Email Security Investigation Report (2025)
- Mithun GS
- Jul 2
Subject Domains:
ProtonMail (proton.me)
Prepared for: Security Assessment, Public Transparency & Industry Comparison
✅ Overview of Security Categories Analyzed
Category | ProtonMail | Gmail | ||
DMARC Policy | v=DMARC1; p=reject; sp=reject; rua=... | v=DMARC1; p=quarantine; fo=1; aspf=s; adkim=s; | v=DMARC1; p=quarantine; adkim=s | v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-reports@google.com |
SPF & DKIM Alignment | Strict (aspf=s, adkim=s) | Strict | Partial | Strict |
TLS Enforcement (MTA-STS) | Enforced + TLS-RPT | Enforced + TLS-RPT | Enforced + TLS-RPT | Enforced + TLS-RPT |
DNSSEC | Enabled with ECDSA + CDS + CDNSKEY | Enabled (no CDS) | Enabled (no CDS) | Partial/Managed |
Subdomain Protection | Enforced via sp=reject | Not Present | Not Present | Enforced |
DMARC Reporting | rua + ruf enabled | Not Present | Not Present | rua enabled |
S/MIME Encryption | Default + Required | Not Supported | Not Supported | Supported |
PGP Encryption | Optional | Default | Default | Not supported natively |
Email Branding (BIMI) | Enabled (No VMC) | Not Supported | Not Supported | Enabled (with VMC) |
DNS Rollover Automation (CDS/CDNSKEY) | Yes | No | No | No |
MX/SMTP TLS Grade (CheckTLS) | A+ (100% TLS score) | A | A | A |
Spoofing Resistance (Live Test) | 100% Block | Quarantined | Quarantined | Blocked |
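The DMARC records in the table can be read the way a receiving server reads them, with absent tags filled in from the RFC 7489 defaults. The following is an added example, not part of the original report: the function names are hypothetical, the three sample records are copied from the "DMARC Policy" row, and the first record in that row is left out because its rua value is elided on the page.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

# Records copied from the "DMARC Policy" row of the table above.
TABLE_RECORDS = [
    "v=DMARC1; p=quarantine; fo=1; aspf=s; adkim=s;",
    "v=DMARC1; p=quarantine; adkim=s",
    "v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-reports@google.com",
]

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:                       # tolerate a trailing ';'
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag; p is required on a policy record.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    return tags

def effective_policy(record):
    """Resolve what a receiver applies, filling in defaults for absent tags."""
    tags = parse_dmarc(record)
    p = tags["p"].lower()
    return {
        "domain_policy": p,
        "subdomain_policy": tags.get("sp", p).lower(),         # sp inherits p
        "dkim_strict": tags.get("adkim", "r").lower() == "s",  # default relaxed
        "spf_strict": tags.get("aspf", "r").lower() == "s",    # default relaxed
        "aggregate_reports": "rua" in tags,
    }

def findings(record):
    """List the gaps a reviewer would flag for one record."""
    pol, out = effective_policy(record), []
    if pol["domain_policy"] == "none":
        out.append("p=none: failing mail is still delivered")
    if not (pol["dkim_strict"] and pol["spf_strict"]):
        out.append("relaxed alignment on SPF and/or DKIM")
    if not pol["aggregate_reports"]:
        out.append("no rua: no aggregate reports")
    return out
```

Calling `findings()` on each entry of `TABLE_RECORDS` shows how much of a record's behaviour comes from tags that are not written out, such as `sp` inheriting the value of `p`.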


🔒 Email Infrastructure & Transport Security
Fully enforced MTA-STS policy → Validate here
Configured TLS-RPT to receive TLS downgrade attack reports
CheckTLS score: 114/114 (100%) → Run CheckTLS
Enforces DMARC reject at 100% + strict alignment (s/s) → Check DMARC via MXToolbox
ProtonMail
Enforces MTA-STS and has valid TLS reporting → TLS Report - EasyDMARC
TLS successfully negotiated via STARTTLS on all MX → Verify via CheckTLS
DMARC policy is set to quarantine with alignment
Gmail
TLS encryption enforced via MTA-STS
Strong email delivery hygiene
Verified BIMI & S/MIME support
MTA-STS Enforced (Verified via SMTP TLS test)
TLS available but limited reporting visibility
DMARC policy is quarantine, no rua/ruf visible
🌐 Domain Trust, DNS Security & Authenticity
DNSSEC + CDS + CDNSKEY = automation-ready and modern → DNSViz Report
Uses ECDSA algorithm for lighter, secure DNS chain
ProtonMail / Tuta
DNSSEC signed, but no CDS/CDNSKEY, so not auto-managed → Proton DNSSEC → Tuta DNSSEC
Gmail
DNSSEC varies by infrastructure, internally managed → Gmail DNSSEC report
🔐 Identity Protection & Sender Verification
S/MIME default, signatures appear in Outlook, Apple Mail
PGP optional, user-controlled key imports
BIMI without VMC, green checkmark visible in supporting clients
ProtonMail / Tuta
Use PGP only, which does not include identity verification by default
No support for S/MIME or verified organizational sending
No BIMI or sender trust visual indicators
Gmail
Offers both S/MIME and BIMI (VMC required) for enterprise accounts
⚖️ Final Risk Ratings (2025)
Category | Winner |
Email Spoof Resistance | |
TLS/MTA-STS Enforcement | All Domains (Equal) |
DNSSEC Integrity | |
Identity Verification (S/MIME + BIMI) | |
Reporting & Visibility | |
Encryption (User Privacy) | ProtonMail & Tuta |
Brand-Level Email Trust |
🏆 Final Verdict
Millionaire.email is currently the most secure and identity-verified email platform among individuals in 2025.
While ProtonMail and Tuta offer excellent content privacy, they still lack full S/MIME-based identity verification, BIMI branding, and consistent DMARC monitoring.
Gmail performs well on corporate security but lacks the customizability and transparency offered by independent domains.
Millionaire.email is the only platform that combines:
Email authentication enforcement (DMARC/SPF/DKIM)
TLS in transit enforcement
DNSSEC automation
Sender identity verification (S/MIME + BIMI)
It doesn't just secure the message — it secures you.
🔗 External Proof Links (Full List):
