
View Full Version : Question for other Protonmail Users...



Guerrero
01-07-2022, 10:04 AM
Do you know/think/feel that your emails end up in other people's spam a lot?

I only have anecdotal evidence, but it seems that since I started using Protonmail, if I send an "unsolicited" email (i.e. I'm initiating the contact), I hear that my emails seem to end up in the spam folder more often than not. I've tried using the different host address (*@protonmail.ch, *@pm.me, etc.) and they don't seem to make any difference.

Anyone else seeing this?

littlejerry
01-07-2022, 10:23 AM

I haven't had this issue. I'm not generally sending a ton of personal emails, but I haven't had any issues.

Sig_Fiend
01-07-2022, 12:28 PM
I have yet to run into that issue.

There are a LOT of other factors in an email that can affect deliverability (https://knowledgebase.constantcontact.com/articles/KnowledgeBase/5649-common-phrases-that-trigger-spam-filters?lang=en_US) like that. Stuff like use of certain words or punctuation in certain ways can do it. Same goes for pictures and certain types of links.

One thing worth considering with them is a paid account plus using a custom email domain (https://protonmail.com/support/knowledge-base/custom-domain-support/). Buy a web domain for usually ~$8-20/yr (Namecheap (https://www.namecheap.com/) is a good option), and then you can connect it with ProtonMail to create your own branded email. The "Plus" plan is $48/yr, which allows this. Why might you want to do this? Being that it's a separate domain from the standard protonmail.whatever domains, it's a clean slate to send from. Also, for anyone that has even a small business, looks much more professional.

Additionally, on their "Professional" plan ($75/yr), it gives you the capability for a catch-all email (https://protonmail.com/support/knowledge-base/catch-all/). What this enables you to do is effectively create unlimited "fake" emails for various purposes that can have the side benefit of increasing security. For example, creating a separate "fake" email for EVERY single online account you create. These wouldn't be separate emails with inboxes, and would instead reroute to your catch-all account. For example, these would be valid emails:



example@mydomain.com
example+1@mydomain.com
example+2@mydomain.com
example+3@mydomain.com
example+4@mydomain.com


Imagine the first is your catch-all. Each account you create could have a fake email like the numbered examples (many other valid ways to write those, so doesn't have to be that format). Any email sent to them (like forum notifications, for example) would route to the catch-all account. Now, if anyone tries to hack any of your accounts, if every single one is a different email and password, you have defense in depth.

Just a few random things hopefully people find useful. ;)
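The per-account address idea from the post above, as an added example that is not part of the original post: a catch-all accepts any local part, so this sketch derives each alias from a keyed hash, which lets you tell which account an incoming address was issued to and reject guessed ones. The domain, the secret and the "service-tag" format are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumptions (not from the thread): the secret and the "service-tag"
# alias format are constructed for this example; the domain is the
# placeholder used in the post.
DOMAIN = "mydomain.com"
SECRET = b"constructed-example-secret"  # a real one belongs in a password manager


def _tag(service: str, secret: bytes) -> str:
    """Short keyed tag so an alias cannot be guessed from the service name."""
    mac = hmac.new(secret, service.lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:8]


def alias_for(service: str, secret: bytes = SECRET, domain: str = DOMAIN) -> str:
    """Deterministic per-service address; the catch-all delivers it to one inbox."""
    return f"{service.lower()}-{_tag(service, secret)}@{domain}"


def check_recipient(rcpt: str, secret: bytes = SECRET, domain: str = DOMAIN):
    """Return the service an alias was issued to, or None if it was never issued."""
    local, _, dom = rcpt.lower().rpartition("@")
    service, _, tag = local.rpartition("-")
    if dom != domain or not service:
        return None
    # Constant-time comparison of the presented tag against the expected one.
    return service if hmac.compare_digest(tag, _tag(service, secret)) else None


if __name__ == "__main__":
    issued = alias_for("forum")
    print(issued, "->", check_recipient(issued))
    # A guessed address still reaches a catch-all, but fails the tag check.
    print("forum-00000000@mydomain.com ->", check_recipient("forum-00000000@mydomain.com"))
```

Mail arriving at an alias issued to one service but sent by someone else points to where the address leaked.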

scjbash
01-07-2022, 02:45 PM
Without boring everyone with details, the company I manage fraud prevention for started seeing so many users with Protonmail who had fake or stolen identities that we had to quit allowing registrations from Proton addresses. I believe that was 2019 or early 2020. Proton's anti-abuse team contacted us asking for a list of their emails tied to fraud. I didn't dig into it very far since we blocked it entirely, but a little research at the time gave me the impression that Proton was used for fraud and spam at a much higher than average rate. I wouldn't be surprised at all if good Proton users get flagged as spam because of it. We've also had some issues with mail sent to Proton (confirmed addresses) being returned as undeliverable.

Chance
01-07-2022, 09:43 PM
My university blocks email from ProtonMail entirely.

Flamingo
01-07-2022, 09:55 PM
My university blocks email from ProtonMail entirely.

Why do they do that?

Chance
01-07-2022, 11:02 PM
Why do they do that?

Because of how frequently it's used for fraud, spam, et cetera, as scjbash mentioned.

randyho
01-07-2022, 11:20 PM
Because of how frequently it's used for fraud, spam, et cetera, as scjbash mentioned.
Interesting. But is it?

GyroF-16
01-08-2022, 09:29 AM
Thanks, Sig_Fiend, that’s interesting stuff.
If someone got their own domain (as you suggested) and the ProtonMail “Plus plan” would it still be identifiable as coming from ProtonMail? That is, would that be a way around the blocking of emails from ProtonMail as described after your post?
I’m very attracted to the security and privacy of ProtonMail. But if I were to use it, or something like it, I wouldn’t want to have to deal with the suspicion of fraud/spam whenever I used it with a business or other entity.



blues
01-08-2022, 09:40 AM
I've had a Proton account for years and I think I've used it maybe twice. One of those accounts I keep just in case I decide to use it someday.

scjbash
01-08-2022, 10:59 AM
Thanks, Sig_Fiend, that’s interesting stuff.
If someone got their own domain (as you suggested) and the ProtonMail “Plus plan” would it still be identifiable as coming from ProtonMail? That is, would that be a way around the blocking of emails from ProtonMail as described after your post?
I’m very attracted to the security and privacy of ProtonMail. But if I were to use it, or something like it, I wouldn’t want to have to deal with the suspicion of fraud/spam whenever I used it with a business or other entity.

While I'm not a fan of the company I use Gmail for my personally owned business. So does the company I work for and seemingly everyone we work with. It can do the things Sig mentioned about Proton plus it's very convenient having mail, calendar, and Meet easily tied together.

Chance
01-08-2022, 12:47 PM
If someone got their own domain (as you suggested) and the ProtonMail “Plus plan” would it still be identifiable as coming from ProtonMail? That is, would that be a way around the blocking of emails from ProtonMail as described after your post?

It depends on how the recipient is filtering e-mails. If they're just blocking the domain (e.g., any message with an @protonmail.com address is simply dropped), then yes, a custom domain would circumvent that filter. Other filters try to use things like "reputation score" for domains to determine if they think the originator is potentially risky, and that can result in e-mails getting blocked or sent to the spam folder (take a look at 'emailrep.io' for an example of what I'm talking about, although please be aware that I've only used that site in passing and any "free" OSINT resource should be approached with caution).

whomever
01-08-2022, 12:51 PM
Thanks, Sig_Fiend, that’s interesting stuff.
If someone got their own domain (as you suggested) and the ProtonMail “Plus plan” would it still be identifiable as coming from ProtonMail? That is, would that be a way around the blocking of emails from ProtonMail as described after your post?


Disclaimer: not current on today's spam wars. I gladly defer to those who are.

I think so, for example, if I own the domain whomever.net, but use some vendor to run imap for me (let's say mailvendor.com), if you look at the mail source you will see stuff like:

Received: from relay4-d.mail.mailvendor.com
From: John Doe <whomever@whomever.net>

Your email program just lists the 'From:', but if you hunt around for something like 'View Message Source' you can see all the gobbledygook; generally speaking, every machine that touches the mail leaves a mark.

So I think the email will contain the info that protonmail was involved. What the sender does with that ... depends. In the days when I worked with our spam-blocker people, the criteria they used were constantly in flux. Whatever worked today was the name of the game.

Sig_Fiend
01-08-2022, 04:19 PM
Thanks, Sig_Fiend, that’s interesting stuff.
If someone got their own domain (as you suggested) and the ProtonMail “Plus plan” would it still be identifiable as coming from ProtonMail? That is, would that be a way around the blocking of emails from ProtonMail as described after your post?
I’m very attracted to the security and privacy of ProtonMail. But if I were to use it, or something like it, I wouldn’t want to have to deal with the suspicion of fraud/spam whenever I used it with a business or other entity.

Yes, it will still show ProtonMail in some of the metadata, however this isn't an issue. With going the custom domain route, you can also set up additional email security protocols (DKIM, SPF, and DMARC (https://www.sendinblue.com/blog/understanding-spf-dkim-dmarc/)) which help establish the validity and trustworthiness of a domain.

I'm not saying everyone should do this, as it's probably more of a hassle than most want to deal with. However, if you happen to have a few minutes on a Saturday afternoon and under $100 per year, it's a nice way to add several layers of security to your email capabilities. Here's an example I sent from a custom domain in ProtonMail to a Gmail address:

Take note of the "from", "reply-to", "mailed-by", and "signed-by" fields. These all reference the custom domain, and not a ProtonMail domain.

[Attachment 82539]


You can see here that SPF, DKIM, and DMARC all passed since I have them set up correctly for this particular custom domain.

[Attachment 82540]


Here you can see that, yes, ProtonMail does still show up in the metadata. This should not be a problem, however, as passed SPF, DKIM, and DMARC send strong signals to email providers that the email is legit.

[Attachment 82541]


As scjbash mentioned, Gmail can do many of the same things, though the custom domain stuff requires a G Suite paid account. However, Google is not trustworthy. Sure, they're "fine" 99.999% of the time for most users' purposes. Keep this in mind though. They scan users' email content (https://www.theverge.com/2016/12/14/13958884/google-email-scanning-lawsuit-ecpa-cipa-matera), which is one of the ways they're able to offer personalized advertising in Gmail. In other words, they know the content of your emails. Considering the ideological and sometimes radical nature of that company and many of its employees... Follow that thought experiment down the rabbit hole and you'll begin to understand why I recommend strongly against them.

Taking this a step further, here's an example due to "CP" (https://arstechnica.com/tech-policy/2014/08/gmail-spots-child-porn-resulting-in-arrest/). Of course, something reprehensible, but replace the subject matter with something else. Imagine user 1 lives in California and sends an email to user 2. Imagine they mention the words "15 round magazine". Now, imagine Google's scans catch this and immediately report it to the California DOJ or whatever. Regardless of the context, your 4A rights are now dead and you are guilty until proven innocent. I'm just making that example up, but it's not unrealistic to think that it could happen at the rate things are going with corpo-fascism and government collusion with such companies. It's a privatized tyranny of convenience.
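What whomever's and Sig_Fiend's posts describe about message source, as an added example that is not part of either post: it reads the headers of one message and reports the From domain, the relays named in Received lines, and the SPF/DKIM/DMARC verdicts the receiving server recorded. The message is constructed; whomever.net and mailvendor.com are the placeholder names from the thread, and every other value is made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: header names are standard, all values are made up.
RAW = """\
Received: from relay4-d.mail.mailvendor.com (relay4-d.mail.mailvendor.com [192.0.2.25])
 by mx.recipient.example with ESMTPS id abc123; Sat, 08 Jan 2022 12:00:00 -0500
Authentication-Results: mx.recipient.example;
 dkim=pass header.d=whomever.net header.s=sel1;
 spf=pass smtp.mailfrom=whomever@whomever.net;
 dmarc=pass (p=QUARANTINE) header.from=whomever.net
From: John Doe <whomever@whomever.net>
To: someone@recipient.example
Subject: hello

body
"""


def analyze(raw: str) -> dict:
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    # Every relay prepends its own Received line, so the hosting provider
    # stays visible even when From: shows only the custom domain.
    relays = []
    for line in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", line)
        if m:
            relays.append(m.group(1).lower())
    # Only trust an Authentication-Results header written by your own MX.
    auth = " ".join((msg.get("Authentication-Results") or "").split())
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    dkim_d = re.search(r"header\.d=([\w.-]+)", auth)
    outside = [h for h in relays
               if h != from_domain and not h.endswith("." + from_domain)]
    return {
        "from_domain": from_domain,
        "relays": relays,
        "provider_visible": bool(outside),
        "verdicts": verdicts,
        # Simplification: exact match only; DMARC's relaxed mode also
        # accepts a signing domain under the same organizational domain.
        "dkim_aligned": bool(dkim_d) and dkim_d.group(1).lower() == from_domain,
    }


if __name__ == "__main__":
    for key, value in analyze(RAW).items():
        print(f"{key}: {value}")
```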

Guerrero
01-10-2022, 07:59 PM
I just have a hard time believing that Protonmail is more of a fraud vector than Gmail, Yahoo, Hotmail, etc.

If I were prone to believe conspiracies, I'd say that the other email providers were trying to bury Protonmail.

FPS
01-10-2022, 08:44 PM
The anonymity (real or perceived) would definitely attract fraud. If they got rid of their free option, they could get rid of a lot of it.

Flamingo
01-10-2022, 08:49 PM
The scanning of my email is why I switched to using Protonmail. I use Signal as my messaging app as well. I wish ProtonMail would come out with a secure messaging system.

Guerrero
01-11-2022, 09:40 AM
The anonymity (real or perceived) would definitely attract fraud. If they got rid of their free option, they could get rid of a lot of it.

Wouldn't the same logic apply to all free email accounts? And yet they don't seem to be squashed as hard as ProtonMail.

scjbash
01-11-2022, 12:14 PM
I just have a hard time believing that Protonmail is more of a fraud vector than Gmail, Yahoo, Hotmail, etc.

If I were prone to believe conspiracies, I'd say that the other email providers were trying to bury Protonmail.

In my professional experience dealing with fraud for the last 12 years Proton has definitely been abused at a higher rate. That's just my experience in one industry, but I've overseen hundreds of millions of leads so I'm not basing that on a small amount of data.

IME fraudulent use is not equal across the major providers. For example we see Outlook being abused at a higher rate than the others, and surprisingly see very little fraud from Yahoo.

Guerrero
01-11-2022, 12:27 PM
...and surprisingly see very little fraud from Yahoo.

Because everyone and their brother has already breached them?

scjbash
01-11-2022, 01:28 PM
Because everyone and their brother has already breached them?

The odd thing is that a lot of fraud is committed with brand new addresses created just for committing fraud. It's so easy to create a Yahoo address you'd think we'd see a lot of fraud on them. Yahoo may be preventing/deleting addresses detected to be made in bulk by one person.

FPS
01-18-2022, 02:34 AM
Protonmail has a greater level of anonymity than the other free providers, hence the fraud magnet. Also, located in Switzerland and not officially a part of the "14 Eyes" data sharing alliance.

Anyone paying attention knows that US big tech has backdoor data sharing agreements with the U.S. government. One reason I believe you aren't likely to see anti-monopoly moves against them unless you get someone like Trump who doesn't care.