Circumvent Proton Mail third-parties integration limitations with Cloudflare

One of the biggest Proton limitations is around connecting it to third-party products. Here is how to solve it.

Disclaimer: the instructions below defeat the primary reasons why someone would use Proton (E2EE, zero-knowledge, and other features), yet allow you to work around some of Proton's limitations. Before proceeding, make sure you understand this risk and use a third-party server, service, or product that you trust.

Explanation and Disclaimer

One of the biggest Proton limitations is around connecting it to third-party products, and depending on your industry this is inherently necessary.

The tutorial below describes how to use Proton along with a third-party email service so that other products can connect to your email and make some specific features work. Some of those features can be:

  • Automation of Support Ticket Creation
  • Automation of workflow management depending on the email subject, recipient, sender, and/or other
  • Use of a more feature-rich product than the current Proton products, such as Calendar invite handling, cloud storage, and others

Again, you should proceed with caution and assume the risk that you're trusting another third party to see, send, and forward your email to another service or product.

Instructions

The instructions below are linked to Proton, Cloudflare or any other provider documentation. I'm assuming you have a proficient level of understanding of the terminology and procedures used below. If there are doubts, please reach out to me via Twitter; I will do my best to clarify, but please don't assume I will do a step-by-step guide or troubleshooting on this for you.

Before we start, there are some prerequisites that this implementation needs:

  1. A Cloudflare account
  2. Set Cloudflare as your DNS nameserver; in case Cloudflare is not your current domain name registrar, you must follow your current domain registrar's instructions on how to set this up
  3. Enable Email Service for your primary domain
  4. Enable Email Worker (beta) for your primary domain
  5. Add Custom Domains to Proton. You will need at least two domains for this to work. One will be your primary, the one you intend to use for people to send/receive emails from you and your third-party tools, and another one will be used for Cloudflare to forward that email to your Proton account.
  6. A Proton Business account

All the prerequisites above are linked to Cloudflare Documentation, so if you have any doubts on how to do anything, please go through each of the links. Anyhow, here is what we need to make this work:

Create an Email Worker

Within the Email Service Panel in Cloudflare, let's create a new “blank” Email Worker and use the code below as our starting template.

export default {
  async email(message, env, ctx) {
    const addresses = [
      "[email protected]", // 1- proton secondary domain, prerequisite 5
      "[email protected]", // 2- your first third-party service
      "[email protected]" // 3- your second third-party service
    ];
    for (let address of addresses) {
      await message.forward(address);
    }
  }
};

There are a few important aspects to have in mind for the Email Worker to work:

  • Every address we are going to forward email to needs to be verified
  • A secondary domain should have already been added to your Proton Business account
  • The order of emails in the script does not affect the result, but I chose this order to provide some clarity and order for myself

Now let's go with the configuration:

  1. The first email [email protected] in the script will be your secondary proton domain address. This way you'll always get your email into your Proton account.
  2. The “first” and “second” third-party emails are the other addresses I will also be forwarding those emails to, in this example Gmail and Apple iCloud email; these could be your Zendesk and Google Workspace accounts.
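
The starting template copies every message to every address. The variant below is an added example, not code from the original post: it always forwards to the Proton address but releases mail to a third party only when a rule matches, and it keeps one failing destination from stopping the others. All addresses and rules are hypothetical placeholders; the handler relies only on `message.to`, `message.headers` and `message.forward()` from the Email Workers runtime.

```javascript
// Added example: every address and rule below is a hypothetical placeholder.
const PRIMARY = "inbox@secondary-domain.example"; // Proton secondary-domain address

// Each rule releases one narrow slice of mail to one third party.
const RULES = [
  { to: "tickets@helpdesk.example",
    match: (m) => m.to.toLowerCase().startsWith("support@") },
  { to: "plans@travel-tool.example",
    match: (m) => /\b(itinerary|booking confirmation)\b/i.test(m.headers.get("subject") || "") },
];

// Pure routing decision: Proton always, third parties only on a rule match.
function pickDestinations(message) {
  const extra = RULES.filter((rule) => rule.match(message)).map((rule) => rule.to);
  return [PRIMARY, ...new Set(extra)];
}

const worker = {
  async email(message, env, ctx) {
    const [primary, ...thirdParties] = pickDestinations(message);
    // Deliver the Proton copy first; a failure here is not swallowed.
    await message.forward(primary);
    // Third-party copies are best effort: one failing destination must not
    // stop the remaining forwards.
    for (const address of thirdParties) {
      try {
        await message.forward(address);
      } catch (err) {
        console.error(`forward to ${address} failed: ${err}`);
      }
    }
  },
};
// In the deployed Worker module, end the file with: export default worker;
```

Mail that matches no rule stays between Cloudflare and Proton, which narrows what each third party gets to see.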

Additional Configuration

Once our Email Worker configuration is complete, we need to do one more thing: reconfigure our domain's DNS SPF record to authorize multiple servers to send email on behalf of our domain. Assuming we configured our DMARC and SPF records during the “add domain” process in Proton, or we have successfully enabled the Cloudflare Email Service, we can just update the existing SPF record (see the default records below); if for some reason the record does not exist, we will need to add a TXT record like the one in the example below:

Default SPF records Proton & Cloudflare

v=spf1 include:_spf.protonmail.ch mx ~all
v=spf1 include:_spf.mx.cloudflare.net ~all

New Records

v=spf1 include:simplelogin.co include:_spf.protonmail.ch include:_spf.google.com include:_spf.mx.cloudflare.net ~all

Let me explain the above SPF record. First, we establish the version (spf1), and then we add all the servers that we want to allow to send email on our behalf. In this example, we have added SimpleLogin, Proton, Google (for Gmail), and Cloudflare email servers. This last one is particularly important; otherwise, you'll have a lot of impersonation errors when receiving or sending emails. Lastly, the ~all refers to how strict the rules are; in this case, I chose ~ (SOFTFAIL), but you can also use - instead. Here is an incredibly detailed article on how SPF records work.
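
A domain may publish only one v=spf1 TXT record; a receiver that finds two returns permerror (RFC 7208), which is why the two defaults are merged into one record rather than published side by side. The following is an added example, not part of the original post: it merges records and checks a set of TXT records for the mistakes this setup invites. The helper names are hypothetical.

```javascript
// Added example: helper names are hypothetical.
const STRICTNESS = { "-": 3, "~": 2, "?": 1, "+": 0 };

// Split one record into its terms, insisting on the version tag.
function parseSpf(record) {
  const [version, ...terms] = record.trim().split(/\s+/);
  if (version.toLowerCase() !== "v=spf1") throw new Error(`not SPF: ${record}`);
  return terms;
}

const isAll = (term) => /^[+\-~?]?all$/i.test(term);
const qualifier = (term) => (/^[+\-~?]/.test(term) ? term[0] : "+");

// Terms that cost a DNS lookup. RFC 7208 allows 10 per evaluation, counting
// lookups inside included records too, so this top-level count is a lower bound.
function needsLookup(term) {
  const t = term.replace(/^[+\-~?]/, "").toLowerCase();
  return /^(include:|exists:|redirect=|ptr\b|(a|mx)($|[:\/]))/.test(t);
}

// Merge several v=spf1 records into the single record a domain may publish.
function mergeSpf(records) {
  const mechanisms = [];
  let all = null;
  for (const term of records.flatMap(parseSpf)) {
    if (isAll(term)) {
      // Keep the strictest "all" any input asked for.
      if (!all || STRICTNESS[qualifier(term)] > STRICTNESS[qualifier(all)]) all = term;
    } else if (!mechanisms.includes(term)) {
      mechanisms.push(term);
    }
  }
  return ["v=spf1", ...mechanisms, all].filter(Boolean).join(" ");
}

// Check the TXT records published at the domain apex.
function checkSpf(txtRecords) {
  const spf = txtRecords.filter((r) => /^v=spf1(\s|$)/i.test(r.trim()));
  const problems = [];
  if (spf.length === 0) problems.push("no SPF record");
  if (spf.length > 1) problems.push("multiple SPF records (permerror)");
  for (const record of spf) {
    const terms = parseSpf(record);
    if (terms.filter(needsLookup).length > 10) problems.push("more than 10 DNS lookups");
    if (!terms.length || !isAll(terms[terms.length - 1])) problems.push("record does not end in an all term");
  }
  return problems;
}
```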

Use Cases

All this may or may not make sense to many of you, especially those who pick Proton for its privacy and security features. However, there is no lie in saying that there are many business use cases in which Proton Security and Privacy hinder the use of other business tools that can benefit you.

There are three personal limitations and use cases in which Proton just interferes with my use cases:

No Email inspection for automation tools

This sounds ironic, but in the business world this makes a lot of sense: some tools make your life easier. One tool I use is related to trip planning, TripIt; this tool automatically pulls all my flight and hotel reservations, adjusts the time zones accordingly, and does other things that help me get on with my trip. Doing this manually is always hit and miss.

Calendar

Yes, Proton has a new built-in Calendar, but this is still inferior, at least in terms of facilitating my day. There is no collaborative shared calendar for family or team calendars, and there is no location feature. Yes, there is a location field, but it has no integration with any maps tool, whether privacy-focused, open source, or the big evils, Google or Bing Maps.

Cloud Drive

I love where Proton Drive is going, but it is still inferior to OneDrive for Business and other similar Cloud services.

Shared Mailbox

The biggest issue of all, a Business Account should have a Shared Mailbox service, period.


I hope these instructions help you circumvent Proton's limitations but also allow you to use the service (or support them). If you have any questions, please send me a Tweet.