(Current Text) April 26, 2026
Dear Proton Team,

Currently, Proton Mail under (Filters) "Blocked and Allowed Senders Lists" offers only a whitelist as a positive exception in a system that standardly accepts everything ("Default-Allow"). The "Allow" function serves merely to move important emails back from the Spam folder to the Inbox; it does not prevent the receipt of emails from other domains. The "Block" function serves only to block known, malicious senders.

The fundamental security problem is that for users who need to protect themselves against Zero-Click Exploits (e.g., advanced state trojans like Pegasus or similar spyware), this "Default-Allow" model is fundamentally insufficient and dangerous. An attacker can register thousands of domains or use hacked servers to send malicious emails. A "Block" list can never cover all future, unknown attackers; as soon as a new, malicious domain is created, it is not on the list, and the email is accepted. Furthermore, as long as the Proton server accepts every connection from an unknown domain (even if it is later moved to Spam), there is a critical risk that a Zero-Click Exploit could be executed during the processing phase, such as rendering images, parsing metadata, or analyzing attachments. The malicious code does not even need the user to open it; it can compromise the email client or server infrastructure as soon as the data touches the server. Many users mistakenly believe that an "Allow" list automatically blocks everything else. Technically, this is not the case. The current list is merely a filter ensuring that certain emails do not land in Spam, not a firewall that cuts off access for everyone else.

I therefore demand the introduction of a separate, explicit setting "Allow Only Permitted Senders" that fulfills the following technical requirements. First, the whitelist must offer flexible granularity by supporting both individual email addresses and entire domains. This allows users to define permitted senders with two distinct levels of granularity to balance maximum security with practical usability. Individual email addresses are essential for high-security scenarios where only a specific person is trusted (e.g., john.doe@company.com); this prevents access even if other accounts within the same domain are compromised. Entire domains, on the other hand, serve for the efficient management of trusted organizations or partners (e.g., @trusted-partner.com) and allow all current and future senders from that domain without manual maintenance. The system must evaluate incoming mail against both lists, with a specific address rule taking precedence over a general domain rule if conflicts arise.

Second, server-side rejection at the TCP/SMTP level is required. The server must immediately reject the connection before any data transfer if the sender is not explicitly on the whitelist. This requires validation already during the SMTP handshake, ideally immediately after the EHLO/HELO command or at the latest before the MAIL FROM command. If the sender is not allowed, the server must immediately terminate the TCP connection or return an SMTP error code (e.g., 550 Access Denied or 554 Transaction Failed) before the actual email data transfer (DATA command) begins. No data packets containing potential exploits may be received; the server must not buffer or analyze the email content even temporarily if the sender is not on the list. The connection must be severed at the entrance so that no data packet containing a potential exploit is received by the server infrastructure.

Third, full user control must be guaranteed. Users must be given the opportunity to completely close their digital gate ("Air-Gap" principle for email) without relying on infinite and never-complete blocklists. The responsibility for maintaining the whitelist lies with the user; this is the principle of every high-security system.

Proton advertises worldwide with "maximum protection" and "end-to-end encryption." Yet, without a "Default-Deny" option that supports both address and domain whitelisting, the door remains physically open to unknown attackers. With this function, Proton would be the only commercial email provider enabling users to protect themselves against state surveillance and zero-day attacks through strict perimeter security. For journalists, whistleblowers, and activists, this is not an optional comfort feature, but a matter of survival. The ability to whitelist entire domains simplifies communication with teams, while the option to whitelist single addresses ensures precision against targeted attacks.

Please evaluate this request for technical feasibility and prioritize its integration into the roadmap for security updates. Proton should offer this choice to substantiate its position as the world's safest provider.

Thank you for your work on a safer internet.