not a magic solution for

  • People who need strong anonymity (you may need additional tools, plus operational discipline).
  • High-risk targets on compromised devices (endpoint security matters more than mailbox crypto).
  • Anyone expecting email to hide relationship graphs (metadata).

Practical: how to use Proton Mail securely (without overthinking it)

If you want the biggest privacy gain with the least pain:

  1. Use Proton Mail for your primary inbox, and keep sensitive threads there.
  2. For truly sensitive conversations, prefer Proton-to-Proton when possible.
  3. For external recipients, use password-protected messages when the content matters.
  4. Use Proton Mail Bridge if you rely on desktop mail clients (keeps encryption local).
  5. Treat subject lines like postcards: don’t put secrets in them.
  6. Turn on strong account protections (unique password + 2FA). Encryption doesn’t help if the account is taken over.

Quick FAQ

Is Gmail “encrypted”?
In transit, often yes (TLS is widely used). But that’s not the same as end-to-end encryption where the provider can’t read your stored content.

Does Proton Mail encrypt everything end-to-end?
Not everything. Proton states message content is protected with strong encryption, but subject lines and some addressing metadata are not end-to-end encrypted for standards/interoperability reasons.

Can Proton Mail be forced to hand over my emails?
Proton says it uses zero-access encryption for stored mailbox content, but it can still comply with lawful orders for data it does have, and it publishes order counts in its transparency report.

Is encrypted email “the future,” or is it still niche?
Transport encryption is already normal. True E2EE email adoption has historically been low due to usability/key management — which is exactly why products like Proton exist.

The takeaway

Encrypted email didn’t suddenly appear — but the reason people care has changed.

We now live in a world where the default email model (“free inbox in exchange for data access”) is colliding with global regulation, rising breach costs, and public rejection of constant surveillance. Proton Mail’s role is to offer a credible alternative: make strong encryption practical, routine, and understandable — while being honest about what email can’t hide.

If your inbox contains anything you’d regret seeing in a breach, a lawsuit, a dragnet, or a data broker’s profile, encrypted email isn’t paranoia — it’s basic risk management.