Critical Security Vulnerability: Missing Default-Deny Policy – Why Whitelist Fails Against Zero-Click Exploits (State Trojans)
Dear Proton Team,
Currently, Proton Mail under "Blocked and Allowed Senders Lists" offers only a whitelist as a positive exception in a system that standardly accepts everything ("Default-Allow").
The "Allowed" function serves merely to move important emails back from the Spam folder to the Inbox. It does not prevent the receipt of emails from other domains.
The "Blocked" function serves to block known, malicious senders.
The Fundamental Security Problem: For users who need to protect themselves against Zero-Click Exploits (e.g., advanced state trojans like Pegasus or similar spyware), this "Default-Allow" model is fundamentally insufficient and dangerous.
The Impossibility of a Complete Blocklist: An attacker can register thousands of domains or use hacked servers to send malicious emails. A "Blocked" list can never cover all future, unknown attackers. As soon as a new, malicious domain is created, it is not on the list, and the email is accepted.
The Risk of Server-Side Acceptance: As long as the Proton server accepts every connection from an unknown domain (even if it is later moved to Spam), there is a critical risk that a Zero-Click Exploit could be executed during the processing phase (rendering images, parsing metadata, analyzing attachments). The malicious code does not even need the user to open it; it can compromise the email client or server infrastructure as soon as the data touches the server.
Misunderstanding of the Current "Allowed" List: Many users mistakenly believe that an "Allowed" list automatically blocks everything else. This is technically not the case. The current list is only a filter ensuring that certain emails do not land in Spam. It is not a firewall that cuts off access for everyone else.
The Demand: A True "Strict Allow-Only Mode" (Default-Deny Policy). I demand the introduction of a separate, explicit setting "Allow Only Permitted Senders" that fulfills the following technical requirements:
Server-Side Rejection (TCP-Level Blockade): The server must immediately reject every connection from a domain/sender that is not explicitly on the whitelist (e.g., with 550 Access Denied) before the email data is even transmitted.
No Data Acceptance: The connection must be severed at the entrance. No data packets containing a potential exploit may be received.
Full User Control: Users must be given the opportunity to completely close their digital gate ("Air-Gap" principle for email) without relying on infinite and never-complete blocklists.
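To make the two models concrete, here is an added example (not Proton's code and not an existing Proton feature): a Postfix-style SMTPD access policy check that implements both behaviours. In default-allow mode an unknown sender domain is accepted and the allow list only tags the message for the spam filter; in default-deny mode an envelope sender whose domain is not on the list receives a 550 at the RCPT stage, before the client may issue DATA. The mode names, header name, domains and lists are constructed assumptions.

```python
from dataclasses import dataclass, field

DEFAULT_ALLOW = "default-allow"  # today's model: accept everything, sort spam later
DEFAULT_DENY = "default-deny"    # requested "Allow Only Permitted Senders" mode

# Postfix policy replies: a numeric 5xx action is sent before DATA is permitted.
REJECT_BLOCKED = "action=550 5.7.1 Sender domain is blocked"
REJECT_UNKNOWN = "action=550 5.7.1 Sender domain not on allow list"
ACCEPT = "action=DUNNO"  # accept here; later restrictions and filters still run
MARK_ALLOWED = "action=PREPEND X-Sender-Allowed: yes"  # assumed hint for the spam filter


def parse_policy_request(raw: str) -> dict[str, str]:
    """Parse one Postfix policy request: name=value lines ended by a blank line."""
    attrs: dict[str, str] = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name.strip()] = value.strip()
    return attrs


@dataclass
class SenderPolicy:
    mode: str
    allowed: set[str] = field(default_factory=set)  # constructed sample list
    blocked: set[str] = field(default_factory=set)  # constructed sample list

    def decide(self, raw_request: str) -> str:
        """Policy reply for one envelope (MAIL FROM / RCPT TO stage); a 5xx
        here means the message body is never transmitted to the server."""
        attrs = parse_policy_request(raw_request)
        if attrs.get("request") != "smtpd_access_policy":
            return ACCEPT  # not an SMTP access decision; do not interfere
        domain = attrs.get("sender", "").rpartition("@")[2].lower()
        if domain and domain in self.blocked:
            return REJECT_BLOCKED  # the blocklist applies in both modes
        if self.mode == DEFAULT_DENY:
            # Unknown domains and the null sender (bounces, sender="") both fall
            # outside the allow list; a deployment must decide how to treat bounces.
            return ACCEPT if domain in self.allowed else REJECT_UNKNOWN
        # Default-allow: the allow list only influences folder placement downstream.
        return MARK_ALLOWED if domain in self.allowed else ACCEPT


def build_request(sender: str, recipient: str, client_ip: str) -> str:
    """Construct a sample policy request in Postfix's attribute format."""
    return ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
            f"sender={sender}\nrecipient={recipient}\nclient_address={client_ip}\n\n")
```

A rejection at this stage happens after the TCP connection and the envelope commands, not before the connection itself, and the envelope sender is unauthenticated. Tying the decision to the connecting IP (SPF) is possible at this stage, whereas DKIM and DMARC alignment require the message content that default-deny refuses to receive.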
Why Proton Urgently Needs This: Proton advertises worldwide with "maximum protection" and "end-to-end encryption." Yet, without a "Default-Deny" option, the door remains physically open to unknown attackers.
Competitive Advantage: With this function, Proton would be the only commercial email provider enabling users to protect themselves against state surveillance and zero-day attacks through strict perimeter security.
Existential Necessity: For journalists, whistleblowers, and activists, this is not an optional comfort feature, but a matter of survival.
Next Steps: Please evaluate this request for technical feasibility and prioritize its integration into the roadmap for security updates. The responsibility for maintaining the whitelist lies with the user; this is the principle of every high-security system. Proton should offer this choice to substantiate its position as the world's safest provider.
Thank you for your work on a safer internet.