Proton Mail in your existing email app, on every device. No Bridge required.

Proton Mail is the service. Epistles is a client that respects how Proton works.

Proton Mail is one of the most carefully designed email services in the world. End-to-end OpenPGP for mail between Proton users, encrypted-at-rest storage on servers in Switzerland, a zero-knowledge model where Proton itself cannot read your inbox even if compelled to. Their iOS, Android, web, and recent desktop apps all sit on top of that foundation, and the whole stack is open source. None of that needs improvement.

What we built is a different thing. Epistles is a client. We do not run mail servers, we do not host your mailbox, we do not replace Proton. We are the reading and composing surface, and we wanted to make Proton work in that surface the way Gmail and Fastmail and Microsoft 365 already do, on every device a person actually uses, without a separate piece of software running on the side.

Where our ambition starts and stops is important to state plainly. We preserve Proton’s encryption guarantees. We do the OpenPGP work in the client, not on a server. Your mailbox passphrase never leaves your device. If Epistles disappears tomorrow, your Proton account is untouched and your data is still in Proton’s hands, exactly where it was.

How third-party Proton support has worked until now

Proton’s mail is encrypted with keys only you can decrypt, which means a third-party email client cannot just speak IMAP to imap.proton.me and get readable mail back. Proton solved this for desktop users with Proton Bridge: a separate application that runs on your computer, logs into your Proton account, performs the OpenPGP decryption locally, and exposes a small IMAP and SMTP server on localhost. Apple Mail, Outlook, and Thunderbird then point at that local address and behave as though they are talking to a normal mail server.

Bridge is a thoughtful piece of engineering. It is also constrained by what it is. It runs on macOS, Windows, and Linux only, never on iOS or Android. It requires a paid Proton plan, the free tier cannot use it. It must be installed, configured, kept running, and updated separately from your email client. If Bridge stops, mail stops. If you have a Mac and a phone, Bridge gives you Proton on the Mac and the official Proton app on the phone, which is two different clients with two different keyboard maps and two different settings panels, on top of whatever else you use for Gmail or Microsoft 365.

A community alternative, Hydroxide, takes the same approach: an open-source local IMAP/SMTP daemon that translates to Proton’s API. It is excellent for what it is, and it is still a separate process you run on the side. There has been no third-party Proton client on iOS or Android, ever, because there is no way to run a local bridge on a phone.

We are not knocking the Bridge model. Keeping the Proton ecosystem closed has protected users from clients that would mishandle keys, store the passphrase in the wrong place, or leak metadata to analytics SDKs. The bar for direct integration is high on purpose. We accept that bar. We just decided to clear it.

How Epistles supports Proton Mail directly

Epistles speaks to Proton’s own API, the same API the official Proton apps and Proton Bridge use internally. Authentication is SRP, Proton’s Secure Remote Password protocol, which means your password is never sent to anyone, not Proton, not us. The session is established by a zero-knowledge proof. Two-factor and FIDO2 keys are supported the same way the official Proton client supports them.

Once authenticated, Epistles downloads your encrypted mail and your encrypted OpenPGP keys, decrypts the keys in memory using your mailbox passphrase, and then decrypts each message locally as you open it. The OpenPGP work runs on your CPU, in your Epistles client, not on any server. Proton sees what Proton would see if you used their official app. Epistles sees what Proton sees, encrypted ciphertext it cannot read until your passphrase decrypts the keys on your device.

The mailbox passphrase and the decrypted OpenPGP keys live in your operating system’s keychain (macOS Keychain, Linux Secret Service, iOS Keychain, Android Keystore). They never travel through Epistles’ Cloud Vault. They are never written to our servers, never synced between your devices through our infrastructure, never stored anywhere except on the device that asked for them. This is an honest deviation from how we handle Gmail, Fastmail, and Microsoft 365, where credentials sync through a zero-knowledge vault so adding an account on a new device is a one-click restore. For Proton, you add the account once per device. That is the price of preserving Proton’s zero-knowledge promise on top of ours, and we think it is the right price.

One thing to be straight about. Proton has not published their API as a public contract for third-party clients to build against. Proton Bridge is the sanctioned path. Hydroxide and a handful of community libraries have reverse-engineered the same API for years, and the Proton Bridge source is open, which is how we and anyone else can implement against it correctly. This puts Epistles in a careful gray zone: we are not officially blessed by Proton, we are not violating their terms of service, and we have built the integration to fail safely if they change anything underneath us. If Proton ever asks us to stop, we will stop.

Why this matters

The practical effect is the part that has been missing. If you have a Proton account and an iPhone, until now the only way to read that mail on your phone was Proton’s own app. Same on Android. Same on a Linux laptop where you did not want to install and babysit Bridge. Same on a Mac where you wanted Proton sitting next to your Gmail and Fastmail accounts in a single window with a single keyboard map.

Epistles puts Proton in that single window, on every platform we ship. The From picker in the composer offers your Proton address alongside your Gmail and Fastmail addresses. Cross-account moves work the way they do everywhere else in Epistles: drag a thread from your Microsoft 365 inbox to a Proton folder and it moves. The unified surface that has always been the point of Epistles now includes the one provider that, until today, never could be unified into anything.

What you give up by using Epistles for Proton instead of Proton’s own app

The honest list, verified against the current Proton apps:

• Proton Calendar deep integration. The Proton apps surface your Proton Calendar inline with mail, with end-to-end encrypted invitations between Proton users. Epistles supports CalDAV against Proton Calendar via Bridge, but not the direct in-client calendar surface yet. On the roadmap.
• Proton Drive attachments. The Proton apps let you attach a file from Proton Drive without leaving the composer. Epistles handles regular attachments only.
• Proton Pass autofill, Proton VPN status, the suite chrome. If you use the full Proton ecosystem, the official apps stitch it together. Epistles is a mail client, not a suite.
• Server-side Sieve filter editing. Filters you create in Proton’s web app continue to run server-side and apply to your Epistles inbox. Editing them inline from Epistles is not built yet.
• Address verification UI. The Proton apps show a small green padlock when a recipient’s OpenPGP key has been pinned. Epistles will surface the same state, the UI is in design.

Where Proton’s own clients still win

Proton’s web app is feature-complete and the canonical place to manage account-level settings, custom domains, and bridge credentials. Their iOS and Android apps integrate directly with Proton Calendar, Drive, Pass, and VPN. If your daily life sits inside the Proton suite, the official client is and will remain the most coherent way to use it. Epistles is for the case where Proton is one of several inboxes, not the whole inbox.

Privacy: same model, doubled

Proton’s zero-knowledge promise is the foundation of why people choose them: Proton’s servers cannot read your mail. Epistles makes the same promise about account credentials in our Cloud Vault: our servers cannot read your tokens. For Proton accounts specifically, we go one further. The Cloud Vault is explicitly carved out. Proton mailbox passphrases and OpenPGP keys never enter our infrastructure at all, not as ciphertext, not as opaque bytes, not in any form. They live on the device that needs them and nowhere else.

Two zero-knowledge boundaries stacked on top of each other. Proton cannot read your mail. We cannot read your Proton credentials, because we never receive them. The longer version is on the security page.

If you have been waiting for this

The mailing list of people who have wanted exactly this is long. Proton users on iOS who want one mail app for everything. Proton users on Android in the same boat. Linux users who never wanted to install Bridge. Mac users tired of context-switching between Proton’s app and the rest of their inboxes. Epistles is in early access today on macOS, Linux, iOS, and Android. Fifteen-day trial, no card up front, three accounts on Free afterwards. Request early access, or read the rest of the site.

And to the people at Proton: thank you. You set the bar for what mail privacy should mean. We hope we have built something worthy of it.

See also

Other comparison pages a reader on this one tends to read next.

• Fastmail alternative
• Thunderbird alternative
• Gmail alternative
• All comparisons: the full hub of pages where Epistles is held up next to other email clients.